1 THE UNITED REPUBLIC OF TANZANIA MINISTRY OF FINANCE ICT SECURITY GUIDELINES DECEMBER, 2012 PERMANENT SECRETARY, MINISTRY OF FINANCE, P.O BOX 9111, DAR ES SALAAM.
2 FOREWORD The Information and Communication Technology (ICT) development and its wide utilization across the world have made ICT to be used as strategic tool to achieve social economic development goals globally. Increasing capacity of ICT has further been empowered by the growth of a global network of computer networks i.e. the Internet. It has impacted the way business is conducted, facilitated learning and knowledge sharing, generated global information flows, empowered citizens and communities in ways that have redefined governance, and has created significant wealth and economic growth and hence resulting in a global information society. By recognizing the impact of ICT in achieving ministerial objectives, the Ministry of Finance (MoF) has deployed several ICT systems for effective and efficient service delivery. Some of these systems can only be accessed internally while others outside the Ministry. The Ministry further understands that ICT systems are vulnerable to attacks and there are security threats which need mechanisms to protect organizational ICT resources against the threats and attacks. In addition, improper handling (collection, storage, processing and transmission) of organizational data would infringe rules and regulations governing data confidentiality, integrity and availability. Moreover, the Ministry had formulated the Ministerial ICT Steering Committee in the year 2010 to oversee proper utilization of ICT resources in the Ministry as well as monitor all ICT activities while ensuring that they are conducted according to the best practices. Thus, this Guide provides mechanisms for securing information systems assets (personnel, data, hardware, software and communication channels). In addition, it provides guidance on how to handle third party access to organizational resources without compromising organizational security. Further, MoF ICT Security guidelines are intended to harmonize the idea put forward in the two drafted ICT policy documents namely the MoF IT Policy Draft developed in 2006 by Financial Information Systems Management Page i
3 Department as well as the Integrated Financial Management Systems Network Security Policy Version 1 developed by the Accountant General s Department. The Guidelines put forward best practice when using the Ministry of Finance computing resources. These Guidelines are in line with the National ICT Policy 2003, National Security Act 1970, Government Circular Number 1 of 2011 of Chief Secretary, and other relevant Government circulars that aim at creating a secured environment that would enhance service delivery while protecting organizational resources. It should be clear that, in a scenario where an employee or non-employee fails to comply with these Guidelines; Disciplinary measures will be taken against him/her as per Public Service Acts, Regulations, Circulars and other Government Directives. PERMANENT SECRETARY TREASURY/MINISTRY OF FINANCE Page ii
4 TABLE OF CONTENTS DEFINITION OF TERMS... ix 1. INTRODUCTION Background Purpose Scope Disclaimer PHYSICAL AND ENVIRONMENTAL SECURITY Measures against Fire Measures against Floods Air Conditioning Power Outage Measures against Theft ACCESS CONTROL Physical Access Control Logical Access Control Managing User Profiles Managing Network Access Controls Controlling Administrative Access or Special Access Passwords Management Controlling Remote User Access Clear Screen Logon and Logoff from Computer Page iii
5 4. DATA AND INFORMATION SECURITY Data Collection, Entry and Processing Data Storage Data Access Transfer and Exchanges of Information Security of Media in Transit Data Retention and Disposal Using Live Data for Testing NETWORK, INTERNET AND SECURITY Network Security Wireless Network Security Management Controls Network Design and Technical Controls Client Controls Internet Security Security Protection against Cyber Attacks Protection against Computer Viruses and Malicious Code Responding to Virus Incidents Protecting Against Internal Attacks (Insider Threats) SOFTWARE SECURITY MANAGEMENT Software Acquisition Software Deployment Software Customization Page iv
6 6.4 Software Usage Systems Integration and Interoperability Software Change Management Implementing New or Upgraded Software Applying Patches/Service Packs Responding to Vendor Recommended Upgrades to Software Capacity Planning and Testing Parallel Running Emergence Request Change BUSINESS CONTINUITY MANAGEMENT Risk Management Risk Identification Risk Assessment Risk Evaluation Risk Treatment Risk Monitoring and Review Incident Management Disaster Recovery Planning Back-up and Restoration Procedures MANAGEMENT OF THIRD PARTIES Third Party Verification Outsourcing Cloud Computing Services Equipment Leasing Page v
