INTRODUCTION TO PENETRATION TESTING

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "INTRODUCTION TO PENETRATION TESTING"

Transcription

1 DATA SECURITY MANAGEMENT INTRODUCTION TO PENETRATION TESTING Stephen Fried INSIDE What is Penetration Testing? Terminology; Why Test? Types of Penetration Testing; What Allows Penetration Testing to Work? INTRODUCTION This article provides a general introduction to the subject of penetration testing and provides the security professional with the background needed to understand this special area of security analysis. Penetration testing can be a valuable tool for understanding and improving the security of a computer or network. However, it can also be used to exploit system weaknesses and attack systems and steal valuable information. By understanding the need for penetration testing, and the issues and processes surrounding its use, a security professional will be better able to use penetration testing as a standard part of the analysis toolkit. This article presents penetration testing in terms of its use, application, and process. It is not intended as an in-depth guide to specific techniques that can be used to test penetration-specific systems. Penetration testing is an art that takes a great deal of skill and practice to do effectively. If not done correctly and carefully, the penetration test can be deemed invalid (at best) and, in the worst case, actually damage the target systems. If the security professional is unfamiliar with penetration testing tools and techniques, it is best to hire or contract someone with a great deal of experience in this area to advise and educate the security staff of an organization. WHAT IS PENETRATION TESTING? Penetration testing is defined as a formalized set of procedures designed to bypass the security controls of a system or organization for the purpose of testing that system s or PAYOFF IDEA Here is where one learns all about penetration testing up to the point of actually using this powerful technique. It is important to know what one is trying to accomplish before actually attempting a penetration test because mistakes can be disastrous to computer operations. Mistakes might even be career limiting.

2 organization s resistance to such an attack. Penetration testing is performed to uncover the security weaknesses of a system and to determine the ways in which the system can be compromised by a potential attacker. Penetration testing can take several forms (which will be discussed later) but, in general, a test consists of a series of attacks against a target. The success or failure of the attacks, and how the target reacts to each attack, will determine the outcome of the test. The overall purpose of a penetration test is to determine the subject s ability to withstand an attack by a hostile intruder. As such, the tester will be using the tricks and techniques a real-life attacker might use. This simulated attack strategy allows the subject to discover and mitigate its security weak spots before a real attacker discovers them. The reason penetration testing exists is that organizations need to determine the effectiveness of their security measures. The fact that they want tests performed indicates that they believe there might be (or want to discover) some deficiency in their security. However, while the testing itself might uncover problems in the organization s security, the tester should attempt to discover and explain the underlying cause of the lapses in security that allowed the test to succeed. Simply stating that the tester was able to walk out of a building with sensitive information is not sufficient. The tester should explain that the lapse was due to inadequate attention by the guard on duty or a lack of guard staff training that would enable them to recognize valuable or sensitive information. There are three basic requirements for a penetration test. 1. The test must have a defined goal and that goal should be clearly documented. The more specific the goal, the easier it will be to recognize the success or failure of the test. A goal such as break into the XYZ corporate network, while certainly attainable, is not as precise as break into XYZ s corporate network from the Internet and gain access to the research department s file server. Each test should have a single goal. If the tester wishes to test several aspects of security at a business or site, several separate tests should be performed. This will enable the tester to more clearly distinguish between successful tests and unsuccessful attempts. 2. The test should have a limited time period in which it is to be performed. The methodology in most penetration testing is to simulate the types of attacks that will be experienced in the real world. It is reasonable to assume that an attacker will expend a finite amount of time and energy trying to penetrate a site. That time may range from one day to one year or beyond; but after that time is reached, the attacker will give up. In addition, the information being protected may have a finite useful lifetime. The penetration test should

