Janet Pietrofere, CIA, CISA, CICA, CRISC IS Digital Risk & Security Compliance Lead National Grid Corporation

Size: px
Start display at page:

Download "Janet Pietrofere, CIA, CISA, CICA, CRISC IS Digital Risk & Security Compliance Lead National Grid Corporation"

Transcription

1 MS SQL Database Auditing Janet Pietrofere, CIA, CISA, CICA, CRISC IS Digital Risk & Security Compliance Lead National Grid Corporation Donald Campanaro, CRISC, MBA Senior Compliance Analyst National Grid Corporation May 8, 2012

2 National Grid Corporation National Grid is an international electricity and gas company and one of the largest investor-owned energy companies in the world. Supplies electricity to approximately 3.4 million customers in the northeastern US Delivers e gas to almost 11 million homes and businesses in the US and UK. High voltage transmission owner and operator in England and Wales US Electric Territory US Gas Territory UK Gas Territory 2

3 Sample Company s Investment in Wintel Operating System Count Microsoft Windows 2000 Advanced Server 12 Microsoft Windows 2000 Professional 1 Microsoft Windows 2000 Server 125 Microsoft Windows Server 2008 R2 Enterprise 32 Microsoft Windows Server 2008 R2 Standard 53 Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition 37 Microsoft(R) Windows(R) Server 2003 Standard x64 Edition 28 Microsoft(R) Windows(R) Server 2003, Enterprise Edition 84 Microsoft(R) Windows(R) Server 2003, Standard Edition 1,190 Microsoft Windows Server 2008 Enterprise 2 Microsoft Windows Server 2008 Standard 30 1,594 Total Windows Clients (desktops and laptops) ~ 35,000 3

4 Sample of SQL Applications Electric SCADA System Gas SCADA system Field Force Automation System Graphical Information System Outage Management System Gas and Electric Revenue Transfers 4

5 Goals of the Session Learn to adapt the user and schema design to maximize SQL server reliability and to ensure that your enterprise is able to maximize delivered analytics Identify the audit and security review objectives right for your enterprise Discover what htaudit services are required dto dt determine underlying design and implementation to ensure reliability 5

6 Common Database Types 101 I. Hierarchical Model The hierarchical data model organizes data in a tree structure. There is a hierarchy of parent and child data segments (i.e. IMS). II. Relational Model In such a database the data and relations between them are organized in tables. A table is a collection of records and each record in a table contains the same fields (i.e. DB2; SQL Server). III. Relational Object Model relational model which integrates management oftraditional fielded data, complex objectssuchastime seriessuch time series and geospatial data and diverse binary media such as audio, video, images, and applets (i.e. Oracle). IV. Object Oriented one to one mapping of object programming language objects to database objects (i.e. C++; Java; Smalltalk) 6

7 SQL Schemas A database schema is a way to logically group objects such as tables, views, stored procedures etc. You can assign a user login permissions to a single schema so that the user can only access the objects they are authorized to access. Inversions prior to SQL Server 2005, schemas were equivalent to individual data base users. Starting with SQL Server 2005, schemas are collections of data base objects that are independent of individual users and can be owned by multiple users. This change makes the data base administration function more manageable and flexible an advantage over other data base types. 7

8 According to the Privacy Rights Clearinghouse, from February 2005 to April 2012: Over 596,357,000 data records have been breached! Over 3,000 breaches have been publicly reported! 8

9 The Cost of Data Breaches According to a study conducted by Symantic and the Ponemon Institute In 2011 theaverage cost of a data breach was US $5.5 million 9

10 Significant Data Breaches 2011 Nemours Assets Stolen/Affected: Names, addresses, dates of birth, Social Security numbers, insurance data, medical treatment data, and bank account information for 1.6 million patients, vendors, and employees. Tricare/SAIC Assets Stolen/Affected: Protected health information from 5.1 million patientsofu U.S. military hospitals andclinics clinics. SK Communications Assets Stolen/Affected: t Thirty five million names, addresses, phone numbers, and resident registration numbers of social media users at South Korean sites Cyworld and Nate. 10

