Patch Management Procedure. e-governance
|
|
- Hugo Sullivan
- 8 years ago
- Views:
Transcription
1 for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
2 Document Control S/L Type of Information Document Data 1. Document Title 2. Document Code 3. Date of Release 4. Next Review Date 5. Document Revision Number 6. Document Owner 7. Document Author(s) 8. Document Reference Document Approval Sr. No. Document Approver Approver Designation Approver ID Document Change History Version No. Revision Date Nature of Change Date of Approval For Internal Use Only Page 2 of 13
3 Table of Contents 1. INTRODUCTION SCOPE PURPOSE ROLES AND RESPONSIB ILITIES... Error! Bookmark not defined. 5. INCIDENTS AND INCIDE NT RESPONSE CLASSIFICATION OF SE CURITY INCIDENTS... Error! Bookmark not defined. 6.1 INCIDENT CATEGORY... Error! Bookmark not defined. 6.2 INCIDENT TYPE... Error! Bookmark not defined. 7. RECORDING AND ROUTIN G AN INFORMATION SEC URITY INCIDENT... Error! Bookmark not defined. 8. RESOLVING SECURITY INCIDNET... Error! Bookmark not defined. 8.1 IT SECURITY INCIDENT... Error! Bookmark not defined. 8.2 NON IT INCIDENT... Error! Bookmark not defined. 9. CLOSING SECURITY INCIDENTS... Error! Bookmark not defined. 10. ESCALATION M ATRIX... Error! Bookmark not defined. 11. POST IMPLEM ENTATION REVIEW... Error! Bookmark not defined. 12. REFERENCE... Error! Bookmark not defined. For Internal Use Only Page 3 of 13
4 1. INTRODUCTION The objective of Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Management maintains operational efficiency and effectiveness, overcome security vulnerabilities and maintains the stability of production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security. 2. SCOPE management is designed to give an organization control over the software updates it deploys. Any organization planning to patch its operational environment should ensure that it has: Tools and technologies that are most appropriate for effective patch management. Effective project management processes. This document applies to all IT Infrastructures, applications used for e Gov service deivery 3. PURPOSE The objective of Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Management maintains operational efficiency and effectiveness, overcome security vulnerabilities and maintains the stability of production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security. For Internal Use Only Page 4 of 13
5 4. DEFINITIONS Vulnerability This term characterises the absence or weakness of a risk-reducing safeguard. It is a condition that has the potential to allow a threat to occur frequently, with great impact, or both. Threat agent - The person or process attacking a system by exploiting its vulnerabilities to violate confidentiality, integrity and availability. Attack - A threat agent attempting to take advantage of vulnerabilities for unexpected/malicious purposes. Countermeasure - Software configurations, hardware, or procedures that reduce risk of getting exploited in an information system. It is also called safeguard. For Internal Use Only Page 5 of 13
6 5. PARCH MANAGEMENT PROCESS 5.1 PATCH MANAGEMENT PROCESS FLOW Management Input/Output Model Input Process Output Implementation Schedule Management Database Management Baselines & Profiles Preventive & Corrective Actions Implementation Reports Input Required For Internal Use Only Page 6 of 13
7 The key inputs to the Management process are: Scheduled patches to be deployed at e-gov Preventive or Corrective actions arising from identified incidents may require updation of patches on e-gov assets/applications used for e-gov service delivery. Output Generated The outputs from the Management process are: List of all successfully deployed patches on e-gov assets/applications shall need to be maintained in a centralised Management Database. Post successful deployment of certain critical patches, the baselines/profiles of servers/applications may be revised and updated. Management Tracker is Updated and closed. It has the list of es updated successfully and also the list of patches not deployed along with reasons. 5.2 PATCH MANAGEMENT PROCESS FLOWCHART Due diligence is exercised by the Management team to ensure that patch deployments are carried out in a timely manner. management process has a five-phase approach to manage patch deployments, which is designed to give control over the deployment and maintenance of interim software releases for software utilities, network appliances, operating systems and applications being used within e-gov service delivery For Internal Use Only Page 7 of 13
8 PMP01 Measurement and Assessment PMP02 PMP05 Identification and Classification Validation and Recording PMP03 PMP04 Estimation and Preparation Implementation Following is a brief description of the five phases. Measurement and Assessment (PMP01): Measurement and Assessment is the identification of current status of patch deployment in production environment. The outcome of this step is the list of security threats and vulnerabilities that e-gov service delivery might face and whether it is geared to respond appropriately. Identification and Classification (PMP02): Identification and Classification is reliable discovery of new software updates and deciding whether new software updates are relevant to the e-gov service delivery environment. It is important to classify the type of software updates and determine the type of change a software update represents. For Internal Use Only Page 8 of 13
