SNS Funding and IT Strategic Plan
FY IT Budget Proposal
IST: Systems & Network Security (SNS)
ABBA Category One: Institutional Effectiveness
ABBA Category Two: Information Technology

For more information about this proposal, contact: Michael Green

SNS is responsible for managing risk associated with network-attached hosts for all of the UCB campus. SNS currently offers host vulnerability scanning, detection of compromised hosts at the border, and scanning for hosts that are not regularly patched. SNS handles customer communication for all of these activities.

1. Alignment with IT Strategic Plan
This budget request is for SNS funding to support the security, reliability, and access portion of the IT Strategic Plan.

2. Impact
SNS is the central system and network security organization and serves the entire campus.

3. Risk assessment
If we don't fund SNS, we will not have central host vulnerability assessments, intrusion detection at the border, or incident management.

4. Innovation
The role of SNS is primarily operational. This does not preclude SNS from innovating in areas such as restricted data management, but the primary mission is to manage risk associated with network-attached hosts.

5. Funding model
The funding model for SNS is sustainable at the level being requested. The staff is fairly small and there are no efficiencies to be gained without reducing services.

March 29,
Base Funding

SNS is funded by a combination of campus and IST/CIO funding. In FY06-07, the campus allocated $960K to fund SNS, IST provided $120K to cover the cost of one FTE, and the CIO provided $280K for labor and software. At a high level, funding for SNS in FY06-07 looked like this:

Base Budget - Campus Funding
  Labor and benefits ..................................................... $492,640
  Training for SNS employees .............................................. $12,000
  Supplies and expenses for SNS employees, includes hosting ............... $33,932
  Software (RDM, Pointsec, Foundstone, Symantec, Tripwire
    and host security bundle) ............................................ $351,873
  Hardware (purchase and refresh) ......................................... $50,668
  Hardware (maintenance) ................................................... $5,067
  Office space ............................................................ $13,680
  Funding from campus .................................................... $959,860

Base Budget - CIO and IST Funding
  Labor and benefits ..................................................... $342,032
  Training ................................................................. $6,000
  Supplies and expenses ................................................... $29,766
  Consultants (Security Training) ......................................... $22,000
  Funding from CIO and IST ............................................... $399,798

Total funding .......................................................... $1,359,658

The FY06-07 numbers form the base for the FY07-08 budget.
Staff

The core SNS group consists of five full-time employees, a half-time supervisor, and 0.25 of an FTE to work on application vulnerability assessments. For day-to-day management, SNS reports through the IST Infrastructure Services group. The campus security group (CISPC) oversees SNS activities.

Major SNS accomplishments in FY06-07

Release of the Restricted Data Management (RDM) application
Working with IST Application Services, SNS developed an application that allows departments to register systems that contain restricted data. The RDM has been integrated into SNS notification and scanning systems. Hosts registered in the RDM are scanned more frequently and thoroughly. Any incident associated with a system registered in the RDM results in a priority ticket being generated and senior SNS staff being immediately notified. The RDM system has been well received by the UC security community and has been offered to other campuses at no charge. UCLA was the first to take us up on this offer.

Made progress in moving from compromise notification to risk management
In the past, SNS primarily focused on notifying security contacts that a host in their department had been compromised and was attacking other systems. In FY06-07, SNS made significant progress toward the goal of working with campus departments to manage the risks associated with running networked systems. Using results from the Foundstone host vulnerability scanner, SNS notified departmental security contacts of systems that had a high risk of being compromised. SNS also now routinely notifies security contacts of Windows systems that have not been patched.

FY07-08 security priorities and estimated costs

Four key security initiatives have been proposed for 07-08. The incremental cost of doing all four would be around $300K, increasing the total annual central campus security expense from $1.3M to $1.6M. The items below are in order of CISPC priority.
The numbers in parentheses are estimated annual costs, except for the RDM modification (Priority 2), which is a one-time cost.

1. Hire an education and outreach manager ($115,822)
Hire a person to develop a more comprehensive campus security education and outreach program. This position, recommended by the PWC security audit and by peer campuses, will coordinate campus security education efforts and work with committees like the Committee for Protection of Human Subjects, CISPC and DSC, as well as the FERPA and HIPAA officers, to come up with communication plans for policies and compliance. Campus security committees and officers do a good job of developing policy and technical methods to monitor compliance, but are not extremely effective at
communicating with each other or with the campus. One of the key responsibilities of the person in this position will be to make sure that there is more effective campus communication. The $115,882 is an annual ongoing cost.

2. Add registration of restricted data feeds to the RDM ($35,000)
The purpose of this project is to modify the RDM so that data owners have a way to review, then approve or reject, requests for restricted data feeds. This work will be done by IST Application Services, who built the RDM application and who have already developed some basic code to provide restricted data feed management. The Data Stewardship Council (DSC) has formed a working group to evaluate the best way to handle restricted data feed registration. SNS will participate in the DSC effort, develop requirements, and work with IST Application Services to modify the RDM. The $35,000 is a one-time cost.

3. Develop an application vulnerability assessment service ($137,448)
In the past, persons looking to gain unauthorized control of a computer system targeted weaknesses, typically weaknesses in software that had not been patched. Software with vulnerabilities, particularly system software that runs with access to all parts of a system, can be attacked to gain complete control of the system. Gaining access to a system with vulnerable system software is not difficult, but fortunately it is possible to keep a system reasonably patched and fend off the casual attacker. This is why SNS has spent so much effort building systems to notify users that their systems need to be patched.

There are other ways to gain access to system information. Two that are of some concern are cross-site scripting (XSS) and SQL injection. The basic idea behind both of these is to get a server to run commands that the attacker sends to the server. In the case of SQL injection, the commands are designed to retrieve data.
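The SQL injection mechanism described above, shown beside the fix an application vulnerability assessment would be checking for, as an added example that is not part of the original proposal. The table, host names and departments are constructed sample data, and the escaped greeting is the corresponding output-encoding defence for XSS.

```python
import html
import sqlite3

# Constructed sample data (not from the original proposal): a small table
# of registered hosts, standing in for a departmental web application's database.
SAMPLE_ROWS = [
    ("ee-web01", "EECS", "restricted"),
    ("chem-db02", "Chemistry", "restricted"),
    ("lib-kiosk03", "Library", "public"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (name TEXT, dept TEXT, data_class TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, dept: str) -> list:
    """The weak form: the user's input is pasted into the SQL text, so whatever
    the user sends becomes part of the command the server runs."""
    sql = f"SELECT name FROM hosts WHERE dept = '{dept}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, dept: str) -> list:
    """The hardened form: the query text is fixed and the input travels as a
    bound parameter, so it can only ever be compared as data."""
    sql = "SELECT name FROM hosts WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


def render_greeting(user_supplied_name: str) -> str:
    """XSS counterpart: encoding output keeps user-supplied text from being
    interpreted as HTML by the browser that receives the page."""
    return f"<p>Hello, {html.escape(user_supplied_name, quote=True)}</p>"


def demo() -> dict:
    """Run both lookups with a normal value and with a constructed input that
    closes the quoted string and appends an always-true condition."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input, not a real request
    return {
        "normal_vuln": lookup_vulnerable(conn, "EECS"),
        "normal_safe": lookup_parameterized(conn, "EECS"),
        # vulnerable form returns every host; the filter was rewritten by the input
        "probe_vuln": lookup_vulnerable(conn, probe),
        # parameterized form compares the whole string as data and matches nothing
        "probe_safe": lookup_parameterized(conn, probe),
        "greeting": render_greeting("Ann <script>x</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```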
SNS needs to develop the capability to detect Web applications that are vulnerable to XSS and SQL injection attacks and to notify the developers of those applications that they need to be fixed. IBM recently completed some consulting intended to help us review tools, both open source and commercial, which scan applications looking for vulnerabilities that can be exploited to gain access to, or information from, a system via its user interface. It is important that automated vulnerability scanners be accurate: too many false positives cause alerts to be ignored. From our testing, and testing with IBM, we feel that the commercial product AppScan is a good product to use for application vulnerability scanning. UCOP is releasing an RFP, so the cost of the software may be lower than the quote that we got from the vendor. Doing application vulnerability assessments properly requires that the person interpreting the results of the scans have a clear understanding of how applications are developed. The estimated annual cost listed above includes 75% of a PA IV who has the appropriate level of experience with application
development and understands how to interpret the results of the vulnerability scans. Part of the consulting engagement with IBM was to transfer knowledge of how to properly interpret the results of application vulnerability scans. To keep that experience relevant, the other 25% of this person's time will be spent in IST Application Services as a member of the Web Applications team. The $137,448 is an annual ongoing cost.

4. Deploy IDS in the interior of the campus network ($16,000)
SNS currently monitors traffic only at the border and, for the most part, only outgoing traffic. An IDS in the interior of the campus network would allow us to detect attacks that don't leave the campus network. The $16,000 is an annual ongoing cost.

Impact of adding priorities 1 and 2 to the annual security budget

If we hire an education and outreach manager and add registration of restricted data feeds to the RDM, the SNS base budget increases from $960K to $1.1M, bringing the total annual cost of central campus security to $1.5M.

Base Budget + Priorities 1 and 2 - Campus Funding
  Labor and benefits ..................................................... $601,540
  Training for SNS employees .............................................. $14,000
  Supplies and expenses for SNS employees, includes hosting ............... $38,854
  Software (RDM, Pointsec, Foundstone, Symantec, Tripwire, host security
    bundle, RDM restricted data feed registration) ....................... $386,873
  Hardware (purchase and refresh) ......................................... $50,668
  Hardware (maintenance) ................................................... $5,067
  Office space ............................................................ $13,680
  Funding from campus .................................................. $1,110,682

Base Budget + Priorities 1 and 2 - CIO and IST Funding
  Labor and benefits ..................................................... $342,032
  Training ................................................................. $6,000
  Supplies and expenses ................................................... $29,766
  Consultants (Security Training) ......................................... $22,000
  Funding from CIO and IST ............................................... $399,798

Total funding .......................................................... $1,510,480
AVC-IT CIO FY BUDGET SUBMISSION
Summary of Funding Model: IST: SYSTEMS & NETWORK SECURITY (SNS) (Base + Priorities 1 & 2)

Summary of funding: campus vs other (ACTUAL / PROJECTED)

                                      FY           FY           FY           FY           FY
Campus funding sources
  Temporary/development               $0           -$140        $0           $0           $0
  Permanent/on-going                  -$597,897    -$959,860    -$1,110,682  -$1,075,682  -$1,075,682
  Total campus funding sources        -$597,897    -$960,000    -$1,110,682  -$1,075,682  -$1,075,682
Other funding sources (IST/CIO)
  Temporary/development               -$456,164    -$399,658    -$399,798    -$399,798    -$399,798
  Permanent/on-going                  -$3,134      $0           $0           $0           $0
  Total other funding sources         -$459,298    -$399,658    -$399,798    -$399,798    -$399,798
TOTAL ALL FUNDING SOURCES             -$1,057,195  -$1,359,658  -$1,510,480  -$1,475,480  -$1,475,480

Note: In accordance with the University's accounting system, positive numbers are expenses or deficits, while negative numbers are funding or surpluses.

March 29, 2007 Page 17
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationPrinciples of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance
Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing
More informationWEB Penetration Testing
FTA Annual Conference WEB Penetration Testing and Vulnerability Analysis June 10, 2008 Timothy R. Blevins, KDOR Chief Information Officer 1 WEB Penetration Testing What is WEB Penetration Testing? When
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationStudent Tech Security Training. ITS Security Office
Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with
More informationDepartment of Information Technology Software Change Control Audit - Mainframe Systems Final Report
Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report March 2007 promoting efficient & effective local government Introduction Software change involves modifications
More informationDETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious
More informationAudit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon
U.S. Department of Agriculture Office of Inspector General Western Region Audit Report Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland,
More informationOffice of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits
Office of the Inspector General United States Office of Personnel Management Statement of Michael R. Esser Assistant Inspector General for Audits before the Committee on Appropriations United States Senate
More informationAn Evaluation of Privacy and Security Issues at a Small University
An Evaluation of Privacy and Security Issues at a Small University Abstract by Michael North Carolina Agricultural and Technical State University mejones@ncat.edu Colleges and universities process large
More informationThe Berkeley Desktop
Project Details Title The Berkeley Desktop Submitter The Berkeley Desktop Bill Allison, wallison@berkeley.edu Director, Architecture, Platforms and Integrations, Information Services & Technology, University
More informationHosts HARDENING WINDOWS NETWORKS TRAINING
BROADVIEW NETWORKS Hosts HARDENING WINDOWS NETWORKS TRAINING COURSE OVERVIEW A hands-on security course that teaches students how to harden, monitor and protect Microsoft Windows based networks. A hardening
More informationInformation Security Plan May 24, 2011
Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised
More informationMANAGED SECURITY SERVICES (MSS)
MANAGED SECURITY SERVICES (MSS) The Cyber Security Initiative. Cybercrime is becoming an important factor for CIOs and IT professionals, but also for CFOs, compliance officers and business owners. The
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationBitrix Software Security. Powerful content management with advanced security features
Bitrix Software Security Powerful content management with advanced security features Internet Security 2009 Quick Facts* 210,000 websites are attacked every month on the Internet $234,244 is your approx.
More informationAutomated vulnerability scanning and exploitation
Automated vulnerability scanning and exploitation Dennis Pellikaan Thijs Houtenbos University of Amsterdam System and Network Engineering July 4, 2013 Dennis Pellikaan, Thijs Houtenbos Automated vulnerability
More informationAudit Report. Management of Naval Reactors' Cyber Security Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,
More information