11 Significant Data Breaches 2011 (cont) Valve, Inc. Assets Stolen/Affected: Personally identifiable information for 35 million users of Valve's online gaming gsite. RSA Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens. Sutter Physicians Services and Sutter Medical Foundation Assets Stolen/Affected: Personally identifiable information of 3.3 million patients supported by Sutter Physicians Services and medical information of another 934,000 Sutter Medical Foundation patients. SONY Corporation Assets Stolen/Affected: Names, addresses and credit card information from over 77 million user accounts from its online gaming network. In addition, SQL injection attacks exposed data on SONY Music Japan and SONY Music Greece. 11

12 Discussion of Top Threats Break out into groups Brainstorm/Discussion Chart it Share and Compare 12

13 Top 10 Database Threats (BSC s List) 1. Excessive privileges Users (or applications) are granted database privileges that exceed the requirements oftheirjobfunction function 2. Privilege abuse Users may abuse legitimate data access privileges for unauthorized purposes. 3. Unauthorized privilege elevation Attackers may take advantage of vulnerabilities in database management software to convert low level access privileges to highlevel access privileges. 4. Platform vulnerabilities i Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. 13

14 Top 10 Database Threats (cont) 5. SQL injection SQL injection attacks involve a user who takes advantage of vulnerabilities in front end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. 6. Weak audit Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery. 7. Denial of service Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. 14

15 Top 10 Database Threats (cont) 8. Database protocol vulnerabilities Vulnerabilities bl in database protocols may allow unauthorized ddata access, corruption or availability. 9. Weak authentication ti ti Weak authentication schemes allow attackers to assume the identity of legitimate database users. 10. Exposure of backup data Some recent high profile attacks have involved theft of database backup tapes and hard disks. 15

16 SQL Injection Example 16

17 Where to Begin? Auditing using a Consolidated Control Approach 1. Define a consolidated control universe that maps to your companies policies, standards and regulatory requirements 2. Identify the controls appropriate for your auditing scope 3. Build a detailed audit plan using the identified controls as a guideline 17

18 Define the Control Universe Ngrid IS Consolidated Control Set May-2011 The IS Consolidated Control Set is an culmunation of internal policies, standards, external authoritative sources, governing bodies for best practice and required IS controls for Nationalgrid compliance. IS Control Category Number of Controls 1 ACCESS CONTROL 19 2 ASSET MANAGEMENT (LOGICAL AND PHYSICAL) 9 3 SECURITY AWARENESS 7 4 BUSINESS CONTINUITY AND DISASTER RECOVERY 7 5 CHANGE MANAGEMENT 9 6 COMPLIANCE 8 7 DEVELOPMENT (ACQUISITION, DEVELOPMENT, CHANGE) 17 8 HUMAN RESOURCE MANAGEMENT 5 9 EVENTS (INCIDENT, PROBLEM, SUPPORT) 6 10 LOGGING AND MONITORING 7 11 OPERATIONS MANAGEMENT PHYSICAL SECURITY POLICY 5 14 PRIVACY 8 15 RISK MANAGEMENT 3 16 SYSTEMS AND DATA PROTECTION THIRD PARTY MANAGEMENT 10 Total

19 Indentify the Controls to be Audited Control Num Short Description Control Description ACCESS CONTROL ACS-001 Access Management Program An access management program is established and is periodically reviewed and approved. ACS-002 "Need to Know" Access Access to information and systems is granted based on a "need to know" basis. ACS-003 Segregation of Duties Incompatible access rights are properly segregated or are mitigated and monitored. ACS-004 User Authentication An approved unique username and password or authentication item (i.e., token, securid, certificates, public key, biometrics etc.) is required before access is granted. ACS-005 User Access - New An established and documented process for authorizing new users is in place. ACS-006 Privileged User Access - New Number of users with privileged access rights (i.e., systems administrators, super users, database administrators) is limited. ACS-007 Privileged Account Use Privileged accounts are not used for regular user activities ACS-008 User Access Review User access, included privileged access, is reviewed on a periodic basis to ensure access is commensurate with job responsibilities. Inappropriate access is promptly removed. ACS-009 Password Encryption Passwords stores and transmissions are encrypted. ACS-010 Access Configuration Settings Systems are configured to require the following: (1) use of complex passwords (i.e., minimum length; alpha, numeric, and/or special characters) (2) password change on a regular basis (3) previous password cannot be reused (4) system lockout ou after a predetermined e number of unsuccessful u logon attempts Application Security Database Security Platform Security Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Network Security 19

