esourcing MANAGED SERVICE CUSTOMER NOTICE Security Accreditation
|
|
- Jody Price
- 8 years ago
- Views:
Transcription
1 esourcing MANAGED SERVICE CUSTOMER NOTICE Security Accreditation Purpose The purpose of this Customer Notice is to provide details of the Security Accreditation for the esourcing Managed Service performed by OGCbuying.solutions and BravoSolution. Background 1. The OGCbuying.solutions esourcing Managed Service is a secure, hosted managed service provided by BravoSolution. It is accessed by customers and their suppliers via the internet. 2. A range of core services including help desk, system management and support services are provided to customers. 3. The esourcing Managed Service comprises four service elements that may be used individually or in any combination to support the sourcing and contract management activities. These service elements are: etendering; eevaluation; ecollaboration; and econtract Management 4. OGCbuying.solutions and BravoSolution have completed an accreditation process to ensure that the service is compliant with HMG Information Security Standards, the requirements of the Manual of Protective Security (MPS) and all UK legislation relevant to the processing of information 5. OGCbuying.solutions have accredited the esourcing Managed Service against HM Government Information Security Standards for information up to egov Impact Level 3 equating to a UK Protective Marking of Restricted. Scope 1. The accreditation relates to the esourcing managed service supplied by BravoSolution to public sector organisations through OGCbuying.solutions (OGCbs). 2. The initial accreditation includes only the etendering and eevaluation service modules that are hosted at the prime hosting site in Milan, the connectivity and associated systems that are provided by sub-contractors to BravoSolution as well as the connectivity that is provided for remote support purposes. 3. The Accreditation does not relate to the ecollaboration or econtract Management service modules which will be subject to further accreditation process at a later date. 4. The scope of the Accreditation encompasses the following: The esourcing service and application. This will include the following aspects:
2 User account allocation; User authentication; Data separation; Data storage; Access control to the data; Employment of encryption technologies; The security controls protecting the application from the Internet. All elements of the system/application from the Internet connection through the various tiers within the production environment that are provided by BravoSolution. The ADS will not address the other non-production environments that are in place or services provided by COLT. The latter is controlled and managed via a Service Level Agreement with COLT; All connectivity that is in place to the production environment; A review of the security surrounding the hosting facilities provided by Colt Telecoms. Hosted Solution 1. The primary hosting site is based in Milan with the hosting service provided by Colt Telecoms who also provide the Internet connectivity. COLT have a current BS 7799 certificate to support all the their hosting service provision services. All support and management of the BravoSolution environment is undertaken by BravoSolution staff. The only services provided by COLT are: Use of a shared load balancer; Media management COLT will change and store (both locally and remotely) the backup tapes. 2. There are aspects of the solution (eevaluation) that are provided by Commerce Decisions, a subcontractor to BravoSolution who are based in the U.K.. 3. The etendering and eevaluation service modules are hosted offshore by BravoSolution in Italy. The decision to host Restricted data offshore has been ratified by the Senior Information Risk Owner and Central Sponsor of Information Assurance (CSIA). The Accreditation Process 1. At the request of OGCbuying.solutions, BravoSolution appointed a CESG approved CLAS consultant from Insight Consulting to conduct a security risk assessment and develop a full Accreditation Document Set for the esourcing Managed Service in line with HMG InfoSec standards. The solution was also subject to a comprehensive security penetration test carried out under the CESG IT Health Check scheme. 2. This IT Check Report and the Accreditation Document Set was be reviewed by OGCbuying solutions own CLAS consultant from Newell & Budge Security prior to formal accreditation by the OGCbuying.solutions Senior Risk Owner for the solution.
