IT SECURITY PROGRAM MANAGEMENT
GOEBEL ASSOCIATES
IT Management with Value and Purpose

IT SECURITY PROGRAM MANAGEMENT
HOW TO ADD VALUE AND GIVE PURPOSE TO YOUR INFORMATION SECURITY PROGRAM (Suarez, K. 2007)

DANIEL C GOEBEL, CISSP, ITIL, ISO - GOEBEL ASSOCIATES
KENNETH SUAREZ, CISSP - SUAREZ CONSULTING INC.
JAMES AUSTIN, CISSP, PMP - ENLIGHTENED INC.

Copyright Goebel Associates. All Rights Reserved. W 5th St, Frederick, MD. www.goebelassociates.com
Executive Overview

What is the best way to look at how to secure your information? There is not an easy answer. Certainly information does not remain static, and neither should your Security Program. The concept of Life Cycle management is not new. Cycles occur in nature all the time. The ability to mimic nature is very flattering, but to be able to direct it is an altogether different matter.

We present a view on how an Information Security Program can be implemented. We see that there are some basic patterns that repeat themselves over and over. We see that there is a central viewpoint from which we can regain control of your Information Security. In essence, there are 4 areas that revolve around a central controlling area. We call the 4 areas Pillars and the central theme a Singular Purpose. The 4 Pillars are guided by a set of three triads that concern our information and how it is governed.

We'll explore Strategy and Planning, Acquisition and Development, Risk Management, and Operations and Maintenance. These will revolve around the ability to measure value by using the correct metrics, whose stewards are specifically trained to extract the best results possible. Each area will have specific controls attributed to it covering the 7 Security Principles of Governance, Monitoring, Continuous Improvement, Technical Management, Privacy, Business Continuity, and Awareness and Training.

The 4 Pillars

Strategy and Planning

While we all know that it pays to measure twice and cut once, if you measure the wrong thing then you still end up with a piece that has to be redone. Careful planning involves considering where the organization needs to go in terms of how it provides its product or service. Only then can a reasonable set of solutions be offered. One would like to think that all one has to do is apply all the controls from a given framework to cover any possible action, but some controls are costly to implement, therefore one has to look at the reasoning behind such an action.

How the organization is set up matters as well. Is your organization set up to centrally manage its resources, or is it set up to have individual business units do it for themselves? Or is it somewhere in between, as is seen in a Federated model? Or is it that your model needs to change based upon the direction or regulations coming down the road?

Attacking the implementation of Information Security Management is no less daunting. Some institutions keep Policy management separated from Engineering while others make no distinction. What's correct for your organization depends on many factors and there is no absolutely correct way of handling it. In any of the above scenarios it is important to communicate your vision, strategy, and mission to those who are implementing it. And those who implement it should be allowed to give feedback on improving how it is done. Regulations and markets change with ease; so should your strategy.

Acquisition and Development

For organizations that are not in the business of developing their own software, the option of acquiring off-the-shelf software requires due diligence, not only from a contracts management perspective, but from an architecture perspective. Not all software is secure. This becomes more apparent when it is introduced into a complex environment. The same amount of effort goes into testing whether it will adhere to the overall Enterprise Architecture requirements, whether it will give the results needed, and whether it plays well with others. There is no software that exists completely on its own. Proper testing is vital.

Similarly, when it is decided that software is best developed in house, the concepts of how your development proceeds closely follow how quickly it needs to be developed and what the culture is like for your organization. Both of these will help determine your methodology (i.e. Agile, Extreme, Waterfall, etc.). In any methodology chosen the PMO is closely involved to realize and track the organization's Earned Value.

Risk Management

Management of risk is well known among financial analysts and business people. The same principles hold true for Information professionals. There are some very good frameworks and methodologies, such as the OCTAVE method, NSA IAM/IEM, M_o_R, NIST, etc. All these explore threats, vulnerabilities, likelihood, and impact. What's important is that Risk Management is continuous, but even more so that it is done before the Information is put into production. The ability to properly transition information from acquisition or development into operations is an important aspect, exercising the system fully before it is used. Even after it has been put into production, the procedures and containers of information need to be periodically reviewed, at minimum every year, preferably in real time.

Operations and Maintenance

The O&M arena has been the traditional cornerstone of the Security Program. It has been in this area that administrators have had to come up with their own innovative methods of protecting the information on IT systems. From the days of the Morris worm to modern day botnets, these hardworking people have had to spend inordinate amounts of time and effort to combat everyday threats.