20 Build the Detail Audit Plan Control Number Short Description Control Description ACCESS CONTROL ACS-001 Access Management Program An access management program is established and is periodically reviewed and approved. Documentation Requirement 1. Copy of organization's Access Management Policy ACS-002 "Need to Know" Access Access to information and systems is granted based on a "need to know" basis. 1. Copy of the Database Access Management standards/procedures 2. System generated access listing from the database servers with the query/screen used to generate it. The listing should list username, id, access/security group, date access provided and last login date. ACS-004 User Authentication An approved unique username and password or authentication item (i.e., token, secured, certificates, public key, biometrics etc.) is required before access is granted. 1. Screen Shot of Login Screen 2. Screen shot of error message encountered for failed login attempt. 3.Screen Shot/ Script of Configuration setting for user access management. ACS-005 User Access - New An established and documented process for authorizing new 1. Policies/procedures related to providing access to new user. users is in place. 2. List of new employees/contractor/third Party that started during the audit period. This list should include employee name, employee number, start date, job title, department, and manager's name 3. Current roles/access table 4. For selected sample copy of the New User Request form 5. For selected sample screen print of the actual user access that has been configured or setup for the individuals. ACS-006 Privileged User Access - New Number of users with privileged access rights (i.e., systems administrators, super users, database administrators) is limited. 1. Standard/Procedure for providing privileged access. 2. System generated list of all active IDs and the query/screen used to generate it. The listing should have username, id, access/security group, date access provided and last login date. 3. System generated list of all administrators accounts in production environment (Operating system, Database) and the query/screen used to generate it. The listing should ldhave username, id, access/security group, date access provided dand dlast tlogin date. 20

21 Suggested Audit Tests Access Provisioning of new Id s Does access to the data base/application require a unique Id and password? Have all default Id s/passwords (i.e. guest user) been turned off in the databases and applications? Are generic or shared Id s/passwords protected and how (manual al procedure)? re)? Is access granted only after documented approval? Is access granted commensurate with the request (SQL injection use of least privileges)? Emergency access Requests Is there a background check performed for users who have direct access to strictly confidential data and/or cyber assets (i.e. servers; data bases)? 21

22 Suggested Audit Tests Access Password configuration are strong passwords being utilized? 22

23 Suggested Audit Tests Access Privileged Access Reviews (Environment) Are periodic reviews of Domain Admin groups performed to determine if the members of the group are limited and legitimate? Are periodic reviews of Server Admin groups performed to determine if the members of the group are limited and legitimate? Is there periodic sampling of critical servers to see which groups/id s have local admin rights on the servers? 23

24 Snap Shot of Local Administrators for a SQL data base server 24

25 Suggested Audit Tests Access Privileged Access Are there periodic reviews of users and groups with sysadmin rights at the application level? In the following example: sa standard SQL Server system admin id managed by DBA s op is the SQL Server standard login id that is used to execute jobs NMPC\Group 1 contain all of the DBA's network id's NMPC\Group 2 contain all of the DBA's admin network id's sqlbackup is the SQL Server standard login that is used to execute the backup/recover jobs through Tivoli TDP NMPC\Account 1 is the domain account that is used to run SQL Server service NMPC\Account 2 is the cluster name that is used to run SQL Server service 25

26 26

27 Suggested Audit Tests Access Terminates and Transfers Are the DBA and application administrators notified in a timely manner when employees and contractors terminate or transfer? Does a sample of terminated and transferred employees and contractors verify that data base access is being removed in a timely manner when no longer needed? 27

28 Suggested Audit Tests Change Management Is there a classification system in place to identify critical applications and data? Are all changes to databases and applications approved before being migrated to production? Is access to production (data bases, executables, source libraries) adequately protected? Are migration tools adequately protected and does segregation of duties exist between the developers, migrators and DBA s? Are direct updates to data approved prior to being made? 28

29 Suggested Audit Tests Patch Management Is there a process in place to apply security patches in a timely manner? Does a sample of servers reveal that they are patched with the latest service pack and patch level? Does a sample of client workstation laptops indicate that they contain the latest service pack and patches? 29

30 Patch Management Process 30

31 Suggested Audit Tests Configuration Management Is there a baseline security configuration document for server builds? Do all active ports and services match those approved in the baseline document and are they supported according to the documented and approved use (NetIQ)? Has a recent vulnerability study has been performed to identify security exposures (Foundstone, Nessus)? If there were exposures identified in the latest vulnerability study, have they been mitigated? 31

