PROTECTING SYSTEMS AND DATA PASSWORD ADVICE
|
|
- Domenic Fox
- 8 years ago
- Views:
Transcription
1 PROTECTING SYSTEMS AND DATA PASSWORD ADVICE DECEMBER 2012 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances. 1
2 Contents Introduction..3 Passwords Areas for attention Origin of the advice given in this document CPNI advice.4 Non-administrator account - specific advice Administrator account - specific advice Password strength Lockout configuration Password storage Hardware Remote connection Testing and automation Third parties Monitoring of accounts for anomalous usage Security skills and awareness Further guidance 7 2
3 Introduction Passwords A password is a string of characters used in combination with other information to identify an individual. Password protection is used to prevent unauthorised access to systems and/or material. Areas for attention There are techniques which attackers can use to determine or to discover password data. Approaches include cracking or guessing of passwords, interception during transmission and conducting a search throughout an IT infrastructure for stored password information. Many of these techniques can be applied by automated tools. Focusing on the following areas will make it more difficult for an attacker to establish and make use of passwords. Default passwords Weak passwords Password composition Password re-use and password sharing Storage of passwords Transmission of passwords Measures to protect administrator-level accounts need extra consideration. An attacker will seek escalated privileges through the compromise of these accounts. It is important that robust measures are in place to protect administrator-level accounts. Origin of the advice given in this document CPNI is participating in an international government-industry effort to promote the Top 20 Critical Security Controls for Effective Cyber Defence, published by SANS (see Further Guidance section document 3). Within the 20 controls (and sub-controls) there are measures relating to the use of passwords. CPNI have undertaken work to pull-together the password-related content within Version 4 of the Consensus Audit Guidelines (CAG4) document. The following notation is used in this document to reference advice given within the Critical Security Controls: [CSC XX-YY] where XX is the control number (1-20) and YY is the sub-control (00 indicates advice outside of the sub-control list, but within the control text). In addition, to ensure that a balanced view is provided, CPNI have captured some additional comments covering both conventional and new thinking in the area. This password advice document is intended to be an evolving document that seeks to reflect new thinking and different views on the topic. t is anticipated that this short reference document will be updated periodically. 3
4 CPNI advice Non-administrator account - specific advice Non-administrator accounts should have strong passwords that contain letters, numbers and special characters [CSC 16-08]. Non-administrator accounts should be configured to require password changes every 90 days [CSC 16-08]. Non-administrator accounts should have passwords that have a minimal age of 1 day [CSC 16-08]. Non-administrator accounts should not permit the re-use of the previous 15 passwords [CSC 16-08]. Administrator account - specific advice Administrator accounts must have strong passwords that are complex containing letters, numbers and special characters intermixed with no dictionary words present [CSC 12-02]. Administrator accounts must be configured to require regular password changes on a frequent interval tied to the complexity of the password. Interval should not exceed 90 days [CSC & 12-05]. Administrator accounts must not permit re-use of the previous 15 passwords. Re-use must not be permitted within a certain timeframe [CSC 12-09]. Administrator accounts must not be shared or even occasionally used by anyone other than the account holder [CSC 12-08]. Administrators must establish different passwords for their administrator and nonadministrator accounts [CSC 12-08]. All administrative access, including domain administrative access, should use two-factor authentication [CSC 12-12]. Password strength Complexity and length are important in preventing passwords being cracked or guessed. Recommendations for password complexity are provided above for non-administrator and administrator accounts. 4
5 It is recommended that organisations insist on the use of strong passwords for all accounts. Strong passwords should be of sufficient length to increase the difficulty it takes to crack the password [CSC 12-02]. Techniques for the generation of strong passwords are covered by documents listed within the Further Guidance section document 1 (section 3.2.4) and also in document 2. Some organisations are abandoning the practice of changing passwords at regular intervals, taking the view that changing encourages the storage of passwords by less secure means (e.g. hardcopy). Emphasis is placed instead on the use of strong passwords. However, strong passwords can be more difficult to remember, leading to increased requests for reset and the temptation to use the same password across multiple systems. Pass phrases containing multiple dictionary words along with special characters can be easier to remember, but can only be considered acceptable if they are of a reasonable length [CSC 12-02]. Lockout configuration Account lockout should be used and configured such that after a set number of failed login attempts the account is locked for a standard period of time [CSC 16-09]. Disabling an account is a denial of service. An exponentially increasing delay after each failed authentication attempt could also be considered (also known as exponential back-off). Systems should automatically create a report on a daily basis that includes a list of lockedout and disabled accounts [CSC 16-03]. Password storage Passwords must not be stored as clear text. Passwords for all systems should be stored in a hashed format, produced using an established cryptographic hashing function [CSC 12-06]. An iterated hashing function should be used. The hashed representation of a password should be produced using a salt. A unique salt should be used for each account, and should be changed when the password is changed. Salt values should be held separately from the hashed values. Files containing encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges [CSC 12-06]. Hardware Before deploying any new devices in a networked environment, organisations should change all default user IDs and passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value [CSC & 12-04]. 5