3 acknowledge and accept this fact. Thus, part of the goal statement for the test should include a time limit that is considered reasonable based on the type of system targeted, the expected level of the threat, and the lifetime of the information. 3. The test should have the approval of the management of the organization that is the subject of the test. This is extremely important, as only the organization s management has the authority to permit this type of activity on its network and information systems. TERMINOLOGY There are several terms associated with penetration testing. These terms are used throughout this article to describe penetration testing and the people and events involved in a penetration test. Tester: Attacker: Attack: Subject of the test: Target of a penetration test: The person or group who is performing the penetration test. The purpose of the tester is to plan and execute the penetration test and analyze the results for management. In many cases, the tester will be a member of the company or organization that is the subject of the test. However, a company may hire an outside firm to conduct the penetration test if it does not have the personnel or the expertise to do it itself. A real-life version of a tester. However, where the tester works with a company to improve its security, the attacker works against a company to steal information or resources. The series of activities performed by the tester in an attempt to circumvent the security controls of a particular target. The attack may consist of physical, procedural, or electronic methods. The organization upon whom the penetration test is being performed. The subject can be an entire company or it can be a smaller organizational unit within that company. The system or organization that is being subjected to a particular attack at any given time. The target may or may not be aware that it is being tested. In either case, the target will have a set of defenses it presents to the outside world to protect itself against intrusion. It is those defenses that the penetration test is designed to test. A full penetration test usually consists of a number of attacks against a number of different targets.

4 Management: Penetration test (or more simply the test): The term used to describe the leadership of an organization involved in the penetration test. There may be several levels of management involved in any testing effort, including the management of the specific areas of the company being tested, as well as the upper management of the company as a whole. The specific levels of management involved in the penetration testing effort will have a direct impact on the scope of the test. In all cases, however, it is assumed that the tester is working on behalf of (and sponsored by) at least one level of management within the company. The actual performance of a simulated attack on the target. WHY TEST? There are several reasons why an organization will want a penetration test performed on its systems or operations. The first (and most prevalent) is to determine the effectiveness of the security controls the organization has put into place. These controls may be technical in nature, affecting the computers, network, and information systems of the organization. They may be operational in nature, pertaining to the processes and procedures a company has in place to control and secure information. Finally, they may be physical in nature. The tester may be trying to determine the effectiveness of the physical security a site or company has in place. In all cases, the goal of the tester will be to determine if the existing controls are sufficient by trying to get around them. The tester may also be attempting to determine the vulnerability an organization has to a particular threat. Each system, process, or organization has a particular set of threats to which it feels it is vulnerable. Ideally, the organization will have taken steps to reduce its exposure to those threats. The role of the tester is to determine the effectiveness of these countermeasures and to identify areas for improvement or areas where additional countermeasures are required. The tester may also wish to determine whether the set of threats the organization has identified is valid and whether or not there are other threats against which the organization might wish to defend itself. A penetration test can sometimes be used to bolster a company s position in the marketplace. A test, executed by a reputable company and indicating that the subject s environment withstood the tester s best efforts, can be used to give prospective customers the appearance that the subject s environment is secure. The word appearance is important here because a penetration test cannot examine all possible aspects of the subject s environment if it is even moderate in size. In addition, the

5 security state of an enterprise is constantly changing as new technology replaces old, configurations change, and business needs evolve. The environment the tester examines may be very different from the one the customer will be a part of. If a penetration test is used as proof of the security of a particular environment for marketing purposes, the customer should insist on knowing the details, methodology, and results of the test. A penetration test can be used to alert the corporation s upper management to the security threat that may exist in its systems or operations. While the general knowledge that security weaknesses exist in a system, or specific knowledge of particular threats and vulnerabilities may exist among the technical staff, this message may not always be transmitted to management. As a result, management may not fully understand or appreciate the magnitude of the security problem. A well-executed penetration test can systematically uncover vulnerabilities that management was unaware existed. The presentation of concrete evidence of security problems, along with an analysis of the damage those problems can cause to the company, can be an effective wake-up call to management and spur them into paying more attention to information security issues. A side effect of this wake-up call may be that once management understands the nature of the threat and the magnitude to which the company is vulnerable, it may be more willing to expend money and resources to address not only the security problems uncovered by the test but also ancillary security areas needing additional attention by the company. These ancillary issues may include a general security awareness program or the need for more funding for security technology. A penetration test that uncovers moderate or serious problems in a company s security can be effectively used to justify the time and expense required to implement effective security programs and countermeasures. TYPES OF PENETRATION TESTING The typical image of a penetration test is that of a team of high-tech computer experts sitting in a small room attacking a company s network for days on end or crawling through the ventilation shafts to get into the company s secret room. While this may be a glamorous image to use in the movies, in reality the penetration test works in a variety of different (and very nonglamorous) ways. The first type of testing involves the physical infrastructure of the subject. Very often, the most vulnerable parts of a company are not found in the technology of its information network or the access controls found in its databases. Security problems can be found in the way the subject handles its physical security. The penetration tester will seek to exploit these physical weaknesses. For example, does the building provide adequate access control? Does the building have security guards, and do the