There is a solution. This solution involves defining what is done on a day to day basis and categorizing those processes into service areas. Luckily this has been done for IT in general. The IT Infrastructure Library (ITIL) is in its third revision and provides guidance to any organization involved in information stewardship. With the latest revision of ITIL, now an international effort, the organization can view the services it provides in terms of a life cycle. The steps in this life cycle are: Strategy, Design, Transition, Operations, and Continuous Improvement. These phases of Information Management make it possible to mature a program to become proactive, not just reactive. What needs to be kept in mind is that since Security Operations mirrors IT Operations in general, all ITIL concepts equally apply. Some argue that Security Management is not an area that should be separated out, but rather that it should be fully integrated within.

Triad of Three

Tenets

Confidentiality - Defined as limiting information, documents, etc., so classified, to persons authorized to use them. It is the capability to ensure that only those who are authorized to access the information are easily allowed to do so, and those who are not allowed are denied access. This touches on the principle of Privacy.

Integrity - Knowing that the information you are using has not been altered is the assurance of this tenet. Simple techniques, such as a CRC or a hash, are examples of an integrity check.

Availability - This tenet follows closely on the requirement that the business side of an organization be involved in defining what constitutes available or not. Business continuity is called that for a reason. Information does not care if it is available or not; the users of that information do, however. The business of Disaster Recovery, Continuity of Operations, and Business Continuity Planning all involve how the organization defines its business and any Service Level Agreements that it has in place with its customers.

Areas

Management - The area of Management identifies those principles that cover Governance and Policy. In tune with this is that the improvement of the IT program has to be done by taking a look at those metrics that are defined and agreed upon. When an organization has achieved this level of maturity, it can be said that it possesses a continuously improving Program of Security.

Operational - The area defined under Operational is where the rubber meets the road. Unless you can operationalize how your Security Program is implemented, it is of no use to the organization. In order to help in this area, the procedures and run books have to be defined, mapped to other procedures, and reviewed periodically so that there is a basic understanding of how the facility is run on a daily, weekly, monthly, and yearly basis.

Technical - This is the area that gets much of the present day attention. While this is obviously necessary, it is also unfortunate. When we talk of a technical control area we do not imply that technology will be a panacea, but rather that when technology is applied toward safeguarding your information, these technical considerations will be given, regardless of the technical solution. In the adage of People, Process, and Technology, Technology is the final consideration, after you have decided who will do it and how it is to be done. In any maturity model the actual technology is not even a consideration.

Information Protection

At Rest - Information sitting around in file shares and file cabinets is waiting for someone to come along and look at it. The information does not care who looks at it, but the owner of that information does care. It may be sensitive military information or it may be intellectual property; either way, denying access to those who are unauthorized to see it is important while the data is just sitting there. Simple tools, such as a lock for the file cabinet or encryption for all laptops, which are seeing ever increasing rates of being stolen or lost, are vitally important.

In Transit - Encryption of information is as old as Caesar. From the simple alphabetic substitution ciphers of the Roman army to the vastly complicated modern algorithms, protecting information while it is being transmitted is important and even easier to implement these days.

During Processing - This particular information state is often an under-considered state for information to be in. Normally one considers whether the information is in transit or at rest, but the usually transient state when the information is being transformed or searched has to be considered as well.

Singular Purpose

IT Value

The overall goal of having an IT Security Program is to bring value and protection to all areas of your business. We have to keep in mind that it is information we are protecting. This means protecting the people who are stewards of an organization's data, protecting the places where this information is being stored, and the resources that will make use of this information. To do that will require some oversight. The Project Management Institute and its Project Management Body of Knowledge can help. This will lead to the ability to provide continuous improvement for all future IT Security projects.

Project Management Office

A successful IT project requires accurate estimation, careful planning, constant monitoring, and the ability to learn from past mistakes. The Project Management Institute (PMI) has been engaged in understanding how projects can become successful for quite a few years. It is their ability to comprehensively and succinctly put together a body of knowledge around project management that allows organizations to successfully implement a full blown Program Management Office (PMO). The PMO can be as simple as an in-house consultancy providing guidance to more autonomous areas of project management, or it can be that overarching management structure collating and keeping track of all projects within an organization. Most likely it lies somewhere in between the two extremes, and it is based upon how the organization is set up (i.e. centralized, federated, etc. See the section on Strategy and Planning).