3 Risk Management 1. In producing the ADS, a risk assessment was performed using the Express Version of CRAMM. Based on the results of the risk assessment, the Measure of Risk for the esourcing Managed Service was considered to be at a very low or low level. 2. The calculations and resulting RRI are summarised below: No. Connection Type of Connection Barrier Total RRI Assurance Including Common Barrier ITSEC Criteria 1 Internet Megastream Firewall and Not Connection to DR Site 2 Internet Megastream Firewall and Connection to DR Site 3 Dedicated Circuit Megastream Connection to BravoSolution Head Office 4 Dedicated Circuit Megastream Connection to BravoSolution Head Office Not 5 Via the Internet Megastream Access to the E Evaluation server E1 EAL2 6 Via the Internet Megastream Access to the E Not Evaluation server 7 Via the Internet Direct Access to Controls for User E4 EAL5 8 Via the Internet Direct Access to Controls for User Not 9 Via the Internet Direct Access to Controls for User Not 10 Via the Internet Direct Access to Controls for User Direct access to the System Direct Access to the application Procedural controls E2 EAL3 Accreditation Document Set 1. The format of the ADS produced was compared with the requirements outlined in HMG Infosec Standard No.2. This document recommends that the ADS is organised under four main sections as follows: Part 1 Part 2 Part 3 Part 4 Basic Information. Risk Management Document Set. Security Operating Procedures (SyOps) and Interconnection Security Measures (ISMs) Inspection Reports and Accreditation Certificate. 2. The basic format and layout of Part 1 (Basic Information), within the esourcing ADS was found to be in line with the HMG Infosec Standard No2 recommendations. 3. The second section, Part 2 (Risk Management Report) of the ADS, was also found to be in line with the HMG Infosec Standard No2 recommendations. 4. The third section, Security Operating Procedures was found to be in line with the HMG Infosec Standard No2 recommendations. 5. The IT Health Check report was included within Part 4 of the ADS
4 Penetration Testing External Penetration Test 1. An External Penetration Test was carried out against BravoSolution s web application at This represents the instance for the British Library and was to all intents and purposes, running as a live service. The review was conducted from the Insight offices, based in Walton-on-Thames 2. The tests were conducted in May The aims of the test were to: Find known vulnerabilities in the targeted IP address; Exploit, where possible, vulnerabilities with a view to obtaining access to resources not permitted; Review of known vulnerabilities for identified software and hardware. 3. Automated scans and manual penetration tests were carried out in an attempt to gain access to the system. 4. No major vulnerabilities were identified and the infrastructure and web application were of a good security standard. Internal Penetration Test 1. An internal Penetration Test was carried out against BravoSolution s infrastructure based at the COLT hosting facility in Milan. The scope of the tests covered the internal network environment, the DMZ and a review of the firewall/switch configurations. 2. The tests were conducted in June The aims of the test were to: Find known vulnerabilities in the targeted IP addresses; Exploit, where possible, vulnerabilities with a view to obtaining access to resources not permitted; Assess the build of selected servers within the environment Review of known vulnerabilities for identified software and hardware. 3. Automated scans and manual penetration tests were carried out in an attempt to gain access to the targeted systems. 4. A number of issues were identified, however, some of these were brought to BravoSolutions attention and rectified immediately. Though a number of configurable issues were found, very few exploitable vulnerabilities were identified. Tests were conducted on these vulnerabilities to verify that they were not false positive results. All results and findings have been included in the report. 5. No major vulnerabilities were identified Re-accreditation Arrangements Re-Accreditation 1. The ADS is valid until May At this stage a re-examination should be carried out of the need for security and the type of countermeasures that need to be in place to provide the appropriate level of protection. 2. Re-accreditation is required every year and this will include an IT Health Check of the esourcing environment and any other key systems. This will follow the same approach as the initial ITHC that was performed. However, re-accreditation can occur at the discretion of the Accreditor and will be required when: The original solution is extended or significantly altered, e.g. the introduction of new external connections, major changes in functionality; The operating environment (e.g. site/location) changes from the current supplier. This will also apply to the DR site;
5 Information at markings higher than RESTRICTED are to be processed on the esourcing application; Major changes to the operating system (i.e. upgrades to new versions); Any changes to the application that affect the authentication, data and/or user separation and access control which could affect the OGCbs user base. Permitted Changes 1. The following changes will be allowed to the application without the need for re-accreditation: Installation of patches to the operating system/application; Installation of point release versions of the software (e.g. version 8.2 to 8.3 would not require reaccreditation); Software changes to the application that have no affect on the authentication, data/user separation or access controls measures that are in place; The take-on of additional customers irrespective of their geographical location; Changes implemented by the hosting company that have no affect on the esourcing infrastructure, service, connectivity or security; Software application changes that are made to instances of the application that do not affect OGCbs; Changes to the parameterisation values that are used to create the look and feel of the application; The implementation of additional components to increase the capacity of the esourcing infrastructure. Recommendations and Action Plan Newell and Budge Security advised OGCbuying.solutions that the esourcing ADS met HMG Infosec requirements, subject to successful implementation of the following agreed actions Recommendation The IS1 Risk Calculations should be reviewed to ensure that the RRI figure for systems administrators (Barrier 6) can be reduced to an acceptable level. This could be facilitated by ensuring that the small number of personnel involved were security cleared to an acceptable equivalent to UK Basic Check (BC) clearance. Some detailed technical issues of a non critical nature were raised by the IT Health Check. It is essential that the IT Health Check Report is released to BravoSolution on a need to know basis in order for appropriate remedial action to be taken by the service provider. Agreed Actions & Current Status OGCbuying.solutions and BravoSolution have obtained security clearance for BravoSolution and sub-contractor staff performing system and database administration activities. Full IT Health Check Report released to BravoSolution on a Need-To-Know basis on 27 July 2005.