6 guards check people as they enter or leave a building? If intruders are able to walk unchecked into a company s building, they will be able to gain physical access to the information they seek. A good test is to try to walk into a building during the morning when everyone is arriving to work. Try to get in the middle of a crowd of people to see if the guard is adequately checking the badges of those entering the building. Once inside, check if sensitive areas of the building are locked or otherwise protected by physical barriers. Are file cabinets locked when not in use? How difficult is it to get into the communications closet where all the telephone and network communication links terminate? Can a person walk into employee office areas unaccompanied and unquestioned? All the secure and sensitive areas of a building should be protected against unauthorized entry. If they are not, the tester will be able to gain unrestricted access to sensitive company information. While the physical test includes examining protections against unauthorized entry, the penetration test might also examine the effectiveness of controls prohibiting unauthorized exit. Does the company check for theft of sensitive materials when employees exit the facility? Are laptop computers or other portable devices registered and checked when entering and exiting the building? Are security guards trained not only on what types of equipment and information to look for, but also on how equipment can be hidden or masked and why this procedure is important? Another type of testing examines the operational aspects of an organization. Whereas physical testing investigates physical access to company computers, networks, or facilities, operational testing attempts to determine the effectiveness of the operational procedures of an organization by attempting to bypass those procedures. For example, if the company s help desk requires each user to give personal or secret information before help can be rendered, can the tester bypass those controls by telling a particularly believable sob story to the technician answering the call? If the policy of the company is to scramble or demagnetize disks before disposal, are these procedures followed? If not, what sensitive information will the tester find on disposed disks and computers? If a company has strict policies concerning the authority and process required to initiate ID or password changes to a system, can someone simply claiming to have the proper authority (without any actual proof of that authority) cause an ID to be created, removed, or changed? All these are attacks against the operational processes a company may have, and all of these techniques have been used successfully in the past to gain entry into computers or gain access to sensitive information. The final type of penetration test is the electronic test. Electronic testing consists of attacks on the computer systems, networks, or communications facilities of an organization. This can be accomplished either manually or through the use of automated tools. The goal of electronic testing is to determine if the subject s internal systems are vulnerable to

7 an attack through the data network or communications facilities used by the subject. Depending on the scope and parameters of a particular test, a tester may use one, two, or all three types of tests. If the goal of the test is to gain access to a particular computer system, the tester may attempt a physical penetration to gain access to the computer s console or try an electronic test to attack the machine over the network. If the goal of the test is to see if unauthorized personnel can obtain valuable research data, the tester may use operational testing to see if the information is tracked or logged when accessed or copied and determine who reviews those access logs. The tester may then switch to electronic penetration to gain access to the computers where the information is stored. WHAT ALLOWS PENETRATION TESTING TO WORK? There are several general reasons why penetration tests are successful. Many of them are in the operational area; however, security problems can arise due to deficiencies in any of the three testing areas. A large number of security problems arise due to a lack of awareness on the part of a company s employees of the company s policies and procedures regarding information security and protection. If employees and contractors of a company do not know the proper procedures for handling proprietary or sensitive information, they are much more likely to allow that information to be left unprotected. If employees are unaware of the company policies on discussing sensitive company information, they will often volunteer (sometimes unknowingly) information about their company s future sales, marketing, or research plans simply by being asked the right set of questions. The tester will exploit this lack of awareness and modify the testing procedure to account for the fact that the policies are not well-known. In many cases, the subjects of the test will be very familiar with the company s policies and the procedures for handling information. Despite this, however, penetration testing works because often people do not adhere to standardized procedures defined by the company s policies. Although the policies may say that system logs should be reviewed daily, most administrators are too busy to bother. Good administrative and security practices require that system configurations should be checked periodically to detect tampering, but this rarely happens. Most security policies indicate minimum complexities and maximum time limits for password, but many systems do not enforce these policies. Once the tester knows about these security procedural lapses, they become easy to exploit. Many companies have disjointed operational procedures. The processes in use by one organization within a company may often conflict with the processes used by another organization. Do the procedures

