State of Oregon. State of Oregon 1

Size: px
Start display at page:

Download "State of Oregon. State of Oregon 1"

Transcription

1 State of Oregon State of Oregon 1

2 Table of Contents 1. Introduction Information Asset Management Communication Operations Workstation Management Log management Information Systems Acquisition, Development and Maintenance Encryption Information Systems Development Life Cycle State of Oregon 2

3 1. Introduction Department of Administrative Services (DAS) has established Statewide Information Security Standards for information systems security. To facilitate agency compliance with the information security standards, DAS hosted a security workshop for agency participation in the development of technical roadmaps. Scope The security workshop roadmap discussions were on selected information security standards. The information security standards which were discussed and roadmaps developed with active agency participation include: Standard Audit of Access Control Standard 2.1 Protection of information assets standards Standard 3.3 Workstation Management and Desktop Security Standard 3.9 Log Management Standard 4.4 Encryption Standard 4.6 Patch Management Standard 4.8 Information System Life Cycle Considering the dependencies among the different standards, Standard 1.5 Audit of Access Control and 3.9 Log Management tracks have been combined into one roadmap Standard Patch Management and 3.3 Workstation Management and Desktop Security have been combined into one roadmap Following roadmaps have been developed based on discussions with the agency participants, interdependencies and work steps required for compliance with individual standards. Recommendations: As agencies experience reduced funding and resources it may be appropriate to evaluate using some enterprise DAS services workstation management, log management, encryption, patch management, etc. DAS facilitates agency discussions on sharing compliance strategies. DAS facilitates agency discussions on enterprise master contracts for security tools encryption, log management, etc. State of Oregon 1

4 2. Information Asset Management 2.1 Management Roadmap 7 weeks 10 weeks on agency On going Develop Project Plan for implementation of information Security Standard 2.1 Develop Design/Architecture Documentation Rollout Plan for Implementation Phased Rollout Audit and Assessment 2.2 Prerequisites Information Asset Classification Agencies need to be compliant with Statewide Information Asset Classification (IAC) policy (effective 7/30/2007), purpose is to ensure State of Oregon information assets are identified, properly classified, and protected throughout their lifecycles. - Plan for identifying, classifying and protecting information assets needs to be in place - All information should have been identified, classified and ownership defined. A log management process and solution needs to be in place to achieve compliance with Standard Protection of Information Assets deployment. Established Encryption Management capability, including key management needs to be in place. Assumes project management structures are in place. State of Oregon 2

5 2.3 Technical Roadmap Information Asset Management 2.1 Protection of Information Assets Ongoing Deploy Design Planning Review current policies for compliance with IAC Conduct a risk assessment to identify and assess risk to all information systems Develop a prioritization based on system risk 2 Weeks 3 Weeks 2 Weeks Perform a gap analysis of current access provisioning, access management and logging systems on information systems based on ISO and Develop architectural designs Develop Rollout plan, phased based on risk profile of information systems 7 Weeks 3 weeks Develop audit and assessment plan Implement or configure access control on all systems Achieve Compliance with and Develop process for disposal of information systems in compliance with Policy# Achieve Compliance with and Develop continuous monitoring and alerting capability 2 Weeks Dependant on Agency compliance with Standards 4.4 Encryptions and 3.9. Log Management Standards State of Oregon 3

6 2.4 Technical Roadmap Major Work Streams The following table articulates the major activities per work stream. Furthermore, it provides an estimation of overall time to complete a task and the phase (illustrated in the roadmap) the activities should be performed. Phases Planning Key Activities Develop the project charter for the Protection of Information Assets, which define the mission, vision and scope and obtain approval Review current agency policies for compliance with Information Asset Classification statewide policy (effective 7/30/2007). Conduct risk assessment to identify and assess risk to all information systems. - Assessment of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization Duration of Time 3 weeks Design Deploy Develop a prioritization based on system risk identified. - Prioritize the list of information assets as critical, essential and normal. Prioritization criteria should include characteristics like criticality, impact, costs of a failure, publicity, legal and ethical issues, etc. It will be important to establish a common understanding of the criteria. - Priority should be based on the information systems and information assets constrained in them. Priority should first be on level 3 and level 4 information assets first - Consult with DAS for assistance on logging, and monitoring controls required Perform a gap analysis of current access provisioning, access management and logging systems on information systems based on ISO and Develop architectural designs - Gap analysis is a process where the current state vs. the desired state for a process, system is prepared. The differences between the current state and the desired state are called gaps. These gaps then become the basis for prioritization, planning and basis for action to move to the desired state. Develop Rollout plan, phased based on risk profile of information systems and gaps analysis - The Rollout Plan is all about tactical execution. Including Names, dates, milestones, control gates, etc. - Detailed Work Breakdown Structure with dates and GANTT charts showing dependencies and progress are of tremendous value Implement or configure access control on all systems - Depending on the information asset stored /processed and its classification, access controls need to be in place to prevent unauthorized changes and unauthorized viewing. 7 weeks 3 weeks State of Oregon 4