IT Heath Check Scoping guidance ALPHA DRAFT
IT Heath Check Scoping guidance ALPHA DRAFT Version 0.1 November 2014 Document Information Project Name: ITHC Guidance Prepared By: Mark Brett CLAS Consultant Document Version No: 0.1 Title: ITHC Guidance
More informationA. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template
G-Cloud Service Pan Government Security Accreditation Scope This form is intended for Suppliers of services on the G-Cloud to complete. Upon receipt, the G-Cloud Programme will check Section A, Reference
More informationdeveloping your potential Cyber Security Training
developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company
More informationWe are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review
We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review The security threat landscape is constantly changing and it is important to periodically review a business
More informationHow To Secure Cloud Compute At Eduserv
Implementing the CESG Cloud Security Principles February 2015 Eduserv Public www.eduserv.org.uk Contents Introduction... 4 The principles... 4 About our claims... 5 1 Data in transit protection... 6 2
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More information28400 POLICY IT SECURITY MANAGEMENT
Version: 2.2 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low 1. About This Policy 1.1. The objective of this policy is to provide direction and support for IT
More informationThales Service Definition for PSN Secure Email Gateway Service for Cloud Services
Thales Definition for PSN Secure Email Gateway Thales Definition for PSN Secure Email Gateway for Cloud s April 2014 Page 1 of 12 Thales Definition for PSN Secure Email Gateway CONTENT Page No. Introduction...
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationBusiness Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:
Module Db Technical Solution Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Cost is reduced through greater economies of scale, removal of duplication
More informationU06 IT Infrastructure Policy
Dartmoor National Park Authority U06 IT Infrastructure Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement
More informationLot 1 Service Specification MANAGED SECURITY SERVICES
Lot 1 Service Specification MANAGED SECURITY SERVICES Fujitsu Services Limited, 2013 OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES Fujitsu delivers a comprehensive range of information security services
More informationDVLA ELISE GSi Closed User Group Code of Connection
DVLA ELISE GSi Closed User Group Code of Connection Security Warning Notice The following handling instructions apply to this document: - Handle, use and transmit with care - Take basic precautions against
More informationSoftware as a Service (SaaS) Online HR
Software as a Service (SaaS) Online HR Contents Service Definition... 3 An overview of the G-Cloud Service... 3 Key Service Attributes... 4 Information assurance... 4 Details of the level of backup/restore
More informationHow To Comply With The Loss Prevention Certification Board
Loss Prevention Standard LPS 1014: Issue 5.3 This Loss Prevention Standard is the property of BRE Global Ltd. and is made publicly available for information purposes only. Its use for testing, assessment,
More informationSCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT
SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT Issue 1.0 Date 24/03/2011 Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration
More informationEllucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant
Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed
More informationNIST Cyber Security Activities
NIST Cyber Security Activities Dr. Alicia Clay Deputy Chief, Computer Security Division NIST Information Technology Laboratory U.S. Department of Commerce September 29, 2004 1 Computer Security Division
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationThales Service Definition for NOC Services for Cloud
Thales Service Definition for UK NOC Services Thales Service Definition for NOC Services for Cloud April 2014 Page 1 of 13 Thales Service Definition for UK NOC Services CONTENT Page No. Introduction...
More informationUK IT SECURITY EVALUATION AND CERTIFICATION SCHEME
UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME 122-B CERTIFICATION REPORT No. P149 CHECK POINT VPN-1/FIREWALL-1 Issue 1.0 January 2001 Crown Copyright 2001 Reproduction is authorised provided the report
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationProtective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 1.0, Issue Date: 05/02/201405/02/2014. Classification: Open
Protective Monitoring as a Service Version: 1.0, Issue Date: 05/02/201405/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 2014. Other than for the sole purpose of evaluating this
More informationInformation security due diligence
web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com Identifying information security risk for web applications
More informationNetwork Security Policy
IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service
More informationHow To Help Your Business Succeed
G Cloud III Framework Lot 4 (SCS) CHECK Accredited Penetration Testing Services Contents Executive Summary 3 CHECK Accredited Penetration Testing Services 4 Why Deloitte? 5 Package Cost 7 Contact 9 Service
More informationThird Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide
Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationFebruary 2015 Issue No: 5.2. CESG Certification for IA Professionals
February 2015 Issue No: 5.2 CESG Certification for IA Professionals Issue No: 5.2 February 2015 The copyright of this document is reserved and vested in the Crown. This document may not be reproduced or
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationSecurity Accreditation, Management and Monitoring - Getting the Balance Right!