7 8.5 Maintenance and Support Services Internet Service Provider Third Party Contract Management TRAINING, AWARENESS AND SUPPORT Technical User End User Temporary Employees and Trainees Security Awareness Program User Support HARDWARE RETENTION AND DISPOSAL PERSONNEL SECURITY Segregation of Duties Personnel Management Employee Engagement Employee Workplace Practices User Account Termination MONITORING AND EVALUATION REFERENCES Page vi
8 ACRONYMS AND ABBREVIATIONS AMP Aid Management Platform BCP Business Continuity Plan CCTV Closed Circuit Television System CD Compact Disk CS-DRMS Commonwealth Secretariat - Debt Recording and Management System DAHRM Director of Administration and Human Resource Management DHCP Dynamic Host Configuration Protocol DMZ Demilitarized Zone DNS Domain Name System/Domain Name Service DoS Denial-of-Service DRS Disaster Recovery Site DVD Digital Versatile/Video Disc GoT Government of Tanzania ICT Information and Communication Technology IDS Intrusion Detection Systems IFMS Integrated Financial Management System IP Internet Protocol IPX Internet Protocol Exchange IPS Intrusion Prevention Systems ISP Internet Service Provider LGAs Local Government Authorities MAC Media Access Control MDAs Ministries, Independent Departments and Agencies MoF Ministry of Finance NIDS Network Intrusion Detection Systems NIPS Network Intrusion Protection Systems PC Personal Computer PCMCIA Personal Computer Memory Card International Association Page vii
9 PDA Personal Digital Assistant PO-PSM President s Office - Public Service Management VPN Virtual Private Network SBAS Strategic Budget Allocation System SLA Service level Agreement SSID Service Set Identifier RFC Request for Comments TCRA Tanzania Communications Regulatory Authority TLS/SSL Transport Layer Security/Secure Socket Layer UPS Uninterruptible Power Supply User ID User Identification HR Human Resource Page viii
10 DEFINITION OF TERMS Cloud computing - is a technology that uses the internet and central remote servers to maintain data and applications. Computer viruses - is a relatively small software program that is attached to another larger program for the purpose of gaining access to information or to corrupt information within a computer system. Cryptography - The art of protecting information by transforming it (encrypting it) into an unreadable format called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text. Cyber attack - is a term for any illegal activity that uses a computer as its primary means of commission. Data availability - refers to how available data is when stored in some form, usually in reference to remote storage of data through a network or external storage media. Data confidentiality - means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Data integrity - is a term used to refer to the accuracy and reliability of data. Encryption- is the conversion of data into a form, that cannot be easily understood by unauthorized people unless to the intended recipient with a proper coding key. End user- is the person that a software program or hardware device is designed for. ICT unit is defined in this document as the unit that coordinates and manages ICT services in the Ministry. Page ix
11 Malicious code - refers to a broad category of software threats that can cause damages or undesirable effect to computers or networks. MoF disclaimer - A statement intended to specify or delimit the scope of rights and obligations that may be exercised and enforced by parties in a legally recognized relationship. Phishing attack - The act of sending to a user falsely claims to be an established legitimate enterprise in an attempt to steal users private information that will be used for theft. Spam - is unsolicited commercial advertisements distributed online. Electronic junk mail or junk newsgroup postings. Temporary employee is an employee who works for only a limited period of time. Insider threat is a malicious hacker who is the current or former employee, contractor, business partner of the institution obtains access to the computer systems or networks and then conducts activities intended to cause harm to the institution. System abuse can be defined as using the rules and procedures meant to protect a system in order, instead, to manipulate the system for a desired outcome. Access Protocol A protocol used between an external subscriber and a switch within a network. Page x
12 1. INTRODUCTION 1.1. Background Due to the benefits brought by ICT to the modern functioning of the Government, Ministry of Finance has been using ICT to deliver services to the public since 1965 ranging from revenue collection and external resources management. Other activities which follow the same suite are planning, budget formulation and preparation of payroll and pension management to name the few. The Ministry has invested in the development of shared ICT infrastructure consisting of structured wired and wireless technologies to most of its buildings located at the head office and remote offices including other organizations. Also, the Ministry has invested on various software technologies such as IFMS (Epicor), Payroll system, CS-DRMS, AMP and SBAS. Others include software for office application, communication and collaboration. The Ministry s commitment to use ICT to improve