FISMA NIST (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards

Standard | Requirement per NIST (Rev. 4) | CloudCheckr Action

AU-3 / AU-3(1)

AU-3 CONTENT OF AUDIT RECORDS

Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.

CloudCheckr Action: Change Monitoring integrates CloudTrail to track changes on a daily, weekly, and monthly basis:

EC2: Security Groups, Security Group Rules, Key Pairs, AMIs, Spot Instances, Reserved Instance, Instances, Volumes, Snapshots, Placement Groups, Elastic Load Balancers (including attaching or detaching instances to them), Network Interfaces, Elastic IPs

IAM: Account Aliases, Account Summaries, Access Keys, MFA Devices, Policies, Password Policies, Groups, Users

S3: Bucket Logging, Logging Target Bucket, Bucket Logging Prefix, Bucket Website Enabled, Bucket Website Index Document, Bucket Website Error Document, Bucket Notifications Enabled, Public Buckets, Bucket Notifications, Bucket Lifecycle Rules, Bucket Permissions
ElastiCache: ElastiCache Clusters, Cache Nodes, Security Groups, Parameter Groups, Reserved Nodes

Control Enhancements:

(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION

Supplemental Guidance: Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.

AU-4 / AU-4(1)

AU-4 AUDIT STORAGE CAPACITY

CloudCheckr Action: Historical records and environment changes are stored for the life of service.
Control: The organization allocates audit record storage capacity.

Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.

Control Enhancements:

(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE

Supplemental Guidance: Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.

CloudCheckr Action: All records of service usage are available through Trending Analysis reporting. All records of deployment changes are available through Change Monitoring and CloudTrail. CloudCheckr storage retains sufficient capacity to maintain the integrity of the records. SLA guarantees confidentiality of records.

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

CloudCheckr Action: Automated audit collection features with failure alerts. Automated notifications for failures to correctly process collection procedures. Ability to automatically recollect and reprocess information if failure occurs.

Control: The information system:
a. Alerts in the event of an audit processing failure; and
b. Takes the following additional actions: [organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.

AU-6 / AU-6(1)(3)

AUDIT REVIEW, ANALYSIS, AND REPORTING

CloudCheckr Action: Information is available on a regular and as-requested basis. Delivery can be pre-set and automated. Account and information access controls are available. All reporting is fully automated.

Control: The organization:
a. Reviews and analyzes information system audit records with organization-defined frequency for indications of organization-defined inappropriate or unusual activity; and
b. Reports findings to organization-defined personnel or roles.
Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7.

Control Enhancements:

(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7.

(3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Supplemental Guidance: Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness. Related controls: AU-12, IR-4.

AU-7 / AU-7(1)

AUDIT REDUCTION AND REPORT GENERATION

CloudCheckr Action: User-defined detailed and summary reporting. Reporting across multiple cloud resource groups available on service and granular levels. Filtering, sorting, and export capabilities. Automated controls are available. Reporting is fully customizable.

Control: The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
Supplemental Guidance: Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6.

Control Enhancements:

(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING

The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.

Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork)

CloudCheckr Action: Audit records contain unalterable information, time stamp, and sequencing.
AU-8 / AU-8(1)

TIME STAMPS

CloudCheckr Action: All reports are time stamped to UTC. Single internal clock used for logging changes. Reporting is also customizable to local time zones.

Control: The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

Supplemental Guidance: Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12.

Control Enhancements:

(1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

Supplemental Guidance: This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

AU-9 / AU-9(4)

PROTECTION OF AUDIT INFORMATION

CloudCheckr Action: All reporting is securely stored. Users do not have the ability to modify, alter, or delete data. Individual permissioning and access control is available.

Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6.

Control Enhancements:
(4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS

The organization authorizes access to management of audit functionality to only organization-defined subset of privileged users.

Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5.

AU-11 AUDIT RECORD RETENTION

CloudCheckr Action: Automated report retention for life of service is standard.

Control: The organization retains audit records for organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6.

AU-12 AUDIT GENERATION

CloudCheckr Action: Provides complete monitoring and reporting of the infrastructure layer and its associated changes. Automated Change Monitoring and CloudTrail alerts provide notice and records of all auditable events.

Control: The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components;
b. Allows organization-defined personnel to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Special Publication Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations
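AU-12 c. ties every generated record to the content defined in AU-3, and AU-8 b. requires time stamps that map to UTC. The following is an added example, not CloudCheckr or NIST code: it checks CloudTrail-style records for the AU-3 elements and selects events of interest by field value as in AU-7(1), returning the original records in their original order. The mapping of AU-3 elements to CloudTrail record fields and the sample records are this example's own assumptions.

```python
from datetime import datetime, timezone

# AU-3 element -> CloudTrail record fields that establish it (all must be present).
# This mapping is an assumption of the example, not text from NIST or CloudCheckr.
AU3_ELEMENTS = {
    "what": ("eventName",),
    "when": ("eventTime",),
    "where": ("eventSource", "awsRegion"),
    "source": ("sourceIPAddress",),
    "identity": ("userIdentity",),
}


def parse_utc(value):
    """Return an aware UTC datetime, or None if the stamp cannot be mapped to UTC (AU-8 b.)."""
    try:
        naive = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None
    return naive.replace(tzinfo=timezone.utc)


def outcome(record):
    """AU-3 outcome. Assumption of this example: a record without errorCode succeeded."""
    return "failure" if record.get("errorCode") else "success"


def au3_gaps(record):
    """List the AU-3 elements this record fails to establish."""
    gaps = [name for name, fields in AU3_ELEMENTS.items()
            if any(not record.get(field) for field in fields)]
    # A time stamp that is present but has no UTC designator still fails AU-8 b.
    if "when" not in gaps and parse_utc(record["eventTime"]) is None:
        gaps.append("when (not UTC-mappable)")
    return gaps


def events_of_interest(records, **criteria):
    """AU-7(1): select records by audit-field values.

    Returns the original record objects, unmodified and in input order (AU-7 b.).
    """
    return [r for r in records
            if all(r.get(key) == want for key, want in criteria.items())]


def report(records):
    """One summary row per record; the input records are not modified."""
    return [{"event": r.get("eventName"), "outcome": outcome(r), "gaps": au3_gaps(r)}
            for r in records]


# Constructed sample records (documentation-range IPs, made-up users).
SAMPLE_RECORDS = [
    {"eventTime": "2015-04-03T10:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-04-03T10:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
    # Deliberately deficient: local time without a zone, and no userIdentity.
    {"eventTime": "2015-04-03 06:17:11", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for row in report(SAMPLE_RECORDS):
        print(row)
    for hit in events_of_interest(SAMPLE_RECORDS, sourceIPAddress="192.0.2.10"):
        print("event of interest:", hit["eventName"], hit["eventTime"])
```

A record that reports gaps here is one an assessor could not use to answer the AU-3 questions for that event, so it is worth alerting on at collection time rather than discovering during an investigation.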