White paper: Fujitsu's Initiatives through Fujitsu Cloud Standard Security Measures


Contents

INTRODUCTION 2
OVERVIEW 3
PART 1 CONCEPT OF FJC DSS 4
1. Basic Concept of FJC DSS 4
(1) Background of FJC DSS Development 4
(2) Determination in Preparation of FJC DSS 4
2. Features of FJC DSS 5
(1) Development of FJC DSS based on External Requirements and the Practical Knowledge of Fujitsu 5
(2) Response to various Business Structures through Utilization of a Conceptual Model 5
(3) Visualization of Standard Measures using a Matrix Table 5
(4) Consistency with Global Security Standards 5
3. Outline of FJC DSS 6
(1) Areas subject to FJC DSS Measures 6
(2) Concept of Requirements 7
(3) Case Study: Alternative Control 7
PART 2 FJC DSS REQUIREMENTS 8
A. Protection of Remote Access 8
B. Network Protection 8
C. Protection against Unauthorized Server Intrusion 8
D. Protection of the Maintenance Terminal 9
E. Password Management 9
F. Imposing User Authentication 10
G. Tightening the Privilege Account Management 10
H. Thorough Authority Management 10
I. Log Management 11
J. Management of Development / Test Environment 11
K. Data Protection 11
L. Protection of the Office 12
M. Contact System 12
CONCLUSION 13
APPENDIX A GLOSSARY 14

Page 1 of 14

INTRODUCTION

This document describes Fujitsu's initiatives to provide its customers with trusted cloud services using the Fujitsu cloud standard security measures, also known as the Fujitsu Cloud Data Security Standard (hereafter abbreviated as FJC DSS), to realize a trusted (highly reliable) cloud platform. This standard for security measures has been developed and is managed by Fujitsu, which added its extensive experience in cloud platform management to the international security standards and to the security requirements of its customers.

As a business partner, Fujitsu would like to further assist its customers in developing their businesses by informing them of the cloud security initiatives that support Fujitsu's cloud environment, allowing its customers to fully utilize cloud services with confidence.

The contents of this document describe the measures implemented at the time of preparation. For the latest information, please check the Fujitsu website. The company names, product names and so forth described in this document are trademarks, registered trademarks or product names belonging to each corresponding company. This document does not indicate the TM or registered trademark marks in the text.

OVERVIEW

With the arrival of the "cloud first" era, in which the public cloud is considered the first choice when constructing an ICT system, the range of cloud services to choose from has continued to expand, both domestically and internationally. The security measures of a cloud service are still a major consideration when selecting a service. However, no standard set of cloud security measures has been established yet, and the measures available vary widely among services, which makes it difficult to select the optimal service.

Fujitsu has therefore prepared its own cloud standard security measures, called FJC DSS. FJC DSS clearly defines the standard security measures that Fujitsu's cloud services strive to achieve, and by applying FJC DSS to Fujitsu's cloud services, Fujitsu takes the initiative to ensure that each service delivers a consistent quality of security. With these initiatives, Fujitsu aims to let its customers utilize cloud services with a sense of security.

Part 1 presents the background of Fujitsu's initiatives in developing FJC DSS, its features and its outline; Part 2 introduces the requirements of FJC DSS.

PART 1 CONCEPT OF FJC DSS

1. Basic Concept of FJC DSS

(1) Background of FJC DSS Development

In the early days of the public cloud, overseas providers without domestic data centers were the mainstream. At that time, corporate security concerns were the major factor inhibiting the adoption of these services, since data would be stored overseas. Today, foreign providers have established data centers in Japan and begun offering services there, while at the same time the number of domestic providers has also increased. This has reduced the apprehension and reluctance regarding security, and the "cloud first" era has begun, in which the public cloud is considered the first choice, coupled with expectations for IT investment, operating cost control and further acceleration of business operations.

According to "Domestic Cloud Service Market User Trends", published in June 2010 by IDC Japan, a specialized IT research company, security concern is the main factor inhibiting the use of public cloud services among corporate users. This tendency did not change in the results of a similar survey conducted by IDC Japan that was released in June of . In contrast, approximately 60% of actual users said they were satisfied with security, and 20% of these users said they were very satisfied with it (Source: IDC Japan, J , 2013 Domestic cloud service market demand trends study, June 2013, IDCJ ).

When the information assets of corporations become concentrated in the cloud, the impact of a security incident on business becomes even greater. In April 2011, the Ministry of Economy, Trade and Industry released the "Information Security Management Guidelines for the Use of Cloud Services" *1. Moreover, organizations including the Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA) have also successively released cloud security guidelines so that cloud services can be used with a sense of security *2, *3.

However, the requirements of these guidelines are set in such a way that cloud service providers can freely select the strength of security they want to adopt, causing a disparity in the level of security measures between cloud service providers. Hence, Fujitsu created its own security standard, FJC DSS, by integrating these external security requirements with the practical knowledge that Fujitsu's business owners who provide cloud services have put into practice. This makes it possible to show that the cloud services offered by Fujitsu meet a definite security standard without disparities.

*1 Information security management guidelines for the use of cloud services
*2 Security Guidance for Critical Areas of Focus in Cloud Computing https://cloudsecurityalliance.org/research/security-guidance/
*3 Cloud Computing: Benefits, risks and recommendations for information security https://resilience.enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-benefits-risks-and-recommendations-for-information-security/view

(2) Determination in Preparation of FJC DSS

For thorough implementation and widespread adoption of the standard security measures, it is important that the people at the site of utilization properly understand the background: why a given setting is necessary, and why the current measure is sufficient or insufficient. Therefore, Fujitsu determined to ensure that the level of measures addressed by FJC DSS is appropriate and highly feasible, after clarifying the background that requires each measure. As shown in Figure 1.1, this level of measures has been established through discussion with specialists in cloud security-related departments and with Fujitsu's development and operations departments.

The best feature of FJC DSS is that it incorporates a bottom-up approach that integrates the development, operation and business experience and know-how of Fujitsu's cloud businesses. It is a standard measure that can flexibly address environmental changes in the market through on-site experience at all times.

2. Features of FJC DSS

(1) Development of FJC DSS based on External Requirements and the Practical Knowledge of Fujitsu

The security requirements of FJC DSS have been extracted with reference to standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO27001, which have established global reputations as concrete standards for security measures. However, these external requirements are specialized mechanisms: PCI DSS, for instance, is a standard specially designed for the credit card industry, while ISO27001 is a standard for managing information systems. Therefore, they would not fit perfectly if applied as-is as security requirements for cloud services, in terms of monitoring range and security strength.

In addition to the approach from external requirements such as global standards, the various security requirements received from the actual customers of Fujitsu's cloud business owners, as well as the technical know-how and experience gained in developing and operating cloud services, are adopted in FJC DSS so as to establish a baseline for the standard measures of cloud services, as shown in Figure 1.2. With this, Fujitsu has come up with its own cloud security standard, one that takes security strength, investment and feasibility into consideration while covering the assets that business owners need to protect.

(2) Response to various Business Structures through Utilization of a Conceptual Model

FJC DSS consolidates each function of the domain to which standard security measures apply into a unit known as a component, based on the service provision environment of the cloud businesses within the Fujitsu Group. In addition, the service environment and the operation and maintenance environment composed of these components are defined as one conceptual model. This conceptual model can be applied to all of IaaS, PaaS and SaaS. As shown in Figure 1.3, the elements of the service environment and of the operation and maintenance environment of the cloud businesses within the Fujitsu Group are mapped to the components of the conceptual model, so that they can be compared with the requirements for each component in a security evaluation.

(3) Visualization of Standard Measures using a Matrix Table

The security strength of each standard security measure varies depending on the requirements of each component. As shown in Figure 1.4, the standard security measures are expressed in a matrix format for each category. Requirements are arranged alongside the component to which they apply and the level of security that should be adopted, so that the whole system can be easily understood. With this, the important points of the whole system of security measures can be summarized, and the matrix can be used to comprehensively determine the appropriate level of security measures, investment and operation for each component. It can also be used to adjust the level of measures for each component to address ever-changing security threats.

(4) Consistency with Global Security Standards

The Ministry of Economy, Trade and Industry announced the Cloud Service Level Check List *4 for the purpose of conducting a preliminary check on the levels of cloud services to be used for corporate systems. This check list includes check items on the acquisition of public security certifications such as ISMS certification and the Privacy Mark.

*4 Cloud service level check list

Cloud business owners are often asked to show proof of the quality of their operation and management to users, including whether user data are properly protected and protected from outside intrusion; in this case, the acquisition of a public certification is an effective method. FJC DSS offers content that matches the global security standards, as each of its requirements refers to the requirements of public certifications such as PCI DSS and ISO. Therefore, part of the demands of public certification are met by observing FJC DSS. FJC DSS is a global security standard that treats public certification as a priority so that customers can use it with a sense of security.

3. Outline of FJC DSS

(1) Areas subject to FJC DSS Measures

The standard for security measures is a list of specific goals to achieve in order to satisfy each requirement in FJC DSS. As a device to set the goals more specifically, the cloud service environment is divided into multiple subjects of application, and each subject is assigned security measures of the appropriate strength. In addition, the subject area is classified from two viewpoints: the IT factor (component) and the human factor (account). Since it is necessary to apply security measures of the appropriate strength for each account authority and to combine the security functions and methods of each component, the two viewpoints of component and account are adopted in the domain classification:

1. Component viewpoint
2. Account viewpoint

Component viewpoint

Components, the units of application defined for each standard security measure, are classified into the 9 items shown in the figure:

1. Maintenance terminal: PC terminal used by the operations administrator of the cloud business owner for operation and maintenance of the cloud service environment
2. Office: Location where the operations administrator of the cloud business owner conducts operation and maintenance on the cloud service environment
3. Remote access server: Authentication server used to access the cloud service environment from a maintenance terminal during operation and maintenance work
4. Network: The network and network devices that comprise the internal parts of the cloud service environment
5. Management Web console / Cloud resource management: Management Web console used when managing the cloud resources
6. Management Web console / Service management: Web management console for managing the cloud service built on cloud resources
7. Operation and management server: The server that controls authentication and logging for access to the assets subject to operation and maintenance during cloud resource operation and maintenance
8. Host OS / Guest OS: All server OSs within the cloud service environment
9. Development / Test environment: Development environment for modules and programs to be installed on the cloud service environment

Account viewpoint

From the account viewpoint, the account type is subdivided according to use, for the following purposes:

- To check the operations administrator and prevent abuse of authority
- To localize the influence of the operations administrator
- To visualize where the responsibility lies (log / tracking after the fact)

Four types of accounts are set for the three applications below, with the combination of component and account as the focus of the subdivision:

Application
- Routine work
- Non-routine work
- System application

Account types
- General operation account
- Privilege account
- System account
- General-purpose account

For high privilege accounts in particular, their influence on the service environment is required to be limited to the minimum necessary. This includes adopting a mechanism that can identify the operations administrator who actually performed an operation, and protecting logs from falsification or destruction by keeping the log administrator independent.

(2) Concept of Requirements

The concepts of the FJC DSS requirements are summarized into the following 13 items:

A. Protection of remote access
B. Network protection
C. Protection against unauthorized server intrusion
D. Protection of the maintenance terminal
E. Password protection
F. Imposing user authentication
G. Tightening the privilege account management
H. Thorough authority management
I. Log management
J. Management of development / test environment
K. Data protection
L. Office protection
M. Contact system

Taking the standard measures into consideration, these requirements clearly define the threats that need to be addressed in the cloud service environment and in the operation and maintenance environment, as well as the purpose of the measures. The details of these requirements are presented in Part 2.

(3) Case Study: Alternative Control

In the conceptual model of FJC DSS, an alternative configuration is accepted if its security strength is deemed equal to or better than that of the required configuration. This section explains this using the management Web console (a server that dynamically modifies the settings in the cloud service environment) as an example. The threats to be considered for the management Web console are as follows:

- Unauthorized access
- Slipping through the security functions of the maintenance terminal

In the measures recommended by FJC DSS, a remote access server that performs authentication is required to be installed between the maintenance terminal and the management Web console server, as shown in Figure 1.6. This configuration technically restricts the terminals that can access the management Web console, and it protects the management Web console through the remote access server. By having the remote access server perform centralized user control for the management Web console and implement log control, operations can be recorded and tracked. It also simplifies the operation and maintenance of account settings.

In contrast, there is an alternative configuration in which a remote access server is not installed, as shown in Figure 1.7. When this configuration is used, the cost of alternative measures against vulnerabilities of the management Web console may rise, or there may be delays in managing each individual management server in the long run. Thus, correction to the required configuration is encouraged.

FJC DSS has been developed in this manner, considering the appropriate balance between security strength and operation cost and inviting input from cloud business owners within the Fujitsu Group.

PART 2 FJC DSS REQUIREMENTS

FJC DSS comprises 52 requirements, classified into the 13 categories listed below; each category is described in this chapter. In each category, the target requirements to be implemented and the policies of the security measures are clearly indicated. Implementing the optional security measures can further strengthen security in the cloud service environment.

A. Protection of Remote Access

To ensure the safety of cloud services, it is necessary to prevent access from outside by unrelated parties (non-employees, and employees not in charge of the service). It is also necessary to prevent unauthorized access by a regular operations administrator after leaving the job or outside work hours.

- Prevention of unauthorized access from outside the organization
- Prevention of unauthorized use for purposes other than regular work
- Prevention of unauthorized access by an operations administrator after leaving the job or outside work hours
- Prevention of password leaks and password brute force attacks

1. Reinforcement of user authentication and encryption of the data transmission channel
For remote access, strict user authentication is implemented in order to limit use to regular operations administrators and prevent unauthorized use. Furthermore, an encrypted communication protocol is used for the data transmission channel to prevent information leaks to external parties.

2. Minimization of exposure to external networks
To minimize the attack surface (the part of the system directly exposed to attacks from external networks), the number of servers, ports and services reachable by IP packets from the internet is reduced as far as possible.

3. Concentration of remote access user authentication (optional)
By setting up a common authentication server (choke point) for all remote access, separate from the user authentication of individual servers, the safety of remote access can be improved. Since it is complicated to implement security measures on each individual server, there is a risk that necessary changes are not made and improper settings are left unattended. By using the choke point, the invalidation of a user's authentication when that user leaves the job can be handled in one place, and security management is implemented promptly.

4. Multifactor authentication (optional)
Remote access can be strengthened further by utilizing multifactor authentication. Multifactor authentication strengthens user authentication by combining methods other than passwords, such as hardware tokens (a possession factor) and biometrics such as fingerprints (an inherence factor of the user).

5. Restriction on accessible location (optional)
By limiting the locations from which remote access is possible to the company office and the maintenance terminal, unauthorized access in the case of a password leak or password brute force attack, and unauthorized access by parties outside the business establishment or by employees not in charge, can be prevented.

B. Network Protection

To prevent someone from slipping through the security functions of the cloud service environment, it is important to maintain the network restrictions properly. It is necessary to prevent back doors from the inside of the cloud service environment to the outside and to block any loopholes in the internal network.

- Maintenance of security functions
- Prevention of attacks on known vulnerabilities

1. Establishment of network configuration change procedures
Procedures to keep the network device settings in their latest documented condition are organized by documenting the settings. In addition, gaps in the setting information are checked by regularly comparing the actual device settings with the design document.

2. Prohibition of wireless networks
Use of wireless networks, which are liable to become a back door into the cloud service environment, is prohibited. In addition, use of wireless networks is also prohibited for the maintenance terminal used for operation and maintenance work, as well as in the office.

C. Protection against Unauthorized Server Intrusion

To prevent someone from slipping through the security functions and intruding into a server from outside the cloud service environment, it is important to know the vulnerabilities of the servers and network devices inside the cloud service environment and to protect them from attacks.

- Detection of malware
- Protection against server intrusion

1. Implementation of vulnerability inspection
Vulnerability inspections such as network scanning and Web application inspection are implemented regularly. They are also implemented when there are large-scale system changes.

2. Detection of intrusion
Intrusions and malware are detected by introducing IDS / IPS and antivirus software.

3. Vulnerability handling
Vulnerability information on the servers, network devices, etc. that compose the cloud service environment is regularly collected from vulnerability information databases and from the developers.

Necessary security patches and measures to reduce attacks are applied based on the results of vulnerability inspection and intrusion detection.

4. System consistency monitoring tool (optional)
Server intrusions and unauthorized actions can be detected by using a system consistency monitoring tool. Changes in server settings caused by carelessness or by deliberate acts of the operations administrator, as well as backdoor intrusions, are detected by regularly inspecting files and changes to system settings.

D. Protection of the Maintenance Terminal

It is important to limit the operation and maintenance environments that can connect to the cloud service environment and to prevent unauthorized use by outside parties (non-employees, and employees not in charge). It is also necessary to prevent any unauthorized use of the maintenance terminal, or its abuse as a springboard for attacks.

- Protection from malware and targeted attacks
- Prevention of unauthorized use when the person in charge leaves the desk
- Prevention of data being taken out or stolen

1. Specialization of the terminal
To reduce the damage from malware infection or targeted attacks on the maintenance terminal, a dedicated maintenance terminal for operation and maintenance of the subject cloud service is prepared. It is physically separated from the terminals used for other work, and the mail servers and websites accessible from the dedicated terminal are limited to those necessary for the work.

2. Measures against unauthorized use of the maintenance terminal
User authentication at the terminal is thoroughly implemented in order to prevent unauthorized use. Unauthorized use of the maintenance terminal while the person in charge is away is also prevented by implementing screen lock, session lockout and so forth.

3. Physical security
To prevent information leaks or unauthorized access if the maintenance terminal is stolen, physical anti-theft measures such as security wires are implemented. Use of portable media is also prohibited for any purpose other than required work, including backup, so as to prevent the operations administrator from taking data out, whether intentionally or not.

4. Restriction on accessible terminals (optional)
By restricting the maintenance terminals that can access the cloud service environment to registered terminals only, the use of terminals without the prescribed security measures and of terminals brought in from outside is prevented. This prevents the spread of malware from terminals without sufficient security measures and the unauthorized use of portable media.

E. Password Control

Since passwords are the basis of all types of security, it is important that they are managed thoroughly and that unauthorized use such as spoofing is prevented. In the event of a security incident, it is necessary to identify who performed what type of operation or data access in order to determine the cause of the attack and the extent of the damage. It is important to manage passwords appropriately using a unique account that identifies the user, to prevent unauthorized use through spoofing.

- Prevention of unauthorized use by spoofing
- Prevention of password brute force attacks
- Reduction of damage in the case of a password leak

1. Establishment of a procedure for password issuance
The person in charge of account management issues a password at the request of the regular user when registering a new account, or when a password is reissued for an account used in operation and maintenance. The password is notified in such a way that only the regular user can view it. An identity verification method and a notification method that maintain the confidentiality of the information are ensured, particularly for requests received from a remote location.

2. Changing the initial password
The initial password must be changed, since the default password prepared by the vendor for logging in to a network device or server can easily be found in manuals or on the internet and is at high risk of abuse. In addition, the account can be used only after the user has changed the password, to prevent password guessing and abuse.

3. Maintenance of password quality
To prevent password guessing and brute force attacks, complex passwords are used. Conditions such as the required length and combination of character types are set for passwords. Moreover, passwords are changed regularly.

4. Offline notification method (optional)
E-mail transmission and reception are not always encrypted, and e-mails can easily be spoofed. Requests for account issuance, password notifications and the like made through e-mail and other forms of online communication might lower the safety of cloud services. Offline methods of notification, such as in person or in writing, may be adopted if they do not cause inconvenience.

5. Hierarchical user management (optional)
For users outside the organization, such as customers, it is possible to appoint a user administrator within the customer organization and transfer the administrative tasks to them, since it is difficult to verify identities at remote locations. Reissuance of passwords to the customer's users is carried out online, while reissuance of the password of the user administrator is implemented offline.

F. Imposing User Authentication

To minimize accidents due to negligence of, or damage intended by, the operations administrator, it is important to give them only the minimum authority necessary for the operation. User authentication must use an account unique to each operations administrator, and their access rights must be controlled. Moreover, the administrator responsible for the operation and maintenance should be identifiable from the unique account recorded in the logs, in order to prevent unauthorized use.

- Localization of the influence of the operations administrator
- Visualization of where work responsibility lies

1. Thorough implementation of unique accounts
A unique account is assigned to each operations administrator, so that logging in with a unique account is required for operation and maintenance.

2. Prohibition of direct log-in with a shared account
To identify the operations administrator who performed the work, operations administrators are not allowed to log in using a general account (such as guest) or an account shared by multiple operations administrators. In addition, direct log-in to the server using the root account or a system account (an account used by a program, such as the DB connection account of a Web server) is prohibited; log-in using a unique account is required.

G. Tightening the Privilege Account Management

By placing the use of high-privilege accounts (including the root account) in the cloud service environment under special control, their use is kept from extending beyond the originally permitted range of work. It is important to limit in advance the number of people who can use the privilege accounts, so that the management load, such as verifying the work details of privilege accounts, does not become excessive. It is also important to design the operation and maintenance so that the work requiring the use of privilege accounts is minimized.

- Localization of the influence of the operations administrator
- Minimization of the authority to the system

1. Reduction of work that would require privilege accounts
Work that requires privilege accounts or root password input is reduced. Access authority settings for files and commands are reviewed, and the sudo command is used.

2. Management of root account
Among the privilege accounts, the root account is especially difficult to restrict to permitted operations on a specific server, so its condition of use is grasped using logs and managed by checking that the account is used only within the appropriate range. Furthermore, since the root password is often shared by multiple operations administrators, the system is set up so that the operations administrator who performed the work can still be identified.

3. Verification of work with privilege account (optional)
The status of changes in file and system settings before and after operation and maintenance using privilege accounts is understood using logs, system consistency monitoring tools and the like. The validity of work processes is checked by comparing the advance work notification with the actual changes.

H. Thorough Authority Management

It is important to know which operations administrators hold what type of authority for system changes or data access in the cloud service environment, and to design authority so that it is not concentrated in a specific operations administrator. It is also necessary to have an operation procedure to manage accounts appropriately when there is reshuffling among operations administrators.

- Prevention of granting excessive authority
- Division of duty and mutual check and balance

1. Documentation of authorization matrix
The assigned account, the authority granted to each operations administrator and the servers connected to are documented and managed in an authorization matrix that can be easily grasped. Changes in account settings are also appropriately reflected in the authorization matrix.

2. Regular inventory of unnecessary accounts
The authorization matrix is updated by regularly reviewing the authority assignment with the operations administrator. At the same time, the authorization matrix is checked against the actual server settings. Unnecessary accounts, that is, accounts of those who have already left the job, accounts that have not been used for a long period and unauthorized accounts, are invalidated.

3. Division of duty for operations administrators (optional)
By prohibiting the grant of very wide-ranging privileges to specific operations administrators, and by setting up a mutual check-and-balance system that requires the cooperation of multiple operations administrators, operation mistakes and abuse are kept under control. In addition, division of duty is implemented to limit the number of operations administrators with extensive privileges to a selected few, with another person assigned to monitor the work. For example, concentration of excessive authority in specific operations administrators is prevented by dividing the management of remote access authority and server authority among different operations administrators.
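As an added illustration of items F.2, G.2 and H.2 above (example code written for this page, not Fujitsu's own tooling), the script below parses constructed log lines in a simplified syslog-like shape, flags direct log-ins with shared or system accounts, attributes each privileged command to the unique account that issued it, and reconciles the documented authorization matrix against the accounts actually seen. The account names, server names, log format and the 90-day "unused" threshold are all assumptions.

```python
"""Privileged-access audit for FJC DSS items F.2, G.2 and H.2.

All data below is constructed for the example; the log format is a
simplified syslog-like shape, not output from any real system.
"""
import re
from datetime import datetime, timedelta

# H.1: documented authorization matrix, admin -> {server: privilege level}
AUTH_MATRIX = {
    "alice": {"web01": "sudo", "db01": "user"},
    "bob": {"web01": "user"},
    "carol": {"db01": "sudo"},
}
DEPARTED = {"carol"}  # left the job: account must be invalidated (H.2)
# F.2: accounts that may never be used for a direct log-in
SHARED_OR_SYSTEM = {"root", "guest", "admin", "dbconn"}
STALE_AFTER = timedelta(days=90)  # H.2: "not used for a long period" (assumed)

# Constructed sample log lines: "<timestamp> <host> <program>: <message>"
SAMPLE_LOG = """\
2014-04-01T08:02:11 web01 sshd: Accepted publickey for alice from 10.0.0.5
2014-04-01T08:03:40 web01 sudo: alice : COMMAND=/bin/systemctl restart httpd
2014-04-01T09:10:02 db01 sshd: Accepted password for root from 10.0.0.9
2014-04-01T09:15:30 db01 sudo: dave : COMMAND=/usr/bin/mysql
2014-04-02T10:00:00 web01 sshd: Accepted publickey for guest from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>sshd|sudo): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.+)$")


def parse_log(text):
    """Turn raw lines into events: (timestamp, host, kind, user, detail)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, reported in real use
        ts = datetime.fromisoformat(m["ts"])
        if m["prog"] == "sshd":
            lm = LOGIN_RE.match(m["msg"])
            if lm:
                events.append((ts, m["host"], "login", lm["user"], lm["src"]))
        else:
            sm = SUDO_RE.match(m["msg"])
            if sm:
                events.append((ts, m["host"], "sudo", sm["user"], sm["cmd"]))
    return events


def direct_login_violations(events):
    """F.2: direct log-ins with root, guest, system or otherwise shared accounts."""
    return [(host, user) for _, host, kind, user, _ in events
            if kind == "login" and user in SHARED_OR_SYSTEM]


def attribute_privileged_work(events):
    """G.2: each privileged command attributed to a unique account, with a
    flag telling whether the matrix actually grants sudo on that server."""
    report = []
    for _, host, kind, user, cmd in events:
        if kind != "sudo":
            continue
        granted = AUTH_MATRIX.get(user, {}).get(host) == "sudo"
        report.append((host, user, cmd, granted))
    return report


def account_inventory(events, now_iso):
    """H.2: matrix entries that should be invalidated, plus accounts seen on
    servers that the matrix does not know about."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for ts, _, _, user, _ in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    findings = []
    for user in sorted(AUTH_MATRIX):
        if user in DEPARTED:
            findings.append((user, "departed"))
        elif user not in last_seen or now - last_seen[user] > STALE_AFTER:
            findings.append((user, "unused"))
    # Accounts active on servers but absent from the matrix (shared/system
    # accounts are already reported by the F.2 check above).
    unknown = sorted(set(last_seen) - set(AUTH_MATRIX) - SHARED_OR_SYSTEM)
    findings.extend((user, "not in authorization matrix") for user in unknown)
    return findings


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("F.2 direct log-in violations:", direct_login_violations(ev))
    print("G.2 privileged work:", attribute_privileged_work(ev))
    print("H.2 inventory:", account_inventory(ev, "2014-04-10T00:00:00"))
```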

I. Log Management

To visualize where the responsibility for operation and maintenance lies, it is important to record in a log what type of system configuration changes or data accesses are made in the cloud service environment by the operations administrator, and to keep a grasp of them. It is important to keep the log information from being deleted or falsified, since an undesirably large range of damage must be assumed if the method of attack or the range of information leak cannot be identified from the log.

- Visualization of where work responsibility lies
- Prevention of log falsification and destruction of evidence
- Ensuring log analysis method and efficiency

1. Recording the details of operation and maintenance
The operations made by the operations administrator are understood. Changes related to the status of system utilization, system configuration and security, as well as the status of access to the protected data, are recorded. In addition, measures to integrate and analyze multiple logs are ensured, so that the operations administrator behind each log item can be uniquely identified.

2. Log accumulation by log management server
Falsification and deletion of logs are technically prevented. A log manager is assigned, and an independent log management server that operations administrators with server privileges cannot access is set up.

J. Management of Development / Test Environment

There is a tendency for security not to be strictly implemented in the development / test environment compared to the actual environment. Especially for a development / test environment constructed on the cloud, it is important that the security strength be set just as high, so that it cannot be used to intrude into the actual environment. System configuration, password settings and so forth common to the two environments must not give a hint for attack.

- Prevention of system intrusion from development / test environment
- Prevention of information leak from development / test environment
- Prevention of abuse of developer's authority

1. Matching security strength with actual environment
Vulnerability inspection and vulnerability handling equivalent to those of the actual operation environment are implemented to protect the development / test environment against intrusion from external networks.

2. Separating the system and data of development / test environment from the actual system and data
Servers and networks for the actual environment and the development / test environment are separated, to prevent abuse of the access line or test settings of a development / test environment with weak security, and so as not to provide a foothold for intrusion into the actual environment. Furthermore, using the actual data in the development / test environment is not allowed.

3. Division of duties by persons in charge of development / test environment (optional)
Use of privilege accounts on a wide range of servers in the actual environment may be necessary in order to examine failures. Permission for personnel in charge of development / test to access the actual operation environment is set up, while work outside the permitted periods or access to servers that are not permitted is prohibited. It is also prohibited for anyone to act as both the operations administrator of the actual operation environment and the person in charge of development / test.

K. Data Protection

It is necessary to prevent spoofing and information leak from the cloud service environment or from e-mails. It is also important to prevent damage to system data essential to the service continuity of the cloud service environment.

- Prevention of information leak from the cloud service environment
- Establishment of safety in external communication and e-mails
- Prevention of data damage due to system failures

1. Data access restriction
The data that require protection are clearly identified, along with the method of storage and the people who can access the data. Access control is implemented using a unique account tied to the operations administrator, and accesses are also recorded.

2. Protection of data communication
Encryption is used when sensitive data are transferred between an external environment and the cloud service environment. Measures against information leak, such as encryption, are implemented when sensitive data are transmitted via e-mail from the cloud service environment to an external environment.

3. Implementation of backup
Backup of data essential to the continuation of services is regularly implemented. To prevent information leak from the backup data, access to the backup data is restricted as strictly as for the main unit data.

L. Protection of the Office

It is important to prevent unauthorized use by third parties (non-employees and employees not in charge) by increasing the physical security of the office that conducts operation and maintenance work, and by improving the safety of terminals, recording media and so forth that are connected to the cloud service environment.

- Prevention of physical theft

1. Management of office entrance and exit
Entrance to and exit from the office where operation and management work on the cloud service environment is conducted are managed to keep third parties from entering. In addition, measures against theft of maintenance terminals are implemented, so that security functions such as the restriction of terminals connected to the cloud service environment cannot be bypassed. Taking documents and recording media out of the office without prior consent is also prohibited.

M. Contact System

If an external cloud service is used for building a cloud service environment, its security level shall be checked to confirm that it satisfies Fujitsu's own security policies and standards. It is also important to ensure that a system which can respond accordingly in case of emergency is established.

- Consistency of security measures and strength of IT resource providers
- Prompt emergency measures in case of security incidents

1. Checking the security measures implemented by IT resource providers
The security measures of the procured cloud services and so forth are checked with the providers to confirm whether they comply with Fujitsu's security policy and standards. It is also examined whether the set standards can be met either by reviewing the scope of access to the cloud services or by introducing alternative measures. Checking is conducted particularly for vulnerability management and privilege management, where inconsistency is likely to occur.

2. Ensuring the emergency contact system
Both the IT resource provider and Fujitsu establish a system that can respond to emergencies 24 hours a day, 365 days a year, should a security incident occur. Moreover, emergency procedures are also confirmed by the two parties.

CONCLUSION

This document presented Fujitsu's initiatives on security measures through FJC DSS in providing its customers trusted (highly reliable) cloud services. Fujitsu will continue to tackle the various threats against cloud services with further efforts, so that its customers can utilize cloud services in their business with a sense of security.

APPENDIX A GLOSSARY

CSA: Abbreviation for Cloud Security Alliance. https://cloudsecurityalliance.org/

ENISA: Abbreviation for European Network and Information Security Agency.

IaaS: Abbreviation for Infrastructure as a Service. An IT service model in which system resources such as servers, storage, OS and middleware can be utilized as services. Fujitsu provides FUJITSU Cloud IaaS, which includes Trusted Public S5, for customers to utilize only the resource environment that they need at the moment they need it; Special services for Trusted Public S5, in which customers can utilize the same environment as Trusted Public S5 without sharing the space with other customers; and Private Hosted, for customers who wish to fully utilize the server specifications.

ISMS: Abbreviation for Information Security Management System. A management framework used to develop the measures that minimize risks, by identifying what type of threats and vulnerabilities exist with respect to the information assets owned by an organization and by calculating the risks considering the frequency at which such threats may occur. ISO is a document that defines the requirements of ISMS.

ISO27001: Definition document on requirements for ISMS construction in organizations. The contents were corrected by ISO based on the British Standard BS7799-2: 2002 issued in . It is standardized domestically as JIS Q .

PaaS: Abbreviation for Platform as a Service. An IT service model in which the application development / execution / operation environment and utilities can be utilized as services. Fujitsu offers PaaS as one of the services of "Fujitsu Cloud A5 for Microsoft Azure", which provides Microsoft Azure by Microsoft. It also offers "Convergence Service" to support the utilization of Big Data.

PCI DSS: Abbreviation for Payment Card Industry Data Security Standard. It refers to the global security standard for evaluating the safe management of credit card transaction information, prepared by the five international credit card brand companies. https://ja.pcisecuritystandards.org/minisite/en/pci-dss.php

SaaS: Abbreviation for Software as a Service. A software delivery model that allows the use of only the necessary functions as services. Fujitsu provides various services both in specialized fields such as municipalities, education, manufacturing, distribution and medicine, and in common fields such as CRM, groupware and e-learning.

Spoofing: In general, the act of a person trying to profit illegally by pretending to be someone else. In electronic commercial transactions, it refers to a person trying to steal products or money by pretending to be the trading partner, taking advantage of the other party, who cannot see him or her on the network.

Password brute force attack: One of the methods of deciphering character strings such as passwords. The attacker searches for a match by trying meaningful words or all combinations of characters.

Targeted attack: A type of cyber-attack that focuses on a specific target such as a user or an organization.

Privacy mark: A system that authorizes the use of the PrivacyMark by private enterprises that appropriately handle personal information in compliance with JIS Q 15001:2006 (Personal Information Protection Management System - Requirements). It is managed by the Japan Information Processing Development Corporation (JIPDEC). The designated organization assigned by JIPDEC accepts applications from private enterprises, reviews their qualifications and grants them the authority to use the Privacy Mark.

Malware: Software programs with malicious intent. There are various types, including programs that invade computers at remote locations and carry out infection and destructive activities, and those that leak information to external destinations. Malware is a coined word that abbreviates "malicious software".

Contact
FUJITSU LIMITED
CLOUD BUSINESS UNIT SECURITY TECHNOLOGY CENTER
17-25, Shinkamata 1-chome, Ota-ku, Tokyo, Japan

April 2014

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance Mobile Security Checklist An Easy, Achievable Plan for Security and Compliance Introduction Are mobile devices the weak link in your security defenses? Today, organizations are pouring millions of dollars

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Introducing FUJITSU Software Systemwalker Centric Manager V15.1.1

Introducing FUJITSU Software Systemwalker Centric Manager V15.1.1 Introducing FUJITSU Software Centric Manager V15.1.1 < Version 1.0 > May 2015 FUJITSU LIMITED 0 Contents Integrated Monitoring Required in Virtualization/Server Integration Characteristics of Centric Manager

More information

Information Security Measures for ASP/SaaS - From the Report from the Study Group on ASP/SaaS Information Security Measures -

Information Security Measures for ASP/SaaS - From the Report from the Study Group on ASP/SaaS Information Security Measures - International Affairs Department, Telecommunications Bureau Vol. 19 No. 4 Biweekly Newsletter of the Ministry of Internal Affairs and Communications (MIC), Japan ISSN 1349-7987 Please feel free to use

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

On-Site Computer Solutions values these technologies as part of an overall security plan:

On-Site Computer Solutions values these technologies as part of an overall security plan: Network Security Best Practices On-Site Computer Solutions Brian McMurtry Version 1.2 Revised June 23, 2008 In a business world where data privacy, integrity, and security are paramount, the small and

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

86-10-15 The Self-Hack Audit Stephen James Payoff

86-10-15 The Self-Hack Audit Stephen James Payoff 86-10-15 The Self-Hack Audit Stephen James Payoff As organizations continue to link their internal networks to the Internet, system managers and administrators are becoming increasingly aware of the need

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Result of the Attitude Survey on Information Security

Result of the Attitude Survey on Information Security Presentation Result of the Attitude Survey on Information Security Conducted toward the companies Operating in Thailand February, 2009 Center of the International Cooperation for Computerization of Japan

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Fujitsu Enterprise Security Architecture

Fujitsu Enterprise Security Architecture Fujitsu Enterprise Security Architecture V Tetsuo Shiozaki V Masayuki Okuhara V Nobuo Yoshikawa (Manuscript received November 9, 2006) Recently, there has been a growing need for enterprises to respond

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Information Security Baseline (minimal measures)

Information Security Baseline (minimal measures) Information Security Baseline (minimal measures) 1 Version management Version 0.1 9 September 2013 1st draft Version 0.2 23 September 2013 2nd draft after review by Erik Adriaens Version 0.3 8 October

More information

Policy for Protecting Customer Data

Policy for Protecting Customer Data Policy for Protecting Customer Data Store Name Store Owner/Manager Protecting our customer and employee information is very important to our store image and on-going business. We believe all of our employees

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

More information

Earth-Life Science Institute Tokyo Institute of Technology. Operating Guidelines for Information Security

Earth-Life Science Institute Tokyo Institute of Technology. Operating Guidelines for Information Security Earth-Life Science Institute Tokyo Institute of Technology Operating Guidelines for Information Security 2013 1. Purpose The Operating Guidelines for Information Security (hereinafter, the Operating Guidelines

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Information Technology Engineers Examination. Network Specialist Examination. (Level 4) Syllabus. Details of Knowledge and Skills Required for

Information Technology Engineers Examination. Network Specialist Examination. (Level 4) Syllabus. Details of Knowledge and Skills Required for Information Technology Engineers Examination Network Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination Version 2.0

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Information Security Operational Procedures Banner Student Information System Security Policy

Information Security Operational Procedures Banner Student Information System Security Policy Policy No: 803 Area: Information Technology Services Adopted: 8/6/2012 Information Security Operational Procedures Banner Student Information System Security Policy INTRODUCTION This document provides

More information

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data Security Kit Outline How do you protect your critical

More information