32 Check Sever Configuration using NetIQ 32

33 Check Client Security Status using Microsoft Baseline Security Analyzer (MBSA) 33

34 Perform Vulnerability Assessment using Foundstone Enterprise 34

35 Suggested Audit Tests Logging and Monitoring i Are critical SQL data bases protected in a secured electric security perimeter (ESP)? Is activity logging turned on for all critical cyber assets? Are privileged accounts monitored? Is there a regular review of the activity logs? Is there on going performance monitoring of the data bases to ensure reliability? Is there a defined incident management program and escalation procedure to handle breaches? 35

36 Monitoring Activity Logs using Counterpane 36

37 Monitoring Privileged Accounts using Guardium 37

38 Performance Monitoring Using Spotlight Enterprise 38

39 Suggested Audit Tests Backups Are back ups of critical SQL data bases being performed on a regular basis? Has a recent restore test been performed? If physical tapes are being cut are they cataloged/handled properly and being stored at a secured site? Is logical access to back up data protected? If virtual tapes are being utilized are there enough copies being retained to meet business and regulatory requirements? 39

40 Suggested Audit Tests Physical Security Are critical data base servers secured in a six walled physical security perimeter (PSP)? Is unescorted access to the PSP reviewed on a regular basis? Are visitor logs utilized (and saved) to document escorted access? If managed by a third party are the data base servers, etc. segregated and protected from access by individuals not working on your account? 40

41 In Sum What the Audit Should Ensure Limited access least privileges Production changes are appropriately approved Timely security patching Regular monitoring of activity logs and performance indicators Configuration vulnerabilities are limited Viable back up and recovery strategy Strong physical security around infrastructure and media 41

42 Questions 42

43 Collaborate Contribute Connect The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!

Security and Control Issues within Relational Databases

Security and Control Issues within Relational Databases Security and Control Issues within Relational Databases David C. Ogbolumani, CISA, CISSP, CIA, CISM Practice Manager Information Security Preview of Key Points The Database Environment Top Database Threats

More information

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com Database Auditing: Best Practices Rob Barnes, CISA Director of Security, Risk and Compliance Operations rbarnes@appsecinc.com Verizon 2009 Data Breach Investigations Report: 285 million records were compromised

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Database Security & Auditing

Database Security & Auditing Database Security & Auditing Jeff Paddock Manager, Enterprise Solutions September 17, 2009 1 Verizon 2009 Data Breach Investigations Report: 285 million records were compromised in 2008 2 Agenda The Threat

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

QuickBooks Online: Security & Infrastructure

QuickBooks Online: Security & Infrastructure QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Security Whitepaper: ivvy Products

Security Whitepaper: ivvy Products Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

CYBER SECURITY POLICY For Managers of Drinking Water Systems

CYBER SECURITY POLICY For Managers of Drinking Water Systems CYBER SECURITY POLICY For Managers of Drinking Water Systems Excerpt from Cyber Security Assessment and Recommended Approach, Final Report STATE OF DELAWARE DRINKING WATER SYSTEMS February 206 Kash Srinivasan

More information

MySQL Security: Best Practices

MySQL Security: Best Practices MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

CrossBow NERC CIP Compliance Matrix

CrossBow NERC CIP Compliance Matrix Section Requirement CIP-002-1 Cyber Security Critical Cyber Asset Identification R3, M3 the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the

More information

Top 10 Database. Misconfigurations. mtrinidad@appsecinc.com

Top 10 Database. Misconfigurations. mtrinidad@appsecinc.com Top 10 Database Vulnerabilities and Misconfigurations Mark Trinidad mtrinidad@appsecinc.com Some Newsworthy Breaches From 2011 2 In 2012.. Hackers carry 2011 momentum in 2012 Data theft, hacktivism, espionage

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions

InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage.