9 Severity Rating: Defined severity rating is used within the organization. Severity rating is applicable to all e-gov service delivery equipment (Servers, Application and network devices). Severity rating is decided by Manager. This helps determine the urgency of addressing vulnerabilities and deploying related updates. The following table lists the ratings used by the organization to classify the severity of a vulnerability and associated update. Rating Definition A publicly disclosed vulnerability whose exploitation could allow the propagation of an Internet worm without user action or whose High Severity exploitation could result in compromise of the confidentiality, integrity, or availability of user s data, or of the integrity or availability of processing resources. Medium Severity Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation. Low Severity Vulnerability whose exploitation is extremely difficult or whose impact is minimal. Estimation and Preparation (PMP03): Estimation and preparation is the evaluation and planning phase of patch management process. Estimation refers to the decision whether to deploy the software update or not. In addition to that, testing the software update in a production-like environment is required to validate the after-effects of patch deployment. Preparation is the planning for the type of process, technology and skills required to deploy software update and making a schedule for implementation. Taking approval for patch implementation also comes under this phase. For Internal Use Only Page 9 of 13
10 Management Schedule preparation: Steps 1 Definition Advisories are received and authenticated from respective sources Measurement As received Target 2 4 Advisories are validated for applicability and forwarded to Implementer. Number of patches that cannot be applied within due date. Within 1 Business Day Within 15 Business days 5 Change Management Process Change Management to be followed before applying patches Implementation (PMP04): Implementation is the successful deployment of the approved patches into the organisation s environment according to the plan prepared in the Estimation and Preparation phase Validation and Recording (PMP05): Validation and Recording is the monitoring and reporting activity, post deployment of the patch. This phase also acts as a closure for the patch management process. For Internal Use Only Page 10 of 13
11 5.3 PATCH MANAGEMENT PROCEDURE DETAILS Management No Implementer START Conduct Testing Is the test sucessful? No Communicate results to Manager Is it a retest? Communicate to Manager Implement and communicate to Implementation Team Lead Implementation Team Lead Receive Report from Software Prepare Implementation Schedule & Communicate to Team No No Inform Users of Update Timings and Schedule. Update Implementati on Tracker Manager Get issue resolved in consultation with vendor. Approve Tests & CR Form? Yes Conduct Weekly review meeting to review and close Implementation Tracker Stop Change Manager Yes Approve? Following steps should befollowed at e-gov service delivery for Management Procedure: The Implementation Team Lead decides on the schedule of the es in consultation with the Manager. Based on the schedule, the team tests the es on test beds. For Internal Use Only Page 11 of 13
12 Once the test is successful the results are communicated to the Manager and the results implemented after his approval and the approval of the change manager on a schedule communicated to users. The Implementation Lead updates the Management Tracker with the data. If the test is unsuccessful then the testing is retried under the guidance of Implementation Team Lead. If the test fails repeatedly then the Manager is informed. The Manager in co-ordination with the team contacts the Vendor. Vendor suggestions are sought for the implementation of patch. Once vendor has suggestions are incorporated. Testing is done again and results implemented if the tests are successful. If the tests fail again then the update is not carried out and the same is documented in the Management Tracker. Regular and periodic team meetings are held to review the management issues and schedules. For Desktops- Work Stations auto update facility is used and the above mentioned process is not used. 6. ROLES AND RESPONSIBILITIES Role Manager Responsibilities Receive the test results of patches from patch implementer and decide whether the test report is satisfactory or not. Approve Deployment Co-ordinate with Vendor to resolve sticky/complicated Management issues. Hold regular patch review meetings. Prepare a list of overdue patches. Review and close the list of not deployed patch. For Internal Use Only Page 12 of 13
13 Role Implementation Lead Responsibilities Coordinate with the Manager to decide on Scheduling. Update Management tracker. Work in close coordination with patch implementers for patches that have issues. Implementer Receive the patch advisory from the Manager. Receive the Updation Schedule from the Implementation team lead. Obtain the patches from the designated Trusted Source/ Vendor as per advisory. Install and verify the patch on Test bed. Provide the patch test results to the Manager. As per Change Management Procedure, deploy the patch and prepare the Updation Report. 7. PROCESS DEPENDENCY AND REFERENCE Incident Management Procedure Change Management Procedure For Internal Use Only Page 13 of 13
Information Security Incident Management Guidelines. e-governance
Information Security Incident Management Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationSecurity Testing and Vulnerability Management Process. e-governance
Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationRemote Access Procedure. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationE-gov Asset Handling and Labelling Guidelines
Asset Handling Labeling guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control
More informationPatch Management Procedure. Andrew Marriott andrew.marriott@fylde.gov.uk 01253 658578 PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1
Title: Patch Management Andrew Marriott andrew.marriott@fylde.gov.uk 01253 658578 PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1 Contents 1. Introduction... 4 2. Objectives... 4 3. Context... 4 4. Responsibility...