service delivery to the public faces many security challenges brought by the technology advancement. To address information security issues, the Ministry of Finance has developed two documents, the first versions of IT Policy and IFMS Network Security Policy. Furthermore, MoF has been implementing Circulars and Regulations issued by the Government of Tanzania on proper use of ICT facilities and confidentiality of data, including Circular No. 5 and No. 6 of 2009 issued by the Permanent Secretary, President s Office Public Service Management (PO-PSM). As ICT systems continue to be deployed, it is imperative that necessary policies, guidelines and operational procedures be put in place to ensure their proper usage, management, administration and security. In addition, the increasingly rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats and the Page 1
13 presence of intrinsic vulnerabilities, present demanding challenges for maintaining the security of ICT systems and networks. In response to these challenges, formulation of Information Security Guidelines is essential to ensure adequate levels of security to facilitate proper use of ICT facilities, as well as compliance with pertinent circulars and regulations governing the use of ICT facilities Purpose The main purpose of these Guidelines is to provide framework for selecting, implementing, and managing ICT security services by guiding the organization on how to manage ICT assets. Moreover, the Guide intends to protect both the data stored and processed within MoF computer systems together with the services provided by these systems for the purpose of protecting information confidentiality, integrity and availability. In addition, the Guide aims at creating a unified environment of handling ICT security issues for all MoF staff and people who access MoF s information systems resources. It also guides on issues to consider while developing agreements that define the service levels for service providers. Furthermore, the Guide provides information for decision makers and other relevant parties on security issues for the purpose of obtaining comprehensive ICT security services. Therefore, this document is meant to translate National ICT Policy 2003, Public Service Act 2002 and existing circulars into implementation in the form of guidelines which are easy to follow on the day to day operations. Page 2
14 1.3. Scope This Guide applies to all MoF employees, including all officers, support staff, temporary staff, partner agency staff, contractors and all users from MDA s/lga s using MoF computer services (e.g IFMS). All staffs are required to adhere to these Guidelines to ensure that desired level of ICT security is achieved and maintained. This document addresses security considerations in the following major areas: i. Physical and environmental working areas. ii. ICT resource access control iii. Data and information security iv. Network and its services (e.g. ) v. Software deployment and use vi. Business continuity management vii. Third party management viii. Training, awareness and support ix. Hardware retention and disposal x. Personnel security xi. Monitoring and evaluation The Guide will be reviewed from time to time and when the need arises in order to address new technological challenges and new business practices Disclaimer This document is expected to provide guidance on the proper use of ICT facilities in MoF, it is not by any way exhaustive and the proper use of ICT facilities is not limited to what is documented here in. 2. PHYSICAL AND ENVIRONMENTAL SECURITY Physical and Environmental security aims at protecting MoF s ICT facilities i.e. Hardware, software, data and communication infrastructure from Page 3
15 unauthorized access, hazards, intentional or unintentional damage, as well as theft. Breach of physical and environmental security may lead to loss of confidentiality, integrity, and availability of information systems assets. To prevent such loss, measures such as adequate air conditioning, fire detection and suppression systems, reliable power supplies, controlling physical access and suitable emergency preparedness should be in place. The envisaged measures are as follows: 2.1 Measures against Fire i. Rooms that host servers should be non-smoking zones, fireproof, fitted with smoke detectors and have automatic or portable fire extinguisher systems. ii. Smoke detectors and fire extinguishers should be regularly tested to ensure that they are in good order and all tests have to be documented. iii. Materials which can easily catch fire should be disposed of and those documents which are still in use should be stored in a secure place. iv. Activities such as rewiring, welding or cutting, undertaken as part of structural changes to the premises, should be monitored by ICT staff, so long as there is proof of safety of new wiring required. v. Clear fire instructions should be available and in the event of fire, these instructions should be followed. vi. Regular fire practices (fire drills) should be conducted frequently. The head of administration and human resource department in collaboration with the ICT unit will ensure the implementation of the above measures. 2.2 Measures against Floods i. Servers should be well mounted on racks and other equipment should be kept off the ground, placed on tables or desks. ii. Clear flood instructions should be available and in the event of flood, Page 4