7 Achieve Compliance with and With the implementation of the access controls for preventing unauthorized access and unauthorized changes for all information systems storing and processing all information levels 1-4, agency will be able to achieve compliance with and : Access control shall be in place to prevent unauthorized changes. Access logging shall be in place to identify what was changed and who changed it in accordance with the Access Control standards in section : Access control shall be in place to prevent unauthorized viewing. Access logging shall be in place to identify unauthorized attempts. - Work towards compliance with Standard 1.5 Audit of Access Controls. Develop processes for disposal of information systems in compliance with Statewide Sustainable Acquisition and Disposal of Electronic Equipment Policy# Ongoing Critical Path - Continuation of the work stream is dependent on Agency compliance with Standards 4.4 Encryptions and 3.9. Log Management Standards. Access logging should be enabled. Achieve Compliance with and Information should be encrypted at rest and in transit in accordance with the Encryption Standards in section Log review process in compliance with Standard 3.9 Log Management Standard needs to be in place. - Logs should be regularly reviewed and analyzed for indications of unauthorized or unusual activity. Suspicious activity shall be investigated, findings reported to appropriate management, and necessary follow-up actions taken Develop audit and assessment plan - Define security requirements, audit, monitor, report, and ensure that Information Security contribute to more effective compliance with current and emerging organizational and regulatory obligations. Monitor effectiveness of investments and reassess - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization Table 2.4 Information Asset Management Major Work Streams Ongoing State of Oregon 5

8 2.5 Technical Roadmap Resource Considerations The following table articulates estimated resource considerations for this function. Phases Type of Resource Hour Estimates Planning Agency Management 4 hours for meetings ISO 40 hours a week for 7 weeks 40 hours a week for 7 weeks Design IT Analyst 40 hours a week for 10 weeks System Engineer 40 hours a week for 10 weeks 40 hours a week for 10 weeks Deploy IT Analyst System Engineer Ongoing IT Auditor 40 hours for development of the Audit plan. Periodic audits - 40 hours a week for the first 8 weeks of this phase. Ongoing monitoring is based on agency environment and, Table 2.5 Information Asset Management Resource Considerations State of Oregon 6

9 3. Communication Operations 3.3 Workstation Management (combined with Standard 4.6 Patch management) Management Roadmap 8 weeks 3 On going Define Requirements to meet Standards Develop Implementati on Project Plans Define Policies Define Mitigation Controls Define Solutions and Processes to meet Standards Training & Awareness Phased Deployment On-going Monitoring & Vulnerability Assessment Review Implementation Strategy Including Mitigating Controls Prerequisites Following standards and processes need to be in place in order to comply with the Standard 3.3 Workstation and Desktop Security Standard and Standard 4.6 Patch Management Standard - Change/Release Management processes - Standard Encryption - Standard Anti-Virus and Anti-Malware Standard Project management structure to manage technical project planning, decision making, and execution Perform inventory of hardware and software systems to identify in-scope systems for compliance (and approved exceptions) IT Risk & Vulnerability Assessment processes and infrastructure to identify and prioritize risks to workstations, desktops, and servers State of Oregon 7

10 3.3.3 Technical Roadmap Communications & Operations Management 3.3 Workstation Management & Desktop Security Standards & 4.6 Patch Management Standards Ongoing Deploy Design Planning Identify systems which require security and patch management Define Workstation/ Desktop and Patch Management Policies - Criticality level, Acceptable time for deployment, Exception (identification & handling) Identify legacy systems that have security and patch update exceptions Define Mitigation plans for systems with exceptions Identify the OS and Applications of the relevant and exception systems 2 Weeks 4 Weeks 2 Weeks 6 Weeks Develop audit and assessment plan Identify technology requirements: -Manual vs. Automated Patching -Logging & Monitoring -Resource requirements Integrate with Change and Incident Management Update mitigation controls for legacy systems Pilot Implementation Training & Awareness On-Going monitoring of systems to be managed and patched. Create exception reports Update processes based on lessons learned 2 Weeks 8 Weeks 4 Weeks 8 Weeks 4 Weeks Phased deployment: -Test workstation/desktop images and Patches -Notify users of outage window -Post deployment review Monitor key sites & public information source for new threats State of Oregon 8