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationINSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.
Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationMWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010
al al MWR InfoSecurity Security Advisory Symantec s Altiris Deployment Solution File Transfer Race Condition 7 th January 2010 20010-01-07 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...4
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationApplication Security Framework. e-governance
Application Security Framework for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L
More informationChange Management Process
Change Management Process Version 1.0 1 Table of Contents 1 About This Document... 3 1.1 Document Objective... 3 1.2 Process Objectives... 3 2 Change Request Lifecycle Stages... 4 3 Change Request (CR)
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationGuideline on Vulnerability and Patch Management
CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board
More informationHow To Use Qqsguard At The University Of Minneapolis
Qualys is a vulnerability scanner that is used for critical servers and servers subject to compliance reporting. This scanner is not generally to be used for desktop or laptop scanning. OIT has purchased
More informationAppendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY
Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
More informationINTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume 3,
More informationCourse: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
More informationSTATE OF ARIZONA Department of Revenue
STATE OF ARIZONA Department of Revenue Douglas A. Ducey Governor September 25, 2015 David Raber Director Debra K. Davenport, CPA Auditor General Office of the Auditor General 2910 North 44 th Street, Suite
More informationUMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY Originator: IT Performance and Capacity Management Policy Approval and Version Control Approval Process: Position or Meeting
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationHow To Manage A Patch Management Process
PATCH MANAGEMENT: CHANGE, CONFIGURATION AND RELEASE OR SOMETHING MORE? By Grant Adams Principal Consultant Fox IT March 2007 Fox IT 2007 Page 1 of 6 PATCH MANAGEMENT Ask many IT Managers what Patch Management
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationSecurity Patch Management
The knowledge behind the network. Security Patch Management By Felicia M. Nicastro Senior Network Systems Consultant International Network Services Security Patch Management March 2003 INS Whitepaper 1
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationComputer Security Incident Response Team
University of Scranton Computer Security Incident Response Team Operational Standards Information Security Office 1/27/2009 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0 Establishment
More informationThird Party Security Guidelines. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationAPPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW
EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
More informationVulnerability Management Policy
Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully
More informationComputer Security Incident Response Team
Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationInfrastructure Information Security Assurance (ISA) Process
Infrastructure Information Security Assurance (ISA) Process Handbook AS-805-B March 2005 Transmittal Letter A. Explanation. As part of the Postal Service s efforts to enhance security across all technology
More informationPatch Management Policy
Patch Management Policy L2-POL-12 Version No :1.0 Revision History REVISION DATE PREPARED BY APPROVED BY DESCRIPTION Original 1.0 2-Apr-2015 Process Owner Management Representative Initial Version No.:
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationInformation Security. Incident Management Program. What is an Incident Management Program? Why is it needed?