16 iii. these instructions should be followed. All water tanks and plumbing at MoF premises should be inspected regularly to prevent leaks and overflow of water. All inspection reports should be well kept for future reference. The head of administration and human resource department in collaboration with the ICT unit will ensure the implementation of the above measures. 2.3 Air Conditioning i. The Server rooms and computer rooms should be adequately air conditioned to provide conducive environment for the ICT equipment. ii. The air conditioners should be serviced regularly to ensure continuous performance. iii. Air conditioning failure should be reported for immediate remedial measures. The head of the ICT unit will be responsible for the air conditioning measures. 2.4 Power Outage To ensure ICT services availability, alternative power sources such as Uninterruptible Power Supplies (UPS) and generators should be used to provide continuous power supply based on the following requirements: i. UPS should be installed as appropriate to all ICT facilities. ii. Specialized UPS of appropriate capacity should be installed in all server rooms. iii. Non-critical electrical equipment, especially high power consumption equipment such as photocopiers, printers and kettles should not be connected to UPS sockets. iv. A generator of appropriate capacity should be serviceable at all times as backup power supply in the event of power outage. The head of administration and human resource department in collaboration Page 5
17 with the ICT unit will be responsible for ensuring power supply. 2.5 Measures against Theft i. Non-MoF employees should not use MoF ICT resources without prior relevant written authority. ii. Internal movement of ICT equipment owned by MoF should be authorized by the relevant authority in written form. Proper record should be kept for such movements. iii. Moving ICT equipment owned/leased by MoF outside the premises should follow laid down procedures. iv. Appropriate locks on windows and doors should be maintained. Doors should be kept locked when rooms are not in use. Secure system for keys and combinations should be maintained. In the event of security breach, compromised lock should be changed. v. Alternative physical security strategies should be used when appropriate. vi. All legitimate visitors should be logged at the entrance to MoF building and must declare ICT equipment. vii. All staff must declare personal ICT equipment at the entrance. The head of administration and human resource department will ensure the implementation of the above measures. Note: To avoid ICT equipment and information loss, it is prohibited to bring personal ICT equipment within MoF premises unless permission from the authority is granted. Page 6
18 3. ACCESS CONTROL Access control includes measures that need to be taken to control user access to computing areas and their associated systems. This is categorized into two areas namely physical access and logical access. 3.1 Physical Access Control Both Server and Computer rooms should be protected against unauthorized access. The authorization of access to Computer and Server Rooms, and Disaster Recovery Site should base on the following requirements: i. Normal hours of entry for the Computer and Server Rooms will be limited to approved times. ii. Staff/Visitors authorized to enter the Server and Computer rooms should be accompanied by designated officer. Visitors should be logged in the register book. iii. All staff should be trained on how to observe access procedures. iv. Visitors should display visitors pass at all times. v. ID cards and keys should not be shared or exchanged. vi. All staff who have their access rights withdrawn should return the ID cards to Permanent Secretary-Treasury/MoF. 3.2 Logical Access Control Managing User Profiles Access to the Computer systems should be authorized by the relevant authority, or appropriate delegated officer. Access to any particular data file should be based on the user s roles as established by his or her official duties, and should be reflected in the provision of specific authorization codes, passwords or other access-enabling means. i. Users should be issued Unique User IDs that are produced following a Page 7
