Cloud Computing
November 09
Information Assurance Framework

ABOUT ENISA
The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for the European Member States and European institutions in network and information security, giving advice and recommendations and acting as a switchboard for information on good practices. Moreover, the agency facilitates contacts between European institutions, the Member States, and private business and industry actors.

CONTACT DETAILS:
This report has been edited by: and Internet:

Legal notice
Notice must be taken that this publication represents the views and interpretations of the editors, unless stated otherwise. This publication should not be construed to be an action of ENISA or the ENISA bodies unless adopted pursuant to ENISA Regulation (EC) No 460/2004. This publication does not necessarily represent the state-of-the-art in cloud computing and it may be updated from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for educational and information purposes only. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged.

European Network and Information Security Agency (ENISA), 2009

CONTENTS
About ENISA ... 2
Contact details ... 2
Target Audience ... 5
Methodology
1. Information Assurance Framework
2. Managing risk
3. Division of liabilities
4. Division of responsibilities
   Software as a Service
   Platform as a Service
   Infrastructure as a Service
   Application Security in Infrastructure as a Service
5. Note of caution
   Note to governments
6. Information assurance requirements
   Personnel security
   Supply-chain assurance
   Operational security
   Software assurance
   Patch management ... 14
   Network architecture controls
   Host architecture
   PaaS Application security
   SaaS Application security
   Resource provisioning
   Identity and access management
   Authorisation
   Identity provisioning
   Management of personal data
   Key management
   Encryption
   Authentication
   Credential compromise or theft
   Identity and access management systems offered to the cloud customer
   Asset management
   Data and Services Portability
   Business Continuity Management
   Incident management and response
   Physical security
   Environmental controls
   Legal requirements ... 24

TARGET AUDIENCE
The intended audience of this report are:
- Business leaders, in particular SMEs, to evaluate and mitigate the risks of adopting cloud computing technologies.
- Cloud Providers, to standardize their cloud computing service compliance process vis-a-vis laws and regulations.
- European policymakers, to decide on research policy (to develop technologies to mitigate risks).
- European policymakers, to decide on appropriate policy and economic incentives, legislative measures, awareness-raising initiatives etc vis-a-vis cloud-computing technologies.

METHODOLOGY
The key sections of this document are based on the broad classes of controls from the ISO 27001/2 and BS25999 standards. Details within these sections are derived both from the standards and from industry best practice requirements. Throughout, we have selected only those controls which are relevant to cloud providers and third party outsourcers. The detailed framework scheduled for release in 2010 is intended to include additional standards such as NIST SP

1. INFORMATION ASSURANCE FRAMEWORK
One of the most important recommendations in ENISA's Cloud Computing Risk Assessment report (see full version) is the Information Assurance Framework, a set of assurance criteria designed to:
1. assess the risk of adopting cloud services (comparing the risks of maintaining a classical organization and architecture with the risks of migrating to a cloud computing environment);
2. compare different Cloud Provider offers;
3. obtain assurance from the selected cloud providers. The preparation of effective security questionnaires for third party service providers is a significant resource drain for cloud customers and one which is difficult to achieve without expertise in cloud-specific architectures;
4. reduce the assurance burden on cloud providers. A very important risk specific to cloud infrastructures is introduced by the requirement for NIS assurance. Many cloud providers find that a large number of customers request audits of their infrastructure and policies. This can create a critically high burden on security personnel and it also increases the number of people with access to the infrastructure, which significantly increases the risk of attack due to misuse of security-critical information, theft of critical or sensitive data etc. Cloud providers will need to deal with this by establishing a clear framework for handling such requests.

The Framework provides a set of questions that an organisation can ask a cloud provider to assure themselves that they are sufficiently protecting the information entrusted to them. These questions are intended to provide a minimum baseline; any organisation may therefore have additional specific requirements not covered within the baseline. Equally, this document does not provide a standard response format for the cloud provider, so responses are in a free text format. However, it is intended to feed into a more detailed, comprehensive framework which will be developed as a follow-up to this work, allowing a consistent, comparable set of responses. Such responses will provide a quantifiable metric as to the Information Assurance maturity of the provider. The aforementioned metric is intended to be consistent across providers, allowing end user organisations to compare them.

2. MANAGING RISK
It is worth noting that although it is possible to transfer many of the risks to an externally provisioned supplier, the true cost of transferring risk is very rarely realised. For example, a security incident that results in the unauthorised disclosure of customer data may result in financial loss to the provider; however, the negative publicity, the loss of consumer confidence, and potential regulatory penalties (PCI-DSS) would be felt by the end customer. Such a scenario highlights the importance of distinguishing risk from commercial risk: it is possible to transfer commercial risk, but the true risk always remains with the end customer.

Any response to the results of a risk assessment, in particular the amount and type of investment in mitigation, should be decided on the basis of the risk appetite of the organisation and the opportunities and financial savings which are lost by following any particular risk mitigation strategy. Cloud customers should also carry out their own, context-specific risk analysis. Some of the available Risk Management / Risk Assessment methodologies can be found at:

As the business and regulatory environment changes and new risks arise, risk assessment should be a regular activity rather than a one-off event.

3. DIVISION OF LIABILITIES
The following table shows the expected division of liabilities between customer and provider.

Lawfulness of content
  Customer: Full liability
  Provider: Intermediary liability, with liability exemptions under the terms of the E-commerce Directive and its interpretation. (1)

Security incidents (including data leakage, use of account to launch an attack)
  Customer: Responsibility for due diligence for what is under its control according to contractual conditions
  Provider: Responsibility for due diligence for what is under its control

European Data Protection Law status
  Customer: Data controller
  Provider: Data processor (external)

(1) Cf. definition of information society services as provided for in Art. 2 of Directive 98/48/EC as well as Art. 2 of Directive 2000/31/EC, in conjunction with exemptions contained in Articles of Directive 2000/31/EC (e-Commerce Directive).

4. DIVISION OF RESPONSIBILITIES
With respect to security incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities. The lines of such a division will vary greatly between SaaS offerings and IaaS offerings, with the latter delegating more responsibility to the customer. A typical and rational division of responsibility is shown in the following tables. In any case, for each type of service, the customer and provider should clearly define which of them is responsible for all the items on the list below. In the case of standard terms of service (ie, no negotiation possible), cloud customers should verify what lies within their responsibility.

4.1. SOFTWARE AS A SERVICE
Customer:
- Compliance with data protection law in respect of customer data collected and processed
- Maintenance of identity management system
- Management of identity management system
- Management of authentication platform (including enforcing password policy)
Provider:
- Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc)
- Physical infrastructure security and availability (servers, storage, network bandwidth, etc)
- OS patch management and hardening procedures (check also any conflict between customer hardening procedure and provider security policy)
- Security platform configuration (firewall rules, IDS/IPS tuning, etc)
- Systems monitoring
- Security platform maintenance (firewall, host IDS/IPS, antivirus, packet filtering)
- Log collection and security monitoring

4.2. PLATFORM AS A SERVICE
Customer:
- Maintenance of identity management system
- Management of identity management system
- Management of authentication platform (including enforcing password policy)
Provider:
- Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc)
- Physical infrastructure security and availability (servers, storage, network bandwidth, etc)
- OS patch management and hardening procedures (check also any conflict between customer hardening procedure and provider security policy)
- Security platform configuration (firewall rules, IDS/IPS tuning, etc)
- Systems monitoring
- Security platform maintenance (firewall, host IDS/IPS, antivirus, packet filtering)
- Log collection and security monitoring

4.3. INFRASTRUCTURE AS A SERVICE
Customer:
- Maintenance of identity management system
- Management of identity management system
- Management of authentication platform (including enforcing password policy)
- Management of guest OS patch and hardening procedures (check also any conflict between customer hardening procedure and provider security policy)
- Configuration of guest security platform (firewall rules, IDS/IPS tuning, etc)
Provider:
- Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc)
- Physical infrastructure security and availability (servers, storage, network bandwidth, etc)
- Host systems (hypervisor, virtual firewall, etc)
- Guest systems monitoring
- Security platform maintenance (firewall, host IDS/IPS, antivirus, packet filtering)
- Log collection and security monitoring

Where cloud customers are responsible for the security of their infrastructures (in IaaS), they should consider the following:

APPLICATION SECURITY IN INFRASTRUCTURE AS A SERVICE
IaaS providers treat the applications within the customer virtual instance as a black box and therefore are completely agnostic to the operations and management of a customer's applications. The entire stack (customer application, run time, application platform (.Net, Java, Ruby, PHP etc)) is run on the customer's server (on provider infrastructure) and is managed by customers themselves. For this reason it is vitally important to note that the customer must take full responsibility for securing their cloud deployed applications. Here is a brief checklist/description relating to best practice for secure application design and management:
- Cloud deployed applications must be designed for the internet threat model (even if they are deployed as part of a VPC, a virtual private cloud). They must be designed/embedded with standard security countermeasures to guard against the common web vulnerabilities (see OWASP guides).
- Customers are responsible for keeping their applications up to date and must therefore ensure they have a patch strategy (to ensure their applications are screened from malware and from hackers scanning for vulnerabilities to gain unauthorised access to their data within the cloud).
- Customers should not be tempted to use custom implementations of Authentication, Authorisation and Accounting (AAA), as these can become weak if not properly implemented.
In summary, enterprise distributed cloud applications must run with many controls in place to secure the host (and the network; see previous section), user access, and the application level (see OWASP guides relating to secure web/online application design). Also please note that many mainstream vendors such as Microsoft, Oracle, Sun etc publish comprehensive documentation on how to secure the configuration of their products.

5. NOTE OF CAUTION
The series of questions detailed within the following section is a selection of common controls. It is not intended to be an exhaustive list; equally, certain questions may not be applicable to particular implementations. Consequently this list should be used as a baseline of common controls, and further detail should be sought where required.

NOTE TO GOVERNMENTS
The following controls are aimed primarily at SMEs assessing cloud providers. They may also be useful to governments with the following provisos. The characteristics of the cloud used should be considered carefully in relation to any government body's information classification scheme. The use of public clouds, even with favourable responses to the following questionnaire, is not recommended for anything but the lowest assurance classes of data. For higher assurance classes of data, the list of suggested checks in this report is valid but should be supplemented with additional checks. This report is not intended to cover such controls, but the following are examples of issues which should be covered:
- Does the provider offer transparent information and full control over the current physical location of all data? High assurance data is often restricted by location.
- Does the provider support the data classification scheme used?
- What guarantees does the provider offer that customer resources are fully isolated (e.g., no sharing of physical machines)?
- Assuming physical machines are not shared between customers, to what degree are storage, memory and other data traces fully erased before machines are reallocated?
- Does the provider support or even mandate physical token based 2-factor authentication for client access?
- Does the provider hold ISO 27001/2 certification? What is the scope of the certification?
- Do the products used by the provider have Common Criteria certifications? At which level? Which protection profile and security target for the product?

6. INFORMATION ASSURANCE REQUIREMENTS

6.1. PERSONNEL SECURITY
The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risks and the cost.
- What policies and procedures do you have in place when hiring your IT administrators or others with system access? These should include pre-employment checks (identity, nationality or status, employment history and references, criminal convictions, and vetting (for senior personnel in high privilege roles)).
- Are there different policies depending on where the data is stored or applications are run? For example, hiring policies in one region may be different from those in another. Practices need to be consistent across regions. It may be that sensitive data is stored in one particular region with appropriate personnel.
- What security education program do you run for all staff?
- Is there a process of continuous evaluation? How often does this occur?
  - Further interviews
  - Security access and privilege reviews
  - Policy and procedure reviews

6.2. SUPPLY-CHAIN ASSURANCE
The following questions apply where the cloud provider subcontracts to third parties some operations that are key to the security of the operation (eg, a SaaS provider outsourcing the underlying platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management or operating systems, etc). It also includes third parties with physical or remote access to the cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers.
- Define those services that are outsourced or subcontracted in your service delivery supply chain that are key to the security (including availability) of your operations.
- Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical).
- Do you audit your outsourcers and subcontractors, and how often?
- Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place?

- What measures are taken to ensure third party service levels are met and maintained?
- Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers?

6.3. OPERATIONAL SECURITY
It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreements, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorised disclosure.
- Detail your change control procedure and policy. This should also include the process used to re-assess risks as a result of changes, and clarify whether the outputs are available to end customers.
- Define the remote access policy.
- Does the provider maintain documented operating procedures for information systems?
- Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated?
- Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2).
- Specify the controls used to protect against malicious code.
- Are secure configurations deployed to only allow the execution of authorised mobile code and authorised functionality (e.g., only execute specific commands)?
- Detail policies and procedures for backup. This should include procedures for the management of removable media and methods for securely destroying media no longer required. (Depending on their business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to backups is required.)

Audit logs are used in the event of an incident requiring investigation; they can also be used for troubleshooting. For these purposes, the end customer will need assurance that such information is available:
- Can the provider detail what information is recorded within audit logs?
- For what period is this data retained?
- Is it possible to segment data within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers, and still be admissible in court?
- What controls are employed to protect logs from unauthorised access or tampering?
- What method is used to check and protect the integrity of audit logs?

- How are audit logs reviewed? What recorded events result in action being taken?
- What time source is used to synchronise systems and provide accurate audit log time stamping?

SOFTWARE ASSURANCE
- Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP, SANS Checklist, SAFECode.
- How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use?
- What practices are followed to keep the applications safe?
- Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these?

PATCH MANAGEMENT
- Provide details of the patch management procedure followed.
- Can you ensure that the patch management process covers all layers of the cloud delivery technologies, i.e., network (infrastructure components, routers and switches, etc), server operating systems, virtualisation software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)?

NETWORK ARCHITECTURE CONTROLS
- Define the controls used to mitigate DDoS (distributed denial-of-service) attacks:
  - Defence in depth (deep packet analysis, traffic throttling, packet black-holing, etc)
  - Do you have defences against internal attacks (originating from the cloud provider's networks) as well as external attacks (originating from the Internet or customer networks)?
- What levels of isolation are used? For virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.
- Does the architecture support continued operation from the cloud when the company is separated from the service provider, and vice versa (e.g., is there a critical dependency on the customer LDAP system)?
- Is the virtual network infrastructure used by cloud providers (PVLANs and VLAN tagging in an 802.1q architecture) secured to vendor and/or best practice specific standards (e.g., are MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)?
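The audit-log questions in the Operational Security section above ask what method protects the integrity of audit logs and how tampering is detected. The following is an added illustration, not code from the ENISA report, of one common answer: a keyed hash chain, where every record carries an HMAC over its own content and the previous record's tag, so that editing, reordering or deleting a record breaks the chain, and anchoring the final tag outside the log (for example, handing it to the customer) also exposes truncation. The log format, the key and the sample lines are all constructed for the demonstration.

```python
import copy
import hashlib
import hmac

# Constructed demonstration key. In a real deployment the signing key lives in an
# HSM or a separate log-signing service, never beside the log writer.
DEMO_KEY = b"demo-log-signing-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" for the first record

# Constructed sample audit records (not taken from any real system).
SAMPLE_LINES = [
    "2009-11-09T10:00:01Z tenant=acme user=alice action=login result=success",
    "2009-11-09T10:02:17Z tenant=acme user=bob action=login result=failure",
    "2009-11-09T10:02:40Z tenant=acme user=bob action=login result=success",
    "2009-11-09T10:15:03Z tenant=acme user=bob action=delete-volume vol=v-17",
    "2009-11-09T10:16:11Z tenant=acme user=alice action=logout",
]


def _tag(key, prev_tag, seq, line):
    """HMAC-SHA256 over previous tag, sequence number and record content."""
    msg = f"{prev_tag}|{seq}|{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_log(lines, key=DEMO_KEY):
    """Return chained entries: each tag depends on all earlier records."""
    sealed, prev_tag = [], GENESIS
    for seq, line in enumerate(lines):
        tag = _tag(key, prev_tag, seq, line)
        sealed.append({"seq": seq, "line": line, "prev": prev_tag, "tag": tag})
        prev_tag = tag
    return sealed


def verify_log(sealed, key=DEMO_KEY, head=None):
    """Walk the chain. Returns (True, None) if intact, else (False, position).

    `head` is an externally anchored copy of the last tag; when given, a log that
    verifies internally but stops short of it is reported as truncated.
    """
    prev_tag = GENESIS
    for pos, entry in enumerate(sealed):
        if entry["seq"] != pos or entry["prev"] != prev_tag:
            return False, pos  # record removed, reordered or inserted
        expected = _tag(key, prev_tag, entry["seq"], entry["line"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, pos  # record content or tag altered
        prev_tag = entry["tag"]
    if head is not None and not hmac.compare_digest(prev_tag, head):
        return False, len(sealed)  # tail truncated (or anchor mismatch)
    return True, None


def demo():
    """Seal the sample log and show which manipulations the chain catches."""
    sealed = seal_log(SAMPLE_LINES)
    head = sealed[-1]["tag"]  # anchor: would be handed to the customer
    results = {"intact": verify_log(sealed, head=head)}

    edited = copy.deepcopy(sealed)  # turn a failed login into a success
    edited[1]["line"] = edited[1]["line"].replace("result=failure", "result=success")
    results["edited"] = verify_log(edited, head=head)

    dropped = copy.deepcopy(sealed)  # remove the middle record
    del dropped[2]
    results["dropped"] = verify_log(dropped, head=head)

    truncated = copy.deepcopy(sealed[:-1])  # cut off the last record
    results["truncated_no_anchor"] = verify_log(truncated)
    results["truncated_with_anchor"] = verify_log(truncated, head=head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The point of the `truncated_no_anchor` case is that a hash chain alone cannot detect a log that was cut off cleanly at a record boundary; the provider has to publish or hand over the current head tag at agreed intervals for the customer to check against, and the signing key must be unavailable to the administrators whose actions are being logged, or they can simply re-seal the chain.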

HOST ARCHITECTURE
- Does the provider ensure virtual images are hardened by default?
- Is the hardened virtual image protected from unauthorized access?
- Can the provider confirm that the virtualised image does not contain the authentication credentials?
- Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance?
- Can a host-based intrusion prevention service (IPS) be run in the virtual instance?

PAAS APPLICATION SECURITY
Generally speaking, PaaS service providers are responsible for the security of the platform software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms; however, the following questions, along with other sections within this document, should be of assistance in assessing their offerings.
- Request information on how multi-tenanted applications are isolated from each other; a high level description of containment and isolation measures is required.
- What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own?
- The platform architecture should be a classic sandbox; does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities?
- PaaS providers should be able to offer a set of security features (re-useable amongst their clients); do these include user authentication, single sign on, authorisation (privilege management), and SSL/TLS (made available via an API)?

SAAS APPLICATION SECURITY
The SaaS model dictates that the provider manages the entire suite of applications delivered to end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However, the following questions, along with other sections within this document, should assist in assessing their offerings:
- What administration controls are provided, and can these be used to assign read and write privileges to other users?
- Is the SaaS access control fine grained, and can it be customised to your organisation's policy?

RESOURCE PROVISIONING
- In the event of resource overload (processing, memory, storage, network)?
- What information is given about the relative priority assigned to my request in the event of a failure in provisioning?
- Is there a lead time on service levels and changes in requirements?
- How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period?
- How fast can you scale up? Does the provider offer guarantees on the availability of supplementary resources within a minimum period?
- What processes are in place for handling large-scale trends in resource usage (eg, seasonal effects)?

6.4. IDENTITY AND ACCESS MANAGEMENT
The following controls apply to the cloud provider's identity and access management systems (those under their control).

AUTHORISATION
- Do any accounts have system-wide privileges for the entire cloud system and, if so, for what operations (read/write/delete)?
- How are the accounts with the highest level of privilege authenticated and managed?
- How are the most critical decisions (e.g., simultaneous de-provisioning of large resource blocks) authorised (single or dual, and by which roles within the organisation)?
- Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?
- Do you use role-based access control (RBAC)? Is the principle of least privilege followed?
- What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency?
- Is there an administrator role for the customer? For example, does the customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)?

IDENTITY PROVISIONING
- What checks are made on the identity of user accounts at registration? Are any standards followed? For example, the e-government Interoperability Framework?
- Are there different levels of identity checks based on the resources required?
- What processes are in place for de-provisioning credentials? Are credentials provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations?

MANAGEMENT OF PERSONAL DATA
- What data storage and protection controls apply to the user directory (eg, AD, LDAP) and access to it?
- Is user directory data exportable in an interoperable format?
- Is need-to-know the basis for access to customer data within the cloud provider?

KEY MANAGEMENT
For keys under the control of the cloud provider:
- Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc.
- Are security controls in place for using those keys to sign and encrypt data?
- Are procedures in place in the event of a key compromise? For example, key revocation lists.
- Is key revocation able to deal with simultaneity issues for multiple sites?
- Are customer system images protected or encrypted?

ENCRYPTION
- Encryption can be used in multiple places; where is it used? Data in transit, data at rest, data in processor or memory? Usernames and passwords?
- Is there a well-defined policy for what should be encrypted and what should not be encrypted?

- Who holds the access keys? How are the keys protected?

AUTHENTICATION
- What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.
- Is two-factor authentication used to manage critical components within the infrastructure, such as firewalls, etc?

CREDENTIAL COMPROMISE OR THEFT
- Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behaviour)? For example, analysis of failed and successful logins, unusual time of day, multiple logins, etc.
- What provisions exist in the event of the theft of a customer's credentials (detection, revocation, evidence for actions)?

IDENTITY AND ACCESS MANAGEMENT SYSTEMS OFFERED TO THE CLOUD CUSTOMER
The following questions apply to the identity and access management systems which are offered by the cloud provider for use and control by the cloud customer.

IDENTITY MANAGEMENT FRAMEWORKS
- Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (eg, username and password)?
- Is the cloud provider interoperable with third party identity providers?
- Is there the ability to incorporate single sign-on?

ACCESS CONTROL
- Does the client credential system allow for the separation of roles and responsibilities and for multiple domains (or a single key for multiple domains, roles and responsibilities)?
- How do you manage access to customer system images and ensure that the authentication and cryptographic keys are not contained within them?
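The Credential Compromise or Theft questions above name three signals a provider's anomaly detection should cover: patterns of failed and successful logins, logins at an unusual time of day, and multiple logins for one account. The following is an added example, not code from the ENISA report, of the minimum detection logic behind such an answer, run over a handful of constructed authentication log lines. The line format, the thresholds (five failures in ten minutes, 07:00-20:00 UTC as working hours, two hours as the window for a second source address) and the sample addresses are all assumptions chosen for the demonstration; a real deployment would derive per-user baselines rather than use fixed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log. Addresses are from documentation ranges.
SAMPLE_LOG = [
    "2009-11-09T09:01:10Z user=alice ip=198.51.100.10 result=success",
    "2009-11-09T09:05:42Z user=bob ip=198.51.100.11 result=success",
    "2009-11-09T09:30:00Z user=carol ip=198.51.100.12 result=failure",
    "2009-11-09T09:30:05Z user=carol ip=198.51.100.12 result=failure",
    "2009-11-09T09:30:09Z user=carol ip=198.51.100.12 result=failure",
    "2009-11-09T09:30:14Z user=carol ip=198.51.100.12 result=failure",
    "2009-11-09T09:30:20Z user=carol ip=198.51.100.12 result=failure",
    "2009-11-09T09:30:27Z user=carol ip=198.51.100.12 result=success",
    "2009-11-09T10:12:00Z user=bob ip=203.0.113.50 result=success",
    "2009-11-10T03:22:11Z user=alice ip=198.51.100.10 result=success",
]


def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_anomalies(lines, fail_threshold=5, fail_window=timedelta(minutes=10),
                     work_hours=(7, 20), concurrent_window=timedelta(hours=2)):
    """Return (rule, user, detail) alerts for the three signals named above.

    Events are processed in time order so the detector works identically on a
    stored log and on a live stream.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failures not yet consumed
    successes = defaultdict(list)  # user -> (timestamp, ip) of past successes

    for e in events:
        user, ts, ip = e["user"], e["ts"], e["ip"]
        if e["result"] != "success":
            failures[user].append(ts)
            continue

        # Signal 1: a burst of failures immediately followed by a success is the
        # classic shape of a guessed or sprayed password.
        recent = [t for t in failures[user] if ts - t <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append(("failures_then_success", user,
                           f"{len(recent)} failures within {fail_window} before success from {ip}"))
        failures[user] = []

        # Signal 2: successful login outside the assumed working-hours window.
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append(("off_hours_login", user, f"success at {ts.isoformat()}Z from {ip}"))

        # Signal 3: the same account logging in from a different address within
        # a short window, which a stolen credential in use alongside the owner produces.
        other_ips = sorted({i for t, i in successes[user]
                            if ts - t <= concurrent_window and i != ip})
        if other_ips:
            alerts.append(("multiple_source_ips", user,
                           f"{ip} within {concurrent_window} of {other_ips}"))
        successes[user].append((ts, ip))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(SAMPLE_LOG):
        print(f"{rule:22s} {user:8s} {detail}")
```

On the sample log this flags carol's five failures followed by a success, bob's second login from a new address 67 minutes after the first, and alice's 03:22 login. The evidence each alert carries (user, address, timestamps) is what the next question in the section asks for: it is the material the provider needs in order to revoke the credential and to show the customer what the compromised account did.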

AUTHENTICATION
- How does the cloud provider identify itself to the customer (ie, is there mutual authentication)?
  - when the customer sends API commands?
  - when the customer logs into the management interface?
- Do you support a federated mechanism for authentication?

6.5. ASSET MANAGEMENT
It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud provider's control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into the infrastructure.
- Does the provider have an automated means to inventory all assets, which facilitates their appropriate management?
- Is there a list of assets that the customer has used over a specific period of time?
The following questions are to be used where the end customer is deploying data that would require additional protection (i.e., deemed as sensitive).
- Are assets classified in terms of sensitivity and criticality?
- If so, does the provider employ appropriate segregation between systems with different classifications, and for a single customer who has systems with different security classifications?

6.6. DATA AND SERVICES PORTABILITY
This set of questions should be considered in order to understand the risks related to vendor lock-in.
- Are there documented procedures and APIs for exporting data from the cloud?
- Does the vendor provide interoperable export formats for all data stored within the cloud?
- In the case of SaaS, are the API interfaces used standardised?
- Are there any provisions for exporting user-created applications in a standard format?
- Are there processes for testing that data can be exported to another cloud provider, should the client wish to change provider, for example?
- Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider?

6.7. BUSINESS CONTINUITY MANAGEMENT
Providing continuity is important to an organisation. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations.
- Does the provider maintain a documented method that details the impact of a disruption?
- What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service.
- Are information security activities appropriately addressed in the restoration process?
- What are the lines of communication to end customers in the event of a disruption?
- Are the roles and responsibilities of teams clearly identified when dealing with a disruption?
- Has the provider categorised the priority for recovery, and what would be the end customer's relative priority for restoration? Note: this may be a category (HIGH/MED/LOW).
- What dependencies relevant to the restoration process exist? Include suppliers and outsource partners.
- In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site?

INCIDENT MANAGEMENT AND RESPONSE
Incident management and response is part of business continuity management. The goal of this process is to contain the impact of unexpected and potentially disruptive events to a level acceptable to the organisation. To evaluate the capacity of a provider to minimise the probability of occurrence, or to reduce the negative impact, of an information security incident, the following questions should be put to the cloud provider:
- Does the provider have a formal process in place for detecting, identifying, analysing and responding to incidents?
- Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider's support organisation is aware of the processes and of their roles during incident handling (both during the incident and in post-incident analysis)?
- How are the detection capabilities structured?
- How can the cloud customer report anomalies and security events to the provider?
- What facilities does the provider allow for customer-selected third-party RTSM services to intervene in their systems (where appropriate), or to co-ordinate incident response capabilities with the cloud provider?
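The RPO/RTO and recovery-priority questions in the business continuity section above are only useful if the customer can check the provider's answers against what actually happened during a disruption. The following script is an added example written for this edit; it is not part of the ENISA framework and not a provider's tool. It takes the provider's stated RPO/RTO targets per recovery category (HIGH/MED/LOW) together with a post-incident timeline, computes the RPO and RTO actually achieved for each service, flags breaches, and checks that lower-priority services were not restored ahead of higher-priority ones. The target values, service names and timestamps are constructed for illustration; a real assessment takes them from the provider's SLA, BCM documentation and incident report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Recovery targets per restoration priority category (HIGH/MED/LOW, the kind of
# category the framework says a provider may assign). The values are constructed
# for this example; in practice they come from the provider's SLA / BCM plan.
TARGETS = {
    "HIGH": {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "MED": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "LOW": {"rpo": timedelta(hours=24), "rto": timedelta(hours=24)},
}
PRIORITY_RANK = {"HIGH": 0, "MED": 1, "LOW": 2}


@dataclass(frozen=True)
class DisruptionRecord:
    """What a provider's post-incident report should let the customer reconstruct."""
    service: str
    priority: str                   # provider's recovery category for this service
    last_recovery_point: datetime   # last consistent backup/replica before the outage
    disruption_start: datetime
    service_restored: datetime


def achieved_rpo(rec: DisruptionRecord) -> timedelta:
    """Data actually lost: gap between the last usable recovery point and the outage."""
    return rec.disruption_start - rec.last_recovery_point


def achieved_rto(rec: DisruptionRecord) -> timedelta:
    """Downtime actually incurred by the service."""
    return rec.service_restored - rec.disruption_start


def evaluate(records):
    """Compare each service's achieved RPO/RTO against the target for its category."""
    results = {}
    for rec in records:
        target = TARGETS[rec.priority]
        rpo, rto = achieved_rpo(rec), achieved_rto(rec)
        results[rec.service] = {
            "priority": rec.priority,
            "achieved_rpo": rpo,
            "achieved_rto": rto,
            "rpo_met": rpo <= target["rpo"],
            "rto_met": rto <= target["rto"],
        }
    return results


def recovery_order_violations(records):
    """Pairs (earlier, later) where a lower-priority service came back before a higher one."""
    by_restore_time = sorted(records, key=lambda r: r.service_restored)
    violations = []
    for i, earlier in enumerate(by_restore_time):
        for later in by_restore_time[i + 1:]:
            if PRIORITY_RANK[earlier.priority] > PRIORITY_RANK[later.priority]:
                violations.append((earlier.service, later.service))
    return violations


# Constructed incident timeline (not real provider data): one disruption at 10:00.
T = datetime(2009, 11, 9, 10, 0)
SAMPLE_RECORDS = [
    DisruptionRecord("payments", "HIGH", T - timedelta(minutes=10), T, T + timedelta(minutes=45)),
    DisruptionRecord("reporting", "MED", T - timedelta(minutes=90), T, T + timedelta(hours=3)),
    DisruptionRecord("archive", "LOW", T - timedelta(hours=22), T, T + timedelta(hours=2, minutes=30)),
]


if __name__ == "__main__":
    for service, r in evaluate(SAMPLE_RECORDS).items():
        print(f"{service:10} {r['priority']:4} RPO {r['achieved_rpo']} met={r['rpo_met']} "
              f"RTO {r['achieved_rto']} met={r['rto_met']}")
    print("recovery order violations:", recovery_order_violations(SAMPLE_RECORDS))
```

In the constructed timeline the "reporting" service meets its RTO but misses its RPO (90 minutes of data lost against a one-hour target), and the LOW-priority "archive" service was restored before the MED-priority "reporting" service, which is the kind of discrepancy to raise with the provider when its stated recovery priorities and its actual restoration sequence disagree.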