Information Security Incident Management Program What is an Incident Management Program? It is a coordinated program of people, processes, tools and technology, which prevents and manages information security
More informationSTATE OF NEW JERSEY IT CIRCULAR
NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Chris Christie, Governor 300 River View E. Steven Emanuel, Chief Information Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR
More informationOhio Supercomputer Center
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationIBM Managed Security Services Vulnerability Scanning:
IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2
More informationUBC Incident Response Plan
UBC Incident Response Plan Contents 1. Rationale... 1 2. Objective... 1 3. Application... 1 4. Definitions... 1 4.1 Types of Incidents... 1 4.2 Incident Severity... 2 4.3 Information Security Unit... 2
More informationHow To Ensure The C.E.A.S.A
APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationFeedback Ferret. Security Incident Response Plan
Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationFortinet Solutions for Compliance Requirements
s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationIncident Response Plan for PCI-DSS Compliance
Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible
More informationMicrosoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and lesssecure
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationIncident Response Team Responsibilities
Scope Any incidents that originate from, are directed towards, or transit Department of Earth and Planetary Sciences controlled computer or network resources will fall under the purview of this Incident
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationAcceptable Usage Guidelines. e-governance
Acceptable Usage Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationGuide to Vulnerability Management for Small Companies
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
More informationPATCH MANAGEMENT POLICY IT-P-016
IT-P-016 Date: 28 th March, 2016 Stamford International University ( STIU ) Patch Management Policy Rationale Stamford International University ( STIU ) is responsible for ensuring the confidentiality,
More informationCyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology
Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationObtaining Enterprise Cybersituational
SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational
More informationE Governance Security Standards Framework:
Version: 1.0 January, 2010 E Governance Security Standards Framework: An Approach Paper Government of India Department of Information Technology Ministry of Communications and Information Technology New
More informationPATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
More informationCyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac.
Cyril Onwubiko Networking and Communications Group http://ncg ncg.kingston.ac..ac.uk http://ncg.kingston.ac.uk +44 (0)20 8547 2000 Security Threats & Vulnerabilities in assets are two most fundamental
More informationDIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.
ICSA Labs Web Application Firewall Certification Testing Report Radware Inc. V5.6.4.1 May 30, 2013 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com WAFX RADWAREINC-2013-0530-01
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 17 IT Security Controls, Plans and Procedures First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Implementing IT Security
More informationVulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationStandard: Vulnerability Management and Assessment
Standard: Vulnerability Management and Assessment Page 1 Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members.
More informationU.S. SECURITIES & EXCHANGE COMMISSION
PBX and Analog Lines Security Assessment U.S. SECURITIES & EXCHANGE COMMISSION March 31, 2000 Prepared by Deloitte & Touche LLP Enterprise Risk Services - 1 - 1 Executive Summary 1.1 Overview Deloitte
More informationPolicy Title: HIPAA Security Awareness and Training
Policy Title: HIPAA Security Awareness and Training Number: TD-QMP-7011 Subject: HIPAA Security Awareness and Training Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy:
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationAsset management guidelines
Asset management guidelines 1 IT asset management (ITAM) overview Objective Provide a single, integrated view of agency assets in order to allow agencies to identify the asset location and assess the potential
More informationImplementing Security Update Management
Implementing Security Update Management Wayne Harris MCSE Senior Consultant Certified Security Solutions Business Case for Update Management When determining the potential financial impact of poor update
More informationUnderstanding changes to the Trust Services Principles for SOC 2 reporting
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting
More informationCommon Cyber Threats. Common cyber threats include:
Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationNCUA LETTER TO CREDIT UNIONS
NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA DATE: August 2001 LETTER NO.: 01-CU-11 TO: SUBJ: ENCL: Federally Insured Credit Unions Electronic Data
More informationOverview of Service Support & Service
Overview of Service Support & Service Delivery Functions ITIL Service Support / Delivery- 1 Service Delivery Functions Availability Management IT Services Continuity Management Capacity Management Financial
More informationInformation Technology Policy
ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose
More informationStep-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses
Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.
More informationMANAGED FIREWALL SERVICE. Service definition
MANAGED FIREWALL SERVICE Service definition Page 1 of 4 Version 1.2 (03/02/2015) NSMS Managed Firewalls Service Definition Understanding of a firewall service The function of any firewall service is to
More informationUTH ihltli. The University of Texas Health Science Center at Houston. July 10, 2015. Report on Exchange System Audit #15-206
-- UTH ihltli The University of Texas Health Science Center at Houston Office of Auditing & Advisory Services July 10, 2015 Report on Exchange System Audit #15-206 We have completed our audit of the Microsoft
More informationPATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5
Page 1 of 5 TABLE OF CONTENTS 1. OVERVIEW... 3 2. DEFINITIONS... 3 3. PURPOSE... 3 4. SCOPE... 3 5. POLICY... 4 6. WORKSTATIONS... 4 7. SERVERS... 4 8. ROLES AND RESPONSIBILITIES... 4 9. MONITORING AND
More information