19 standard naming convention. ii. Before being granted logical access, users should complete a User Access Permission Application Form that defines access privileges. The user permission application form is attached as appendix A. iii. Users should be granted access and privileges based on their roles. iv. Changes to Access Rights should only be made under authorization of the relevant authority. v. Designated Systems administrator should review and maintain User Access Profiles. vi. Privileges should be allocated to network and/or application software accounts on an 'as needs' basis. i.e. no more access should be offered than is necessary to carry out the user s needs. vii. User account names should not indicate their associated privileges. viii. The default password for an account should be constructed in accordance with systems password policy. ix. Working groups or teams should be assigned their own access profile with specific network resource access. Individual users allocated to such groups should be given an account linked to that access profile Managing Network Access Controls i. Access to resources on the systems network should be restricted unless specifically authorized. ii. Users are expressly forbidden from making unauthorized alterations or extensions to the network. iii. A register of network devices, their access restrictions and the protocols in use should be kept by the Network Administrator. iv. All changes to network configurations should be recorded in the register, along with authorization for the changes. v. Users should be permitted to use only those network addresses issued to them by the relevant authority. vi. Virtual networks should be set up for specific groups of users. These Page 8
20 groups should have Group User Access Profiles, on which the user access profiles of individual team members should be based. vii. Users inside MoF network should not be allowed to use devices which connect to external networks, for example, the use of modem to connect to the internet. viii. Remote MoF users should connect to servers using a secure communication channel such as Virtual Private Network on dedicated communications lines with end-to-end encryption. ix. Network devices and traffic should be monitored regularly. x. Results/Logs from the firewall should be reviewed by ICT security officer to confirm there have been no unexpected attempts to connect. xi. Users should not extend or re-transmit network services and traffic in any way i.e. they should not install a router, switch, hub, or wireless access point to the systems network without being approved. xii. Users should not install network hardware or software that provides network services without being approved. xiii. Computers that require network connectivity should conform to systems standards. xiv. Users with administrative privilege should not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, system users should not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the system network infrastructure. xv. Users are not permitted to alter network hardware in any way Controlling Administrative Access or Special Access Employees with administrative access or special access privileges to the system are subject to additional controls for creation, use, monitoring and removal of their user access profiles based on the following requirements: i. MDAs, LGAs and Regional Sub-Treasuries should submit to a relevant Page 9
21 ii. Authority a list of administrative contacts for their systems that are connected to the MoF systems network. All users of administrative or special access accounts are given account management instructions, documentation, training, and authorization and should meet the Systems Password Policy Passwords Management The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines. In particular, passwords should not be shared with any other person for any reason. i. Passwords should be chosen by the user not by the systems administrator. Where this is not practical, the password should be generated and the user should be forced to change the password at first logon. ii. Users should sign User Access Permission Application Form that a password has been received, that it will be kept secret, and changed frequently. iii. Disclosure of passwords is prohibited. iv. Paper based records of passwords of systems super user should be placed in a sealed envelope, signed by two authorized persons across the seal, and keep it in a locked, fireproof safe. v. Passwords should be changed the moment that a breach of confidentiality is suspected Controlling Remote User Access Remote access control procedures should provide adequate safeguards through robust identification, authentication and encryption techniques based on the following requirements. i. If an authorized user fails to gain access through the secure Page 10
22 ii. communication channel such as VPN, this should be immediately reported to the ICT unit for investigation. Remote User accessing MoF systems should be authenticated by remote access server Clear Screen All users of workstations, PCs and laptops with access to system, or containing related files, should ensure that their screens are clear of data when not in use. Moreover, user computers should be set so that they automatically switch to a standby mode after a period of inactivity. A password should be needed to regain access to the screen Logon and Logoff from Computer To avoid Information security breaches, users should lock or log off their computers while they are not in use. If a user is unable to log on, it might indicate that someone has achieved