11 3.3.4 Major Work Streams The following table articulates the major activities per work stream. Furthermore, it provides an estimation of overall time to complete a task and the phase (illustrated in the roadmap) the activities should be performed. Phases Planning Design Deploy Key Activities Understand compliance requirements associated with Workstation Management/Desktop Security and Patch Management and identify in-scope systems Develop the project charter, which defines the mission, vision and scope and obtain approval Consider using DAS (TSC) for desktop support. Identify legacy systems which have security and patch update exceptions - Legacy systems need to be reviewed to identify those systems for which security and patch updates will not be possible based on technology limitations - Legacy systems need to be reviewed, prioritized, and approved based on risk (identify compensation controls) Identify the OS and Applications of the relevant exception systems - This catalog of relevant exception systems and applicable layers will be used to devise policies and mitigation plans Define Workstation/Desktop and Patch Management Policies - Policies should define criticality levels, acceptable deployment timeframes, and the process for identifying and addressing exception items Define Mitigation plans for systems with approved exceptions Identify technology requirements - Assessment of potential tools for consideration so that decisions can be made regarding automated vs manual patching, logging and monitoring, and internal vs external resourcing requirements Integrate with change and incident management processes - Workstation/Desktop and Patch Management needs to be integrated with change and incident management so that appropriate actions can be made based on automated/manual analysis - Integrate with existing tools for tracking, analysis, review, and approval of activities associated with identified exceptions Pilot implementation - Develop Pilot Rollout plan for limited systems to assess the design and implementation of policies, processes, and tools - Detailed Work Breakdown Structure with dates and GANTT charts showing dependencies and progress are of tremendous value Update processes based on lessons learned from pilot - Upon completion of pilot implementation, have agency management perform a lessons learned exercise and incorporate feedback from responsible parties Training for policy, tools, and awareness - Develop and rollout training for requirements, policy, and tools Duration of Time 6 weeks 8 weeks 8 weeks State of Oregon 9

12 Ongoing Phased deployment implementation - Develop Rollout plan, phased based on risk profile of systems - The Rollout Plan is all about tactical execution including Names, dates, milestones, control gates, etc. - Detailed Work Breakdown Structure with dates and GANTT charts showing dependencies and progress are of tremendous value - Perform post deployment review to update processes based on lessons learned Develop audit and assessment plan - Define requirements, audit, monitor, report, and ensure that Information Security contribute to more effective compliance with current and emerging organizational and regulatory obligations. Update mitigating controls for legacy systems - Perform regular checkpoints to review and update mitigating controls for legacy systems with approved exceptions to standard Continuous monitoring and review of standards - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the policies, procedures, and practices of the organization - Monitor key sites and public information sources for new threats Table 1.a Protection of Information Assets - Major Work streams Ongoing Resource Considerations The following table articulates estimated resource considerations for this function. Phases Type of Resource Hour Estimates Planning Agency Senior Management 4 hours for meetings System Engineer ISO 40 hours a week for 8 weeks 20 hours a week for 8 weeks 10 hours a week for 8 weeks Design IT Analyst 10 hours a week for 3 System Engineer 20 hours a week for 3 20 hours a week for 3 Deploy IT Analyst System Engineer Ongoing IT Auditor Table Resource Considerations State of Oregon 10

