as4 SOX Compliance at AEB Gesellschaft zur Entwicklung von Branchen-Software mbh
|
|
- Samson Mills
- 8 years ago
- Views:
Transcription
1 as4 SOX Compliance at AEB Gesellschaft zur Entwicklung von Branchen-Software mbh January, 2014
2
3 1 Basic Information The requirements for service providers, especially those outlined in Section 404 of the Sarbanes- Oxley Act (SOX), oblige companies that are subject to SOX to include outsourced compliancerelevant tasks in their internal controls. These controls can be simplified by commissioning an SAS 70 report (certification) on the outsourced services. To comply with SOX requirements, this must be an SAS 70 type 2 report. 1 In this report, the service provider describes its own internal control system (data privacy, data security, access security, data integrity, etc.). This control system must be sophisticated enough to achieve the stated objectives. And it must be fully implemented. 2 The relevance is then certified by an external auditor. 3 This document fills that role by describing all the control systems of the AEB GmbH computer center services, including examples with applicable documents. The measures can be of technical or organizational type. They must be (proved) state-of-the-art and also cover the human factor. 1 Summarized from: Institute of Information Systems of the University of Bern, Switzerland, work report no. 190: Compliance Verification in IT Outsourcing, Gerhard F. Knolmayer, August Available online (in German) at 2 Summarized from: Institute of Public Auditors in Germany (IDW): IDW auditing standard: Auditing with partial outsourcing of accounting to service organizations (IDW AuS 331). In: Die Wirtschaftsprüfung 56 (2003) 18, pp American Institute of Certified Public Accountants: AICPA Audit Guide. Service Organizations: Applying SAS No. 70, as Amended. With Conforming Changes as of May 1, AICPA, New York Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 1
4 2 Description of IT General Controls 2.1 Application Process Control» Ensures that applications are correctly implemented and process data correctly. Both the services and the associated technologies and processes are tested by the ATLAS coordinating office (KoSt) at the Karlsruhe Regional Finance Office and certified only if all requirements are mapped. The testing and certification logs are also available from the ATLAS coordinating office. 2.2 Organizational Control Data Privacy The company s Data Protection Officer tests and controls compliance with the provisions of the German Federal Data Protection Act (BDSG). Some of the following organizational and security controls are required in 9 BDSG. System Management assigns access rights. IT/Organization carries out regular random checks of access rights and a complete check each quarter with the authority to object to or veto a particular access right. Legal approves and initials contracts and provides guidance for the company s Data Privacy Officer and IT/Organization Input Control» Ensures that it is possible to subsequently check and determine whether and by whom personal data was entered into data processing systems, modified or deleted. All systems that process personal data keep a log of all data entry, modifications and deletions. Personalized user accounts in applications Order Control» Ensures that personal data from orders can only be processed according to the client s instructions. The customer handles user and rights administration at the user level. Contracts (f.e. concerning outsourced data processing) define the obligations of both parties Only the database administrators from System Management have access to this data, working according to defined purposes. 2 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act
5 2.2.4 Separation Control» Ensures that data collected for different purposes can be processed separately. Separation of: Employee data Customer contact data Customer test data (project work, customer developments) Remote maintenance access data Customer data in the AEB computer center System level: Customer data in the computer center is administered in strict separation and in separate systems (databases, etc.) from customer data in the P.M. Belz Group. Different applications: Customer data and employee data are processed using separate applications. Rights within the application Customer contact data is strictly separated from remote maintenance access data. 2.3 Security Control From a high-level-view operation of ISMS (Information Security Management System in context with ISO 27001) ensures IT-security management in a continuous PDCA-life-cycle as a process. This process based on assets includes protection needs analysis and detailed risk management (estimation, evaluation, treatment). Most important security criterions: Availability Confidentiality Integrity ISMS itself includes regularly internal and external audits and management reviews. A further level is ensuring high security awareness for staff by adequate comprehensive package of measures (f.e. training). For an overview to Information Security please see also our Information Security Guideline in Physical Access Control» Blocks unauthorized parties from physical access to data processing systems that process and use personal data. Security patrol service Control of identity (reception desk, registration of guests, security awareness measures) Servers and remote maintenance routers are protected by controlled access (coded locks) to the server room. Remote maintenance systems are secured as follows: Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 3