6 Network devices should be managed using true two-factor authentication and encrypted sessions [CSC 10-05]. Where sensitive data is held on a laptop or other portable device, the use of measures such as BIOS passwords and disk encryption should be considered. Remote Connection Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication [CSC 13-07]. Testing and automation For all types of account, checks should be in place to ensure that chosen passwords meet the requirements in terms of complexity and originality. Built-in operating system features can enforce this [CSC 12-00]. Password composition and entropy should be tested, preferably when the password is set or changed by the account user. Weak scores should result in the proposed password being rejected. Software tools are available to do this. Testing must be conducted periodically to ensure that the password policy is enforced. This can be achieved by creating a temporary, disabled, limited privilege test account on 10 different systems and then attempting to change the password on the account to a value that does not meet the organisation s password policy. Temporary test accounts should be established in a number of different, randomly-selected systems across an organisation s IT infrastructure [CSC 12-00]. An automated process should be established to periodically search for clear text s and documents containing the word password, as well as other likely indicators of password information, in the filename or body [CSC 20-05]. Systems should automatically create a report on a daily basis that includes a list of accounts with passwords that exceed the maximum password age and accounts with passwords that never expire. This list should be sent to the associated systems administrator in a secure fashion [CSC 16-03]. Third parties Where services are outsourced, instructions should be provided that clearly describe the measures which must be taken (and those which should be taken) by a third party to protect credentials which allow access to systems or data relating to the issuing organisation [CSC 12-14]. 6
7 Where a third party uses passwords to restrict access to systems or data relating to the issuing organisation, the third party should be accountable for the use of the passwords. This should form part of the contractual agreement [CSC 12-14]. Monitoring of accounts for anomalous usage In addition to good security measures directly relating to passwords, organisations must monitor user accounts. Failed login attempts should be always be logged. Attempts to access deactivated accounts should be captured, as should the use of credentials from new devices. User profiles should be constructed using information relating to typical account usage such as time-of-day access and typical duration [12-10]. Timely alerting must be established for serious anomalies and daily reporting should also be configured. In addition, configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group [12-11]. Security Skills and Awareness Some end-users will be fooled via social engineering scams in which they are tricked into providing passwords. Understand technical skills gaps within the workforce and fill these gaps through policy, training and awareness [CSC 09-00]. Further guidance 1. Guide to Enterprise Password Management, Recommendations of the National Institute of Standards and Technology. Scarfone K., Souppaya M., NIST Special Publication , April 2009, source: [correct as of August 2012]. 2. Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology. Burr, W.E., Dodson, D.F., Polk, W.T., NIST Special Publication Version 1.0.2, April 2006, source: [correct as of September 2012]. This document has been written to be consistent with: 3. Top 20 Critical Controls for Effective Cyber Defense, Version 4. Published by The SANS Institute, October 2012, source: [correct as of November 2012]. End of document 7
SANS Institute First Five Quick Wins
#1 QUICK WIN- APPLICATION WHITELISTING SANS Critical Controls: #2: Inventory of Authorized and Unauthorized Software 1) Deploy application whitelisting technology that allows systems to run software only
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationThe City of New York
The Policy All passwords and personal identification numbers (PINs) used to protect City of New York systems shall be appropriately configured, periodically changed, and issued for individual use. Scope
More informationSimplifying Your Approach. Password Guidance
Simplifying Your Approach Password Guidance Page 2 Password Guidance Simplifying Your Approach Contents Foreword... 3 Introduction: the problems with passwords... 4 Tip 1: Change all default passwords...
More informationSPEAR PHISHING UNDERSTANDING THE THREAT
SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business
More informationidata Improving Defences Against Targeted Attack
idata Improving Defences Against Targeted Attack Summary JULY 2014 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does
More informationGuideline on Access Control
CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0
More informationCPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Cyber Security Assessments of Industrial Control Systems Good Practice
More informationTECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK
TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre
More informationBYOD Guidance: Architectural Approaches
GOV.UK Guidance BYOD Guidance: Architectural Approaches Published Contents 1. Service separation 2. Scenario 1: Exposing internal web applications 3. Scenario 2: Exposing email, calendar and contacts This
More informationCLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH
CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH March 2016 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer,
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationImplementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationPassword Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.
DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result
More informationMusina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-
Musina Local Municipality Information and Communication Technology User Account Management Policy -Draft- Version Control Version Date Author(s) Details V1.0 June2013 Perry Eccleston Draft Policy Page
More informationCal State Fullerton Account and Password Guidelines
Cal State Fullerton Account and Password Guidelines Purpose The purpose of this guideline is to establish a standard for account use and creation of strong passwords which adheres to CSU policy and conforms
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationICT USER ACCOUNT MANAGEMENT POLICY
ICT USER ACCOUNT MANAGEMENT POLICY Version Control Version Date Author(s) Details 1.1 23/03/2015 Yaw New Policy ICT User Account Management Policy 2 Contents 1. Preamble... 4 2. Terms and definitions...