13 3.9 Log management (combined with Standard 1.5 Audit of Access Control) Management Roadmap 10 weeks 2 on Agency Evaluation On going Define Requirements to meet Standards Identify logging priority areas and events Define Policies Tools Assessment Define Solutions and Processes to meet Standards and Pilot Implementation Training & Awareness Phased Deployment On-going Monitoring Review Overall Strategy Prerequisites Following standards and processes need to be in place in order to comply with the Standard 3.9 Log Management Standard - Standard Information Systems Development Life Cycle Standards - Change/Release Management processes - Incident Management Standards - Standard Information Backup Standards - Standard Security Zone and Network Security Management Standards - Standard 3.15 Intrusion Detection Standards Project management structure to manage technical project planning, decision making, and execution Perform inventory of hardware and software systems to identify in-scope systems for logging IT Risk and Vulnerability Assessment processes and infrastructure to prioritize areas for logging and retention Technical Roadmap Communications & Operations Management 3.9 Log Management & 1.5 Audit of Access Control Ongoing Deploy Design Planning Understand compliance requirements Conduct a risk assessment to identify and assess priority areas for logging and prioritize based on risk Review agency success stories - processes & tools Review user accounts every 90 days Develop process for review of access logs and review of user accounts for dormant user accounts 2 Weeks 4 Weeks 4 Weeks Define Log Management Policy including security events, layers of interest, retention, log review etc. Training - process, tools, IT Develop audit and assessment plan Tools Assessment - Manual vs. automated, internal vs external resources, ROI, inhouse, OTS, etc. Phased deployment based on risk profiles Continuous monitoring and review of standards (change in business requirements, technology, deprecation, resources, etc.) Develop Architectural Design based on requirements and tools assessment Integrate with Change and Incident Management Achieve compliance with Standard All information systems shall support logging of access including logins to the information system, and granted and denied access to resources Pilot Implementation State of Oregon 11 Update processes based on lessons learned 2 Weeks 4 Weeks 4 Weeks 4 Weeks 2 Weeks 4 Weeks 4 Weeks

14 3.9.4 Technical Roadmap Major Work Streams The following table articulates the major activities per work stream. Furthermore, it provides an estimation of overall time to complete a task and the phase (illustrated in the roadmap) the activities should be performed. Phases Planning Design Key Activities Understand compliance requirements associated with Log Management (Statewide Information Security Standards Log Management) Develop the project charter for Log Management, which define the mission, vision and scope and obtain approval Conduct a risk assessment to identify and assess priority areas for logging and develop a prioritization based on risk - Assessment of risk, including the magnitude of harm that could result from identified events and/or anomalies. - Prioritize the list of information assets as critical, essential and normal. Prioritization criteria should include characteristics like criticality, impact, costs of a failure, publicity, legal and ethical issues, etc. It will be important to establish a common understanding of the criteria. Develop process for review of access logs and dormant accounts every 90 days ( in compliance with Standard 1.5.3) - Process should take into account the compliance requirements of 1.5. Audit of Access Control Standards and the risk assessment and prioritization exercise for the agency - Where possible and not dependent on the log management systems to be in place, enable access logging on information systems containing level 4 data. Logging should be on all view, add, modify and delete of information and all failed login attempts to these actions. Access logs should be reviewed daily for violations. Review agency success stories - Examples of lessons learned and successful implementation of tools to comply with Log Management requirements by other Agencies Define Log Management Policy - Policy should be based on requirements of Log Management Standard and apply to areas identified and prioritized by Risk Assessment and Prioritization - Policy should identify security events of note, layers of interest (network, server, database, etc), retention, and mechanisms to restrict access to logs Tools assessment - Document product requirements and selection criteria - Assessment of potential tools for consideration so that decisions can be made regarding automated vs manual options and internal vs external resourcing requirements - Identify candidate vendors and request proposals - Evaluate responses to determine whether to move forward with product selection and proof of concept - Initiate negotiations with selected vendor and establish scope for proof of concept Develop architectural design - Architectural design should be based on requirements and the decisions made during tools assessment Duration of Time State of Oregon 12

15 Deploy Integrate with change and incident management processes - Log management needs to be integrated with change and incident management so that appropriate actions can be made based on log management analysis - Integrate with existing tools for tracking, analysis, review, and approval of activities associated with identified events Pilot implementation - Develop Pilot Rollout plan for limited areas to assess the design and implementation of policies, processes, and tools - Detailed Work Breakdown Structure with dates and GANTT charts showing dependencies and progress are of tremendous value Update processes based on lessons learned from pilot - Upon completion of pilot implementation, have agency management perform a lessons learned exercise and incorporate feedback from responsible parties Training for policy and tools - Develop and rollout training for log management requirements, policy, and tools Phased deployment implementation - Develop Rollout plan, phased based on risk profile of information systems - The Rollout Plan is all about tactical execution including Names, dates, milestones, control gates, etc. - Detailed Work Breakdown Structure with dates and GANTT charts showing dependencies and progress are of tremendous value Update processes based on lessons learned from phased deployment - Upon completion of pilot implementation, have agency management perform a lessons learned exercise and incorporate feedback from responsible parties Review user accounts every 90 days - Based on process developed and applicable to the types of accounts identified 3 months Ongoing Ongoing Develop audit and assessment plan - Define requirements, audit, monitor, report, and ensure that Information Security contribute to more effective compliance with current and emerging organizational and regulatory obligations. Continuous monitoring and review of standards - Develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization - Perform regular checkpoints regarding requirements, technology options and deprecation, and resources Table 1.a Protection of Information Assets - Major Work streams 2 months Ongoing State of Oregon 13