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

Hacking Database for Owning your Data

Hacking Database for Owning your Data Hacking Database for Owning your Data 1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money

More information

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional

More information

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

General DBA Best Practices

General DBA Best Practices General DBA Best Practices An Accelerated Technology Laboratories, Inc. White Paper 496 Holly Grove School Road West End, NC 27376 1 (800) 565-LIMS (5467) / 1 (910) 673-8165 1 (910) 673-8166 (FAX) E-mail:

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

SECURITY DOCUMENT. BetterTranslationTechnology

SECURITY DOCUMENT. BetterTranslationTechnology SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of

More information

Database security issues PETRA BILIĆ ALEXANDER SPARBER

Database security issues PETRA BILIĆ ALEXANDER SPARBER Database security issues PETRA BILIĆ ALEXANDER SPARBER Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information

More information

Sample Data Security Policies

Sample Data Security Policies This document provides three example data security policies that cover key areas of concern. They should not be considered an exhaustive list but rather each organization should identify any additional

More information

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a

More information

GiftWrap 4.0 Security FAQ

GiftWrap 4.0 Security FAQ GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

INFORMATION SECURITY FOR YOUR AGENCY

INFORMATION SECURITY FOR YOUR AGENCY INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection

More information

Fortinet Solutions for Compliance Requirements

Fortinet Solutions for Compliance Requirements s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

SNAP WEBHOST SECURITY POLICY

SNAP WEBHOST SECURITY POLICY SNAP WEBHOST SECURITY POLICY Should you require any technical support for the Snap survey software or any assistance with software licenses, training and Snap research services please contact us at one

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc.

Database Security and Auditing: Leading Practices. Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc. Database Security and Auditing: Leading Practices Rob Barnes Director, Enterprise Auditing Solutions Application Security, Inc. Getting to Know Database Threats and Vulnerabilities Key Objectives Understand

More information

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process. CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Date: Completed By: Name: Department: Position: Phone: Email Address: Section 1: Security Education and Awareness

More information

Physical Protection Policy Sample (Required Written Policy)

Physical Protection Policy Sample (Required Written Policy) Physical Protection Policy Sample (Required Written Policy) 1.0 Purpose: The purpose of this policy is to provide guidance for agency personnel, support personnel, and private contractors/vendors for the

More information

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Database Security Guideline Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Table of Contents Chapter 1 Introduction... 4 1.1 Objective... 4 1.2 Prerequisites of this Guideline...

More information

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE R1 Provide Risk Based Assessment Methodology (RBAM) R1.1 Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are riskbased R1.2 Provide evidence

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Policy Title: HIPAA Security Awareness and Training

Policy Title: HIPAA Security Awareness and Training Policy Title: HIPAA Security Awareness and Training Number: TD-QMP-7011 Subject: HIPAA Security Awareness and Training Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy:

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Security Standard: Servers, Server-based Applications and Databases

Security Standard: Servers, Server-based Applications and Databases Security Standard: Servers, Server-based Applications and Databases Scope This standard applies to all servers (including production, training, test, and development servers) and the operating system,

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Mitigating Risks and Monitoring Activity for Database Security

Mitigating Risks and Monitoring Activity for Database Security The Essentials Series: Role of Database Activity Monitoring in Database Security Mitigating Risks and Monitoring Activity for Database Security sponsored by by Dan Sullivan Mi tigating Risks and Monitoring

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

SANS Institute First Five Quick Wins

SANS Institute First Five Quick Wins #1 QUICK WIN- APPLICATION WHITELISTING SANS Critical Controls: #2: Inventory of Authorized and Unauthorized Software 1) Deploy application whitelisting technology that allows systems to run software only

More information

1 Introduction 2. 2 Document Disclaimer 2

1 Introduction 2. 2 Document Disclaimer 2 Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Installation Instruction STATISTICA Enterprise Small Business

Installation Instruction STATISTICA Enterprise Small Business Installation Instruction STATISTICA Enterprise Small Business Notes: ❶ The installation of STATISTICA Enterprise Small Business entails two parts: a) a server installation, and b) workstation installations

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

8070.S000 Application Security

8070.S000 Application Security 8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx

More information

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS Notes 1. The installation of STATISTICA Enterprise Small Business entails two parts: a) a server installation, and b)

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

University of Northern Colorado. Data Security Policy for Research Projects

University of Northern Colorado. Data Security Policy for Research Projects University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

Automating Compliance Reporting for PCI Data Security Standard version 1.1

Automating Compliance Reporting for PCI Data Security Standard version 1.1 PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013 Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory

More information

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0 Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak DR V2.0 Version 1.0 Eastman Kodak Company, Health Imaging Group Page 1 Table of Contents Table of Contents

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information