unauthorized access using that user s name and password. Where the 'User Logon Register' or operator/administrator logs show incorrect or unusual entries, it could indicate that data has been accessed and therefore possibly lost or stolen. The following requirements should be adhered to: i. Every user should ensure that their user name and password are kept secret. ii. If users are unable to logon to the system and denied service, they should double-check that the user name and password are correct and ensure that they are not still logged on elsewhere on the system. iii. If users are still unable to log on, they should immediately inform their systems administrator. They should not ask to borrow the user name and password of another user in order to log on. iv. Users should ensure that they log off and shut down, if they expect to be away from their desk or work area for a prolonged period and at the end of the working day before they leave office premises. Page 11
23 v. Designated Systems Administrator should monitor the 'User Logon Register' or operator/administrator logs for unusual entries. vi. Designated Systems Administrator should disable any suspicious logon. vii. Designated Systems Administrator should report inability of users to log on to the designated Information Security Officer. viii. Designated Systems Administrator should double check that users have logged off at the end of the working day. ix. Users should ensure that they log off computer workstation before leaving their desk. ICT unit will be responsible for both physical and logical access control measures. Page 12
24 4. DATA AND INFORMATION SECURITY Data security is a critical responsibility for every institution. Every piece of data can be of value to fraudsters as they can access multiple sources of information and aggregate it. It is therefore, necessary that, MoF data and information is protected from unauthorized access, loss, misuse, destruction and falsification. This section provides guidelines pertaining to data and information handling that includes data collection, storage, processing and transmission as stipulated in the Government Circular number Data Collection, Entry and Processing All processes of data collection, data entry and processing should be done in such a way that the records collected and captured are correct and complete. Data captured should then be validated for accuracy by relevant departments/units Data Storage i. All users of information systems should save their work on the system regularly. ii. When information and data is stored on local disks (e.g. notebook computers), they should be backed up to the server regularly. It is the responsibility of the user to ensure that this takes place on a regular basis Data Access i. Authentication and authorization functions should be used for all users of MoF electronic data and information resources. ii. Procedures to manage access, authentication and authorization should be developed to support and manage these activities. Such processes Page 13
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
MEMORANDUM TO: FROM: RE: Employee Human Resources MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY Please find attached the above referenced policy that is being issued to each
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
AASTMT Acceptable Use Policy Classification Information Security Version 1.0 Status Not Active Prepared Department Computer Networks and Data Center Approved Authority AASTMT Presidency Release Date 19/4/2015
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file
IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure
Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls
To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information
A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. email@example.com, firstname.lastname@example.org
City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 Purpose and Intent The City of Boston recognizes the importance
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
Cyber Security Awareness User IDs and Passwords Home Computer Protection Protecting your Information Firewalls Malicious Code Protection Mobile Computing Security Wireless Security Patching Possible Symptoms
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology email@example.com Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers
Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail
Description Course Summary This course provides students with the knowledge and skills needed to isolate, document and resolve problems on a Windows 7 desktop or laptop computer. It will also help test
Technology Department 1350 Main Street Cambria, CA 93428 Technology Acceptable Use and Security Policy The Technology Acceptable Use and Security Policy ( policy ) applies to all CUSD employees and any
ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure MANUAL: Hospital Wide SECTION: Information Technology SUBJECT: Acceptable Use of Information Systems Policy IMPLEMENTATION: 01/2011 CONCURRENCE:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...