16 3.9.5 Technical Roadmap Resource Considerations The following table articulates estimated resource considerations for this function. Phases Type of Resource Hour Estimates Planning Agency Senior Management 4 1-hour meetings ISO 10 hours for 10 weeks 20 hours for 10 weeks Design IT Analyst 40 hours each month for 2 System Engineer 40 hours each month for 2 40 hours each month for 2 Deploy IT Analyst System Engineer Ongoing IT Auditor, Table Resource Considerations State of Oregon 14

17 4. Information Systems Acquisition, Development and Maintenance 4.4 Encryption Management Roadmap 13 weeks 28 weeks upon agency On going Define Requirements to meet Encryption Standards Develop Encryption Mgmt Implementati on Project Plan Define Encryption Management Policy Define Solutions and Processes to meet Encryption Management Standards Training & Awareness Phased Deployment On-going Monitoring & Vulnerability Assessment Review Encr Strategy including Mitigation Controls Prerequisites Information Asset Classification Agencies need to be compliant with Statewide Information Asset Classification (IAC) policy (effective 7/30/2007), purpose is to ensure State of Oregon information assets are identified, properly classified, and protected throughout their lifecycles. - Plan for identifying, classifying and protecting information assets needs to be in place - All information should have been identified, classified and ownership defined. Data maps identifying data at rest and data-flow exist for Level 3 and Level 4 data types Agency has established risk assessment processes based on applicable threats to the confidentiality, integrity and availability of data structure needs to be in place Agency has access to a Key Management Infrastructure Technical Roadmap Information Systems Acquisition, Development and Management 4.4 Encryption Ongoing Deploy Design Planning Identify the regulatory and compliance requirements for data protection Develop encryption policy at agency level Provide training to administrators and end users Perform periodic Risk Assessment for existing emerging threats Perform discovery of all information systems assets 4.4.6: Define key management requirements Perform a phased implementation of the encryption tool Perform Periodic data discovery, usage & flow analysis Perform a discovery of sensitive data within agency information assets 4.4.7: Document key management procedures Perform test to validate implementation at each phase Monitor legislative & regulatory requirements Perform Risk Assessment for data usage scenarios 2 Weeks 3 Weeks 2 Weeks 4 Weeks 4.4.1, 4.4.2, 4.4.3, 4.4.5, 4.4.5: Define Technology requirements: Tools, Technology Vendors & SP s Post implementation review & lessons learned Monitor violation of encryption integrate with incident management Develop a implementation Project Plan for Encryption Define pilot requirements Metrics reporting: -Data Loss Incidents -Intentional vs. Accidental -Classification Level of Data Breach Implement & test the pilot Define Monitoring Requirements Develop a Training Plan and Encryption Rollout Plan 2 Weeks 2 Weeks 3 Weeks 8 Weeks 2 Week 2 Weeks 3 Weeks 6 Weeks 2 Weeks State of Oregon 15

18 4.4.4 Technical Roadmap Major Work Streams The following table articulates the major activities per work stream. Furthermore, it provides an estimation of overall time to complete a task and the phase (illustrated in the roadmap) the activities should be performed. Phases Planning Key Activities Identify the regulatory and compliance requirements for data protection Identify the data types and patterns which are subject to the data protection requirements Duration of Time Design Perform a discovery of all information system assets: - Identify all information systems within the agency operating environments such as development, quality assurance and production. - Map the system to the respective information technology services and applications supported - Identify system owners and support groups Perform a discovery of sensitive data within the agency information assets: - Data at rest discovery of all key systems which can potentially host confidential data - Data in motion discovery of the network environment to map out the data flows containing confidential data Perform a Risk Assessment of data usage scenarios: - Identify data usage scenarios most likely to occur within the agency - Identify likelihood of data loss and potential impact based on the information type Develop a Implementation Project Plan for Encryption Define encryption policy at agency level Define key management requirements Define processes required for encryption management: - Key management or escrow processes when using a key-based data encryption system - Replacement process for compromised key Define Technology Requirements which considers: - Encryption protocol and strength - Supported level of deployment of encryption - Support for external storage media - Wireless standards support Define Pilot Requirements based on: - Agency encryption requirements - Vendor solution Implement and Test Pilot - Implement pilot based on requirements - Validate pilot meets requirements - Perform post pilot assessment - Document lessons learned 3 weeks 3 weeks 8 weeks State of Oregon 16