8 used by one application to authenticate users complement the procedures used by other applications, or are there different standards in use by different applications? Is the access security of one area of a company s network lower than that of another part of the network? Are log files and audit records reviewed uniformly for all systems and services, or are some systems monitored more closely than others? All these are examples of a lack of coordination between organizations and processes. These examples can be exploited by the tester and used to get closer to the goal of the test. A tester needs only to target the area with the lower authentication standards, the lower access security, or the lower audit review procedures in order to advance the test. Many penetration tests succeed because people often do not pay adequate attention to the situations and circumstances in which they find themselves. The hacker s art of social engineering relies heavily on this fact. Social engineering is a con game used by intruders to trick people who know secrets into revealing them. People who take great care in protecting information when at work (locking it up or encrypting sensitive data, for example) suddenly forget about those procedures when asked by an acquaintance at a party to talk about their work. Employees who follow strict user authentication and system change control procedures suddenly forget all about them when they get a call from the Vice President of Such and Such needing something done right away. Does the Vice President himself usually call the technical support line with problems? Probably not, but people do not question the need for information, do not challenge requests for access to sensitive information even if the person asking for it does not clearly have a need to access that data, and do not compare the immediate circumstances with normal patterns of behavior. Many companies rely on a single source for enabling an employee to prove identity, and often that source has no built-in protection. Most companies assign employee identification (ID) numbers to their associates. That number enables access to many services the company has to offer, yet is displayed openly on employee badges and freely given when requested. The successful tester might determine a method for obtaining or generating a valid employee ID number in order to impersonate a valid employee. Many hackers rely on the anonymity that large organizations provide. Once a company grows beyond a few hundred employees, it becomes increasingly difficult for anyone to know all employees by sight or by voice. Thus, the IT and HR staff of the company need to rely on other methods of user authentication, such as passwords, key cards, or the above-mentioned employee ID number. Under such a system, employees become anonymous entities, identified only by their ID number or their password. This makes it easier to assume the identity of a legitimate employee or to use social engineering to trick people into divulging in-

9 formation. Once the tester is able to hide within the anonymous structure of the organization, the fear of discovery is reduced and the tester will be in a much better position to continue to test. Another contributor to the successful completion of most penetration tests is the simple fact that most system administrators do not keep their systems up to date with the latest security patches and fixes for the systems under their control. A vast majority of system break-ins occur as a result of exploitation of known vulnerabilities vulnerabilities that could have easily been eliminated by the application of a system patch, configuration change, or procedural change. The fact that system operators continue to let systems fall behind in security configuration means that testers will continuously succeed in penetrating their systems. The tools available for performing a penetration test are becoming more sophisticated and more widely distributed. This has allowed even the novice hacker to pick up highly sophisticated tools for exploiting system weaknesses and applying them without requiring any technical background in how the tool works. Often these tools can try hundreds of vulnerabilities on a system at one time. As new holes are found, the hacker tools exploit them faster than the software companies can release fixes, making life even more miserable for the poor administrator who has to keep pace. Eventually, the administrator will miss something, and that something is usually the one hole that a tester can use to gain entry into a system. Stephen Fried is the senior manager for Global Risk Assessment and Secure Business Solutions at Lucent Technologies, leading the team responsible for determining the security threats to Lucent's internal systems and services. Stephen is a Certified Information Systems Security Professional and has been a featured speaker on information security and technology at meetings and conferences worldwide.

PERFORMING PENETRATION TESTING

PERFORMING PENETRATION TESTING 82-02-68 DATA SECURITY MANAGEMENT PERFORMING PENETRATION TESTING Stephen Fried INSIDE Basic Attack Strategies; Planning the Test; Performing the Test; Reporting Results BASIC ATTACK STRATEGIES Every security

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

PDSA Special Report. Is your Company s Security at Risk

PDSA Special Report. Is your Company s Security at Risk PDSA Special Report Introduction There is probably no such thing as a completely secure company. However, if you are not thinking about security in your company, you are running a big risk. We are not

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

More information

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

U.S. SECURITIES & EXCHANGE COMMISSION

U.S. SECURITIES & EXCHANGE COMMISSION PBX and Analog Lines Security Assessment U.S. SECURITIES & EXCHANGE COMMISSION March 31, 2000 Prepared by Deloitte & Touche LLP Enterprise Risk Services - 1 - 1 Executive Summary 1.1 Overview Deloitte

More information

What is Penetration Testing?