Security Accreditation, Management and Monitoring - Getting the Balance Right! Author Peter J Fischer, Asset Security Manager, Government Communications Headquarters, Cheltenham, UK Tel: +44-1242-221491,
More informationHow to gain accreditation for a G-Cloud Service
www.ascentor.co.uk How to gain accreditation for a G-Cloud Service Demystify the process As a registered supplier of G-Cloud services you will be keenly aware that getting onto the G-Cloud framework does
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationSecurity aspects of e-tailing. Chapter 7
Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing
More informationBottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.
Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationESKISP6064.03 Conducts vulnerability assessment under supervision
Conducts vulnerability assessment under supervision Overview This standard covers the competencies required to conduct vulnerability assessments under supervision. This includes following processes for
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationPractitioner Certificate in Information Assurance Architecture (PCiIAA)
Practitioner Certificate in Information Assurance Architecture (PCiIAA) 15 th August, 2015 v2.1 Course Introduction 1.1. Overview A Security Architect (SA) is a senior-level enterprise architect role,
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More information93% of large organisations and 76% of small businesses
innersecurity INFORMATION SECURITY Information Security Services 93% of large organisations and 76% of small businesses suffered security breaches in the last year. * Cyber attackers were the main cause.
More informationCourse: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
More informationHuman Factors in Information Security
University of Oslo INF3510 Information Security Spring 2014 Workshop Questions Lecture 2: Security Management, Human Factors in Information Security QUESTION 1 Look at the list of standards in the ISO27000
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationManaging internet security
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationIBM QRadar Security Intelligence April 2013
IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence
More informationFujitsu s Approach to Cloud-related Information Security
Fujitsu s Approach to Cloud-related Information Security Masayuki Okuhara Takuya Suzuki Tetsuo Shiozaki Makoto Hattori Cloud computing opens up a variety of possibilities but at the same time it raises
More informationUK IT SECURITY EVALUATION AND CERTIFICATION SCHEME DESCRIPTION OF THE SCHEME
UKSP 01 UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME UK Scheme Publication No 1 DESCRIPTION OF THE SCHEME Issue 4.0 February 2000 Crown Copyright 2000 This document must not be copied or distributed
More informationCitrix Password Manager, Enterprise Edition Version 4.5
122-B COMMON CRITERIA CERTIFICATION REPORT No. CRP235 Citrix Password Manager, Enterprise Edition Version 4.5 running on Microsoft Windows and Citrix Presentation Server Issue 1.0 June 2007 Crown Copyright
More informationFear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!
Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Presented by: Kristen Zarcadoolas, Jim Soenksen, and Ed Sale PART 2: plan, act, repeat (from the look, plan,
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationTHALES. www.thalesgroup. corn
THALES www.thalesgroup. corn c Understanding cyber security is a challenge faced by all businesses and organisations around the world. New threats emerge on a daily basis and it can be difficult to understand
More informationNew Systems and Services Security Guidance
New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes 0.1 29/05/2012 Donna Waymouth First draft 0.2 21/06/2012 Donna Waymouth Update re certificates
More informationPrepared by: CACI Digital Services Date issued: March 2014. CACI Managed Cloud Hosting Overview
Prepared by: CACI Digital Services Date issued: March 2014 Overview Document Control This section details document control in terms of its distribution, configuration management, amendment history and
More informationasktel Business Connect
Why go through the hassle and expense of maintaining your own firewall or Virtual Private Network when we can do it for you? Significant savings Increased speed at lower cost Business Connect will increase
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationAN OVERVIEW OF VULNERABILITY SCANNERS
AN OVERVIEW OF VULNERABILITY SCANNERS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole
More informationPublication 805-A Revision: Certification and Accreditation
Postal Bulletin 22358 (3-7-13) Policies, Procedures, and Forms Updates Publication 805-A Revision: Certification and Accreditation Effective immediately, the January 2013 edition of Publication 805-A,
More informationBest Practices For Department Server and Enterprise System Checklist
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
More informationSAA Consultants. B2B Exchange Management. Managed File Transfer. Enterprise Application Integration Management. Compliant Audit Security Management
SAA Consultants B2B Exchange Management Managed File Transfer Enterprise Application Integration Management Compliant Audit Security Management Secure Commerce Delivering improved efficiency via products
More informationHow To Ensure The C.E.A.S.A
APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration
More informationI.T. Security Specialists. Cyber Security Solutions and Services. Caretower Corporate Brochure 2015 1
I.T. Security Specialists Cyber Security Solutions and Services Caretower Corporate Brochure 2015 1 about us As an independent IT security specialist, with over 17 years experience, we provide tailored
More informationSpillemyndigheden s Certification Programme Instructions on Vulnerability Scanning
SCP.05.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationNETWORK SECURITY POLICY
NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics
More informationCertification Report
Certification Report HP Network Automation Ultimate Edition 10.10 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationPrint4 Solutions fully comply with all HIPAA regulations
HIPAA Compliance Print4 Solutions fully comply with all HIPAA regulations Print4 solutions do not access, store, process, monitor, or manage any patient information. Print4 manages and optimize printer
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee
More informationWHITE PAPER. An Introduction to Network- Vulnerability Testing
An Introduction to Network- Vulnerability Testing C ONTENTS + Introduction 3 + Penetration-Testing Overview 3 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and
More informationInformation Security Network Connectivity Process
Information Security Network Connectivity Process Handbook AS-805-D September 2009 Transmittal Letter A. Purpose It is more important than ever that each of us be aware of the latest policies, regulations,
More informationThales Service Definition for IL3 Encrypted Overlay for Cloud Services
Thales Service Definition for UK IL3 Encrypted Overlay Thales Service Definition for IL3 Encrypted Overlay for Cloud Services April 2014 Page 1 of 11 Thales Service Definition for UK IL3 Encrypted Overlay
More informationU09 Remote Access Policy
Plymouth City Council U09 Remote Access Policy December 2008 This document is copyright to Plymouth City Council and should not be used or adapted for any purpose without the agreement of the Council.
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact
More informationWEB APPLICATION SECURITY TESTING GUIDELINES
WEB APPLICATION SECURITY TESTING GUIDELINES 1 These guidelines were developed to support the Web Application Security Standard. Please refer to this standard for additional information and/or clarification
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date
More informationName: Position held: Company Name: Is your organisation ISO27001 accredited:
Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:
More informationProtective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open
Protective Monitoring as a Service Version: 2.1, Issue Date: 05/02/201405/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 201416/12/2014. Other than for the sole purpose of evaluating
More informationCopyright 2013, Oracle and/or its affiliates. All rights reserved.
1 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
More informationSERVICE DEFINITION G-CLOUD 7 SECURE FILE TRANSFER DIODE. Classification: Open
SERVICE DEFINITION G-CLOUD 7 SECURE FILE TRANSFER DIODE Classification: Open Classification: Open ii MDS Technologies Ltd 2015. Other than for the sole purpose of evaluating this Response, no part of this
More informationInformation Security Attack Tree Modeling for Enhancing Student Learning
Information Security Attack Tree Modeling for Enhancing Student Learning Jidé B. Odubiyi, Computer Science Department Bowie State University, Bowie, MD and Casey W. O Brien, Network Technology Department
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationDIGITAL MARKETPLACE (G-CLOUD 7) OFFERING. Sopra Steria OneMobile SaaS Service. Introduction. Service Definition. Sopra Steria in the public sector
DIGITAL MARKETPLACE (G-CLOUD 7) OFFERING Sopra Steria OneMobile SaaS Service Sopra Steria in the public sector Organisations across the public sector choose Sopra Steria to deliver transformation programmes
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationICANWK406A Install, configure and test network security
ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with
More informationCommittees Date: Subject: Public Report of: For Information Summary
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationDefence Cyber Protection Partnership Cyber Risks Profile Requirements
Good Governance L.01 Define and assign information security relevant roles and responsibilities. L.02 Define and implement a policy that addresses information security risks within supplier relationships.
More informationIT Security Testing Services
Context Information Security T +44 (0)207 537 7515 W www.contextis.com E gcloud@contextis.co.uk IT Security Testing Services Context Information Security Contents 1 Introduction to Context Information
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More information