The purpose of the PMO is to manage resources and monitor the progress of ongoing projects, as well as to see that value is derived from the projects. Since Information Security has become such an integrated aspect of how the organization engages in business, there should be dedicated project managers for the various security projects. Examples of this are titles such as Security Officer (SO) or Information System Security Officer (ISSO). The people who are designated as such should be given every opportunity to not only have enough accountability for the implementation of the Security Program, but should also be empowered enough to make reasonable judgements in how the program should be improved.

Continuous Improvement

How does one improve the overall Security Program? With the PMI's Body of Knowledge and the 5 stages of a project (Initiation, Planning, Developing, Monitoring, and Closing), the organization can set up metrics and controls during the project life cycle to gauge overall performance. It is precisely the ability to marry the correct and easily gathered metrics to the overall goals and mission of an organization that will provide the most benefit for the organization. Coming up with metrics for metrics' sake, with no relevance to what the business deems valuable, will prove to be a red herring for business decisions and ultimately will be of no value to anyone.

Metrics for a security program require what we like to call a lot of front loading. This extra effort up front will go a long way in helping everyone on the project keep the end goals in mind and strive for what's important for the business. When even the least significant person is involved in determining what should be measured and how it can be measured, then the whole team presents a coherent picture of what needs to be accomplished.

To help illustrate the complexity of a good metric we have an example. An organization measures how many e-mails contain viruses, and are thus blocked, on a weekly basis. What is it that we are measuring? In simple terms we can measure the percentage of e-mails that contain viruses compared to non-virus-carrying e-mails and eventually get a trend over a year's period. But what does that measure? It might measure that spam e-mails versus virus e-mails are changing proportions and that we will need to bolster resources towards spam. But the real question should be: how many virus-laden e-mails did we NOT catch? This is a difficult question. Yes, we are blocking viruses, and this goes to show that at least that one control in enterprise security management is being handled, but how can we improve the implementation of that control? This is where the organization has to sit down and talk it over with subject matter experts and come up with meaningful measurements.

Summary

Information Security is more than tossing some technology at the problem; it involves full cooperation of all involved, especially those business stakeholders who have the most to lose. The coordination of strategy, development, risk management, and operations, with the continual monitoring and improving of security services, is an engagement unlike any that has been experienced in the past. There are no cookie-cutter approaches to how to do it; that is why it is important to ensure all stakeholders understand the goals and mission of the organization as a whole. The capacity of an organization rests in the effort of everyone to carry out that mission to their own specific capability. Finding the experts to accurately engage the organization is half the battle.