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationCAPITAL UNIVERSITY PASSWORD POLICY
1.0 Overview Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital University's
More informationOPEN DATA: ADOPTING A SECURITY-MINDED APPROACH
OFFICIAL OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH November 2015 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationThe Advantages of a Firewall Over an Interafer
FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection
More informationTHE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005
THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationFAQs about PAS 1192-5, A Specification for securityminded building information modelling, digital built environments and smart asset management
FAQs about PAS 1192-5, A Specification for securityminded building information modelling, digital built environments and smart asset management May 2015 Disclaimer Reference to any specific commercial
More informationCompliance Guide: PCI DSS
Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationCPNI VIEWPOINT 01/2010 CLOUD COMPUTING
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
More informationPA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing
for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationPASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
PASSWORD MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationVice President of Information
Name of Policy: Password security policy 1 Policy Number: Approving Officer: Responsible Agent: Technology Scope: 3 3364-65-07 President all University campuses New policy proposal Major revision of existing
More informationUse of tablet devices in NHS environments: Good Practice Guideline
Use of Tablet Devices in NHS environments: Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Technology Office Prog. Director Chris Wilber Status APPROVED Owner James Wood
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationCatapult PCI Compliance
Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationRSA SecurID Software Token Security Best Practices Guide
RSA SecurID Software Token Security Best Practices Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA, the RSA
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationPassword regulations for Karolinska Institutet
Password regulations for Karolinska Institutet Dnr 1-213/2015 Version 2.0 Applicable from 2015-05-18 Password regulations for Karolinska Institutet - Summary Purpose The main purpose of these regulations
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationSESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support
SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support Desktop Support and Data Breaches: The Unknown Dangers Bryan Hood Senior Solutions Engineer, Bomgar bhood@bomgar.com Session Description
More informationPortal Administration. Administrator Guide
Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec
More informationService Accounts A Secant Standards White Paper
Service Accounts A Secant Standards White Paper Publication No.:101 Version: 11/28/11 ABOUT STANDARDS Secant is pleased to publicly release several key technology standards for reference by our clients
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationSection 12 MUST BE COMPLETED BY: 4/22
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
More informationNetwork Security Policy
KILMARNOCK COLLEGE Network Security Policy Policy Number: KC/QM/048 Date of First Issue: October 2009 Revision Number: 3 Date of Last Review: October 2011 Date of Approval \ Issue May 2012 Responsibility
More informationAlienVault for Regulatory Compliance
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
More informationInformation Technology Services Standards
Owner: IT Security and Page 1 of 10 Table of Contents 1 Purpose... 2 2 Entities Affected by this Standard... 2 3 Definitions... 2 4 Standards... 3 4.1 General... 3 4.2 Password Construction... 4 4.2.1
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationWeb Plus Security Features and Recommendations
Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of
More informationAchieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
More informationUse QNAP NAS for Backup
Use QNAP NAS for Backup BACKUP EXEC 12.5 WITH QNAP NAS Copyright 2010. QNAP Systems, Inc. All Rights Reserved. V1.0 Document revision history: Date Version Changes Apr 2010 1.0 Initial release Note: Information
More informationBlackBerry 10.3 Work and Personal Corporate
GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network
More informationAdobe Systems Software Ireland Ltd
Adobe Systems Software Ireland Ltd Own motion investigation report 13/00007 Timothy Pilgrim, Australian Privacy Commissioner Contents Overview... 2 Background... 3 Relevant provisions of the Privacy Act...
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationAccess Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL
AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical
More informationAccount Management Standards
Account Management Standards Overview These standards are intended to guide the establishment of effective account management procedures that promote the security and integrity of University information
More informationModule II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University
Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions
More informationDefense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
More informationCITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT
CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationAuthentication Solutions Buyer's Guide
WHITE PAPER: AUTHENTICATION SOLUTIONS BUYER'S GUIDE........................................ Authentication Solutions Buyer's Guide Who should read this paper Individuals who would like more details regarding
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More informationPension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update
Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationAssuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices
The Payment Card Industry (PCI) Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process. The Payment Application Data Security Standard
More informationTECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS
TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS 19 NOVEMBER 2003 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
More informationIntroduction. Clarification of terminology
Initiating a dialogue about the security of digital built assets: a guide for managers (with regard to PAS 1192-5, A Specification for security-minded building information modelling, digital built environments
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationGeneral Standards for Payment Card Environments at Miami University
General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationWhite Paper: Consensus Audit Guidelines and Symantec RAS
Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with
More informationUsing Remote Desktop Clients
CYBER SECURITY OPERATIONS CENTRE December 2011 Using Remote Desktop Clients INTRODUCTION 1. Remote access solutions are increasingly being used to access sensitive or classified systems from homes and
More informationSecurity Guide for the BD Remote Instrument Support Solution BD Biosciences workstations
Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations 11/2010 This document includes the following topics: About this guide (page 2) TeamViewer remote desktop support
More informationCNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:
1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus
More informationAlert (TA14-212A) Backoff Point-of-Sale Malware
Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity
More informationRFG Secure FTP. Web Interface
RFG Secure FTP Web Interface Step 1: Getting to the Secure FTP Web Interface: Open your preferred web browser and type the following address: http://ftp.raddon.com After you hit enter, you will be taken
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on
More informationTECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS
TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS 1 OCTOBER 2004 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More information