What is Penetration Testing? White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Five PCI Security Deficiencies of Restaurants

Five PCI Security Deficiencies of Restaurants Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074

More information

Information Security Technology?...Don t Rely on It A Case Study in Social Engineering

Information Security Technology?...Don t Rely on It A Case Study in Social Engineering The following paper was originally published in the Proceedings of the Fifth USENIX UNIX Security Symposium Salt Lake City, Utah, June 1995. Information Security Technology?...Don t Rely on It A Case Study

More information

AN INFORMATION GOVERNANCE BEST

AN INFORMATION GOVERNANCE BEST SMALL BUSINESS ID THEFT AND FRAUD AN INFORMATION GOVERNANCE BEST PRACTICES GUIDE FOR SMALL BUSINESS IT IS NOT A MATTER OF IF BUT WHEN AN INTRUSION WILL BE ATTEMPTED ON YOUR BUSINESS COMPUTER SYSTEM IN

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

BEST PRACTICES IN WEB CONFERENCING SECURITY. A Spire Research Report April 2003. By Pete Lindstrom, Research Director. Sponsored By: www.cisco.

BEST PRACTICES IN WEB CONFERENCING SECURITY. A Spire Research Report April 2003. By Pete Lindstrom, Research Director. Sponsored By: www.cisco. BEST PRACTICES IN WEB CONFERENCING SECURITY A Spire Research Report April 2003 By Pete Lindstrom, Research Director Sponsored By: www.cisco.com BEST PRACTICES IN WEB CONFERENCING SECURITY A Spire Research

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Closing Wireless Loopholes for PCI Compliance and Security

Closing Wireless Loopholes for PCI Compliance and Security Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff

83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff 83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff Firewalls are an effective method of reducing the possibility of network intrusion by attackers. The key to successful

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

The Roles of Software Testing & QA in Security Testing

The Roles of Software Testing & QA in Security Testing The Roles of Software Testing & QA in Security Testing Hung Q. Nguyen LogiGear, President and CEO Bob Johnson Independent, Security Consultant ASQ-SSQA Presentation, May 14, 2002 Objective To jump start

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

Network Security Forensics

Network Security Forensics Network Security Forensics As hacking and security threats grow in complexity and organizations face stringent requirements to document access to private data on the network, organizations require a new

More information

Pass-the-Hash. Solution Brief

Pass-the-Hash. Solution Brief Solution Brief What is Pass-the-Hash? The tools and techniques that hackers use to infiltrate an organization are constantly evolving. Credential theft is a consistent concern as compromised credentials

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

Five PCI Security Deficiencies of Retail Merchants and Restaurants

Five PCI Security Deficiencies of Retail Merchants and Restaurants Whitepaper January 2010 Five PCI Security Deficiencies of Retail Merchants and Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations by Brad Cyprus, SSCP - Senior Security Architect,

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection

More information

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security

More information

Insider Threats in the Real World Eavesdropping and Unauthorized Access

Insider Threats in the Real World Eavesdropping and Unauthorized Access Insider Threats in the Real World Eavesdropping and Unauthorized Access A Visual Data Security Whitepaper Prepared by: OptioLabs Camden Yards 323 West Camden Street, Suite 801 Baltimore, Maryland 21201

More information

DOL New Hire Training: Computer Security and Privacy

DOL New Hire Training: Computer Security and Privacy DOL New Hire Training: Computer Security and Privacy Table of Contents Introduction Lesson One: Computer Security Basics Lesson Two: Protecting Personally Identifiable Information (PII) Lesson Three: Appropriate

More information

Austin Peay State University

Austin Peay State University 1 Austin Peay State University Identity Theft Operating Standards (APSUITOS) I. PROGRAM ADOPTION Austin Peay State University establishes Identity Theft Operating Standards pursuant to the Federal Trade

More information

82-10-43 Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff

82-10-43 Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff 82-10-43 Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff Social engineering is the term that hackers use to describe attempts to obtain information about computer systems through