Acknowledgements

Daniel C Goebel, CISSP, ITIL Foundations, ISO27001 certified - Dan has been involved in the IT industry since He has worked on Wall Street, for hospitals, at Bell Labs, at Rutgers University, and since 2003 has been consulting in the federal and civilian enterprise security space. He has an undergraduate degree in Biology from Rutgers University and is presently finishing up his Executive IT Master's degree with the CIO certificate from the University of Maryland University College.
More informationIS YOUR DATA WAREHOUSE SUCCESSFUL? Developing a Data Warehouse Process that responds to the needs of the Enterprise.
IS YOUR DATA WAREHOUSE SUCCESSFUL? Developing a Data Warehouse Process that responds to the needs of the Enterprise. Peter R. Welbrock Smith-Hanley Consulting Group Philadelphia, PA ABSTRACT Developing
More informationTop 20 IT Risks for the Healthcare Industry and How to Mitigate Them
Top 20 IT Risks for the Healthcare Industry and How to Mitigate Them By Raj Chaudhary, CRISC, CGEIT, and Robert L. Malarkey, CISSP, CISA Moving into 2015, the healthcare industry continues to undergo dramatic
More informationBOYD- Empowering Users, Not Weakening Security
BOYD- Empowering Users, Not Weakening Security Table of Contents Exec summary... 3 Benefits of BYOD... 4 Threats that BYOD Harbours... 5 Malware... 5 Data Leakage... 5 Lost or Stolen Devices... 5 Public
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification is a unique new certification which
More informationStable and Secure Network Infrastructure Benchmarks
Last updated: March 4, 2014 Stable and Secure Network Infrastructure Benchmarks 501 Commons has developed a list of key benchmarks for maintaining a stable and secure IT Infrastructure for conducting day-to-day
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationTom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh
Effectively Completing and Documenting a Risk Analysis Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS Session Objectives Identify the difference between risk analysis and risk assessment
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification differentiates you from your competition.
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationMAXIMUM PROTECTION, MINIMUM DOWNTIME
MANAGED SERVICES MAXIMUM PROTECTION, MINIMUM DOWNTIME Get peace of mind with proactive IT support Designed to protect your business, save you money and give you peace of mind, Talon Managed Services is
More informationHow To Use A Real Time Performance Management System
OSIsoft, Inc. 777 Davis Street Suite 250 San Leandro, CA 94577 www.osisoft.com Copyright 2007 OSIsoft, Inc. All rights reserved. OSIsoft and the OSIsoft logo are trademarks of OSIsoft, Inc. 1 Overview
More informationOPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.
OPTIMUS SBR CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. Optimizing Results with Business Intelligence Governance This paper investigates the importance of establishing a robust Business Intelligence (BI)
More informationHow to Leverage HIPAA for Meaningful Use
How to Leverage HIPAA for Meaningful Use The overlap between HIPAA and Meaningful Use requirements 2015 SecurityMetrics How to Leverage HIPAA for Meaningful Use 2 About this ebook Who should read this
More informationDeveloping and Implementing a Strategy for Technology Deployment
TechTrends Developing and Implementing a Strategy for Technology Deployment Successfully deploying information technology requires executive-level support, a structured decision-making process, and a strategy
More informationHow To Protect Your Information From Being Hacked By A Hacker
DOL New Hire Training: Computer Security and Privacy Table of Contents Introduction Lesson One: Computer Security Basics Lesson Two: Protecting Personally Identifiable Information (PII) Lesson Three: Appropriate
More informationBlending Corporate Governance with. Information Security
Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power
More informationHP Cyber Security Control Cyber Insight & Defence
HP Cyber Security Control Cyber Insight & Defence Security awareness at board level Security leadership is under immense pressure Cyber threat Extended supply chain Financial loss Reputation damage Cost
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationCommand Center Handbook
Command Center Handbook P r o a c t i v IT e Monitoring Protecting Business Value Through Operational Excellence Abdul A Jaludi Copyright 2014 Abdul A Jaludi abby@tag-mc.net www.tag-mc.net All rights reserved.
More informationHow To Understand And Understand The Concept Of Business Architecture
WHITE PAPER Business Architecture: Dispelling Ten Common Myths William Ulrich, TSG, Inc. Whynde Kuehn, S2E Consulting Inc. Business Architecture: An Evolving Discipline B usiness architecture is a maturing
More informationEmail Archiving, Retrieval and Analysis The Key Issues
Email Archiving, Retrieval and Analysis The "If you are going to find a smoking gun, you will find it in email." Abstract Organisations are increasingly dependent on email for conducting business, internally
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationTen Mistakes to Avoid
EXCLUSIVELY FOR TDWI PREMIUM MEMBERS TDWI RESEARCH SECOND QUARTER 2014 Ten Mistakes to Avoid In Big Data Analytics Projects By Fern Halper tdwi.org Ten Mistakes to Avoid In Big Data Analytics Projects
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationCOUNCIL POLICY R180 RECORDS MANAGEMENT
1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.
More informationEvaluate the Usability of Security Audits in Electronic Commerce
Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka
More informationEliminating Infrastructure Weaknesses with Vulnerability Management
A Guidance Consulting White Paper P.O. Box 3322 Suwanee, GA 30024 678-528-2681 http://www.guidance-consulting.com Eliminating Infrastructure Weaknesses with Vulnerability Management By Guidance Consulting,
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996.
HIPAA Training What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It provides the ability to transfer and continue health insurance coverage for workers
More informationHOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM
HOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM Prepared by Gwen Thomas of the Data Governance Institute Contents Why Data Governance?... 3 Why the DGI Data Governance Framework
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationGovernment Worker Privacy Survey. Improper Exposure of Official Use, Sensitive, and Classified Materials
Government Worker Privacy Survey Improper Exposure of Official Use, Sensitive, and Classified Materials 1 Introduction Data privacy is a growing concern for the US government as employees conduct business
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationINFORMATION SECURITY PROGRAM
WSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM November 30, 2012 Version 5.2 Table of Contents A. Introduction.Page 1 B. Program Coordinators..Page 2 C. Security Risk Assessment.Page 3 1. Employee
More information