6 Access to remote maintenance data is restricted to authorized persons. Customer remote maintenance computers are in a separate area protected by controlled access (coded locks). Workstation computers are secured as follows: Users must log on through a centrally controlled identity management system. Employees are required to lock their computers. Computers are automatically locked after 15 minutes of idle time Electronic Access Control» Ensures that those authorized to use a data processing system can only access the data for which they are authorized and that personal data is not subject to unauthorized viewing, copying, modification or deletion when it is processed or used or after it is stored. Central rights management separates system access from application access. Users can not change their own rights. Users can not request a change without approval by their supervisor. External access is restricted to VPN- or SSH-secured connections. Regularly Security checks of external access are carried out by appropriately specialized companies. Change management of user rights in accordance with changing roles (f.e. at movements within the company) Transmission Control» Ensures that personal data can not be viewed, copied, modified or deleted without authorization while it is electronically transmitted, transported or saved on storage media and that it is possible to monitor and determine the intended destinations of personal data transferred using data transmission equipment. The enterprise-wide data security policy prohibits all transmission of unencrypted data. All upload/download connections via Internet are secured through either SSL, SSH or VPN. All branch offices or mobile systems rely exclusively on VPN- or SSH-secured connections controlled by AEB. No personal data is stored locally; all data is stored centrally in Stuttgart/Germany. External connections are possible only through approved applications. External connections are possible only through approved services. All remote data transfer connections are logged wherever technically possible. Managed process for disposing of waste with confidential data in accordance with legal requirements Availability Control» Ensures that personal data is protected against random destruction or loss. Redundant systems 4 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act
7 Database: clusters Fileserver: clusters File server: SAN systems Uninterruptible power supply, back-up generator (diesel units) Fire alarm or extinguishing systems (with argon pressure) Water detection system Connection to 24/7 security agency Tape protection Daily tape backups Data storage in separate fire containment section Additionally regularly data backups based on Database tools Sophisticated system for monitoring and alerting as part of business continuity management (principle of early detection) System for incident and problem management for external and internal use Providing emergency process Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act 5
8 3 Description of Application Controls 3.1 Quality Assurance by QM Team Quality is a top priority throughout AEB and is assigned a special status. A QM team is responsible for assuring quality in applications and processes. The QM team based on continuous PDCAlifecycle defines, optimizes and tests the processes of not only application development but maintenance and service. To manage and enforce these common tools like guides, various templates and checklists are used. Main aim is working service- and process-oriented and establishing of cross-product standards. The application testing includes both functional and usability tests. Each update is subject to multiple testing and approval phases. Constant monitoring and implementation ensures that the latest technical requirements are met. Maintenance and service is evaluated and optimized in close cooperation with customers. 3.2 Quality Assurance by Defined Processes All new development steps and application maintenance proceed according to defined processes (principle of transparency). All application development and maintenance tasks are executed as projects with a defined project workflow and a defined process using sample projects, a controlled sophisticated role concept and providing several steps of acceptances needed. In critical steps 4- eyes-principle is mandatory used. Where necessary compliance security checks are intregrated. 3.3 Quality Assurance by External Auditors Applications are tested and certified by external auditors. This testing and certification is based in part on IDW auditing standards and position papers such as IDW AuS 330 ( Auditing for the Use of Information Technology ) or IDS RS FAIT 1 ( Principles of Proper Accounting for the Use of Information Technology ). 6 Compliance with the requirements for service providers in Section 404 of the Sarbanes-Oxley Act
Business Continuity Policy
Business Continuity Policy Software, consultancy and services for global trade and supply chain management Business Continuity Policy Companies using AEB solutions for managing and monitoring their logistics
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationSystem Security Plan University of Texas Health Science Center School of Public Health
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
More informationMemeo C1 Secure File Transfer and Compliance
Overview and analysis of Memeo C1 and SSAE16 & SOX Compliance Requirements Memeo C1 Secure File Transfer and Compliance Comply360, Inc Contents Executive Summary... 2 Overview... 2 Scope of Evaluation...