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

CASE STUDY OF INDUSTRIAL ESPIONAGE THROUGH SOCIAL ENGINEERING

CASE STUDY OF INDUSTRIAL ESPIONAGE THROUGH SOCIAL ENGINEERING CASE STUDY OF INDUSTRIAL ESPIONAGE THROUGH SOCIAL ENGINEERING Ira S. Winkler National Computer Security Association 10 South Courthouse Avenue Carlisle, Pennsylvania 17013 winkler@ncsa.com (717) 258-1816

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

2012 Data Breach Investigations Report

2012 Data Breach Investigations Report 2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

SECURITY CONSIDERATIONS FOR LAW FIRMS

SECURITY CONSIDERATIONS FOR LAW FIRMS SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,

More information

86-10-15 The Self-Hack Audit Stephen James Payoff

86-10-15 The Self-Hack Audit Stephen James Payoff 86-10-15 The Self-Hack Audit Stephen James Payoff As organizations continue to link their internal networks to the Internet, system managers and administrators are becoming increasingly aware of the need

More information

Corporate Security Research and Assurance Services

Corporate Security Research and Assurance Services Corporate Security Research and Assurance Services We Keep Your Business In Business Obrela Security Industries mission is to provide Enterprise Information Security Intelligence and Risk Management Services

More information

Course Title: Penetration Testing: Network & Perimeter Testing

Course Title: Penetration Testing: Network & Perimeter Testing Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics

More information

Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology

Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology The greatest threat: the Human Being Why is the Human Being the greatest threat?: The Human Being is an integrated

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Trust No One Encrypt Everything!

Trust No One Encrypt Everything! Trust No One Encrypt Everything! Business Primer March 2014 This white paper explores cloud users requirements for data access and sharing, especially in relation to trends in BYOD and personal cloud storage

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Guide to Preventing Social Engineering Fraud

Guide to Preventing Social Engineering Fraud Guide to Preventing Social Engineering Fraud GUIDE TO PREVENTING SOCIAL ENGINEERING FRAUD CONTENTS Social Engineering Fraud Fundamentals and Fraud Strategies... 4 The Psychology of Social Engineering (And

More information

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

Learning Objectives. attacks. 2. Describe the common security practices of businesses of

Learning Objectives. attacks. 2. Describe the common security practices of businesses of E-Commerce Security Learning Objectives 1. Document the trends in computer and network security attacks. 2. Describe the common security practices of businesses of all sizes. 3. Understand the basic elements

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

University of Northern Colorado. Data Security Policy for Research Projects

University of Northern Colorado. Data Security Policy for Research Projects University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration

More information

IIABSC 2015 - Spring Conference

IIABSC 2015 - Spring Conference IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber

More information

SPICE EduGuide EG0015 Security of Administrative Accounts

SPICE EduGuide EG0015 Security of Administrative Accounts This SPICE EduGuide applies to HSC information systems, specifically Administrative login accounts; (aka Admin accounts) and the faculty, staff and students who use them. Admin accounts are logon IDs and

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

Put into test the security of an environment and qualify its resistance to a certain level of attack.

Put into test the security of an environment and qualify its resistance to a certain level of attack. Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

AberdeenGroup. The Importance of Database Vulnerability Assessments. Business Value Research Series. September 2005

AberdeenGroup. The Importance of Database Vulnerability Assessments. Business Value Research Series. September 2005 e AberdeenGroup The Importance of Database Vulnerability Assessments Business Value Research Series September 2005 Executive Summary Why a Vulnerability Assessment is Important A mid all the gains of the

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Defensible Strategy To. Cyber Incident Response

Defensible Strategy To. Cyber Incident Response Cyber Incident Response Defensible Strategy To Cyber Incident Response Cyber Incident Response Plans Every company should develop a written plan (cyber incident response plan) that identifies cyber attack

More information

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Establishing a Data-Centric Approach to Encryption

Establishing a Data-Centric Approach to Encryption Establishing a Data-Centric Approach to Encryption Marcia Kaufman, COO and Principal Analyst Sponsored by Voltage Security Voltage Security: Many data breaches occur at companies that already have a data

More information

Information Technology Services Guidelines

Information Technology Services Guidelines Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...

More information

BSHSI Security Awareness Training

BSHSI Security Awareness Training BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement

More information

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Business Process: Documented By: PCI Data Security Breach Stephanie Breen Creation Date: 1/19/06 Updated 11/5/13

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information