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationInternal Control Guide & Resources
Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More information<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129
Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationGeneral Computer Controls
1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationSMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales
SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,
More informationSNAP WEBHOST SECURITY POLICY
SNAP WEBHOST SECURITY POLICY Should you require any technical support for the Snap survey software or any assistance with software licenses, training and Snap research services please contact us at one
More informationSAS 70 Exams Of EBT Controls And Processors
Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationHosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2014 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationHIPAA Security Matrix
HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationOnline Lead Generation: Data Security Best Practices
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationBrainloop Cloud Security
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More information787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com
Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements
More informationOIT OPERATIONAL PROCEDURE
OIT OPERATIONAL PROCEDURE Title: DATA CLASSIFICATION GUIDELINES Identification: OIT 1 Page: 1 of 5 Effective Date: 3/31/2014 Signature/Approval: Guidelines and Handling Procedure (9 10 ) specifies that
More informationBirst Security and Reliability
Birst Security and Reliability Birst is Dedicated to Safeguarding Your Information 2 Birst is Dedicated to Safeguarding Your Information To protect the privacy of its customers and the safety of their
More informationDDV Declaration (VE 12/2009) Commissioned Data Processing and Data Treatment
DDV Declaration (VE 12/2009) Commissioned Data Processing and Data Treatment Service provider: (in the following Service Provider ) Street, number: Country: ZIP code, city: E-mail address: Website: www...
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationSAS 70 Type II Audits
Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls
More informationHIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations
HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationLeonardo Hotels Group Page 1
Privacy Policy The Leonardo Hotels Group, represented by Sunflower Management GmbH & Co.KG, respects the right to privacy of every individual who access and navigate our website. Leonardo Hotels takes
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationMCR Checklist for Automated Information Systems (Major Applications and General Support Systems)
MCR Checklist for Automated Information Systems (Major Applications and General Support Systems) Name of GSS or MA being reviewed: Region/Office of GSS or MA being reviewed: System Owner: System Manager:
More informationBest Practices For Department Server and Enterprise System Checklist
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
More informationService Asset & Configuration Management PinkVERIFY
-11-G-001 General Criteria Does the tool use ITIL 2011 Edition process terms and align to ITIL 2011 Edition workflows and process integrations? -11-G-002 Does the tool have security controls in place to
More informationSystem Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012
System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123
More informationSecurity Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant
Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationWhite Paper. BD Assurity Linc Software Security. Overview
Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationThe Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation
The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation Copyright, AlgoSec Inc. All rights reserved The Need to Ensure Continuous Compliance Regulations
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationPerformance Characteristics of Data Security. Fabasoft Cloud
Performance Characteristics of Data Security Valid from October 13 th, 2014 Copyright GmbH, A-4020 Linz, 2014. All rights reserved. All hardware and software names used are registered trade names and/or
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationLauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.
Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationWhite Paper How Noah Mobile uses Microsoft Azure Core Services
NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah
More informationCHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS
11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78
More informationINFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationVendor Audit Questionnaire
Vendor Audit Questionnaire The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be
More informationStorage Guardian Remote Backup Restore and Archive Services
Storage Guardian Remote Backup Restore and Archive Services Storage Guardian is the unique alternative to traditional backup methods, replacing conventional tapebased backup systems with a fully automated,
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationDokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11
Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationINFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationSmall Business IT Risk Assessment
Small Business IT Risk Assessment Company name: Completed by: Date: Where Do I Begin? A risk assessment is an important step in protecting your customers, employees, and your business, and well as complying
More informationMAXIMUM DATA SECURITY with ideals TM Virtual Data Room
MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationGiftWrap 4.0 Security FAQ
GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels
More informationWe Believe in Security with a Capital S
Security Consulting by arvato Systems We Believe in Security with a Capital S The number of attacks on IT systems has increased dramatically in recent years, with the style and approach of such attacks
More informationWhitepaper: 7 Steps to Developing a Cloud Security Plan
Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for
More informationCyber Self Assessment
Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationHMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE
HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE This plan describes the standards for the security of all data contained in the Philadelphia Continuum of Care Homeless Management Information System
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationMUSC Information Security Policy Compliance Checklist for System Owners Instructions
Instructions This checklist can be used to identify gaps in compliance with MUSC's information security policies and standards, which are published on the Web at http://www.musc.edu/security. Each of the
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationVendor Risk Assessment Questionnaire
Vendor Risk Assessment Questionnaire VENDOR INFORMATION: Vendor Name: Vendor Address: Vendor Contact Name: Vendor Contact Phone No: Vendor Contact Email: DATA SENSITIVITY What is the nature of data that
More informationHosting. Simply Different. www.iso-gruppe.com
Hosting. Simply Different. www.iso-gruppe.com Hosting. ISO Professional Services offers more All the SAP expertise of the ISO Group is focused in ISO Professional Services, which is among the firmly established
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationISO 27001 COMPLIANCE WITH OBSERVEIT
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationUNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1
UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and timeconsuming travel,
More informationIBM Connections Cloud Security
IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationPRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES
PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More information1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
More information