19 Deploy Define Monitoring Requirements - Monitoring process and frequency - Monitoring tools - Monitoring parameters relating to encryption management - Alerting and reporting requirements Develop Training Plan and Encryption Rollout Plan - Develop or acquire training and material which is targeted towards the different management, operations, and support and employee roles to be used to enhance the general awareness in use of encryption. - Develop an encryption roll out plan Provide Training to administrators and end users Perform a phased implementation of the encryption tool 3 weeks 6 weeks Ongoing Perform test to validate implementation at each phase Post Implementation Review and Lessons Learned - Update implementation procedures based on lessons learned Perform a periodic Risk Assessment for existing and emerging threats - Monitor Legislative and Regulatory Requirements for inclusion to Risk Assessment Perform periodic data discovery usage and flow analysis On-going Metrics Reporting for the following metrics. - Data Loss Incident - Intentional vs. Accidental - Classification Level of Data Breach Revise metrics as needed Monitor encryption violation and integrate with incident management On-going On-going Table Encryption Major Work Streams State of Oregon 17

20 4.4.5 Resource Considerations The following table articulates estimated resource considerations for this function. Phases Type of Resource Hour Estimates Planning Agency Senior Management 4 one hour meetings ISO 10 hours for 13 weeks 20 hours for 13 weeks Design IT Analyst 20 hours for 28 weeks Systems Engineer 20 hours for 28 weeks 40 hours for 28 weeks Deploy Systems Engineer Ongoing IT Analyst Table Encryption Resource Considerations State of Oregon 18

21 4.8 Information Systems Development Life Cycle Management Roadmap 8 Weeks 32 Weeks upon agency On going Define Requirements to meet Standard Develop Project Plan Define Solutions and Processes to meet SDLC Standard Training & Awareness Phased Deployment Post Implementa tion Lessons Learned Periodic Review Prerequisites Inventory of hardware and software systems needs to be in place User access list based on role and responsibilities needs to be in place including: - Process for granting user access (regular and privileged accounts) - Process for determining appropriate level of access based on job function, which also includes segregation of duties - Process for tracking segregation of duties exceptions Change Management Process needs to be in place including: - Change procedures - Change Advisory Board Documentation requirements for support purposes needs to be in place SDLC process and project management structure needs to be in place State of Oregon 19

22 4.8.3 Technical Roadmap Information Systems Acquisition, Development and Management 4.8 Information Systems Development Life Cycle Standards Ongoing Deploy Design Planning Identify all systems in Dev, QA & Prod Assess existing access based on roles and responsibilities against security standard Provide Training & Awareness on: -Access Control -Change Management -Documentation Standards - Encryption Requirements Assess existing change management procedures against security standard Assess existing documentation processes against security standard 2 Weeks 4 Weeks 2 Weeks 3 Weeks Develop periodic assessment plan to review the foundational elements of the SDLC program Define or Update access control processes for granting, modification and termination of access based on job requirements Define or Update existing Change Management Processes to meet the standards requirements Define or Update procurement and development processes to include encryption requirements to meet standard Define or Update documentation requirements to meet security standards Develop Training Content 2 Weeks 2 Weeks 2 Weeks 2 Weeks 6 Weeks Define periodic audit activities to monitor the on-going effectiveness of SDLC program 4.8.3: Implement: Documentation Standards 4.8.1: Implement: Access Control 4.8.2: Implement: Change Management Control 4.8.4: Implement: Review of Encryption Requirements Develop a rollout plan 4 Weeks Post implementation review & lessons learned Technical Roadmap Major Work Streams The following table articulates the major activities per work stream. Furthermore, it provides an estimation of overall time to complete a task and the phase (illustrated in the roadmap) the activities should be performed. Phases Planning Key Activities Define the information systems development lifecycle planning and operational requirements needed to implement the standard. Develop an implementation project plan based to implement the information systems development lifecycle processes and controls. Perform a discovery of all information system assets: - Identify all information systems within the agency operating environments such as development, quality assurance and production. - Map the system to the respective information technology services and applications supported - Identify system owners and support groups Duration of Time State of Oregon 20

23 Design Deploy Perform an assessment of the following areas and identify gaps based on system development lifecycle standard. The gaps will form the basis of the activities which need to be performed in order to implement the standard: - Assess the access privileges of users, developers and administrators on each in-scope system based on industry best practices for their job roles and responsibilities, such that access is granted and is commensurate based on job requirements, access is reviewed and modified periodically, any segregation of duties conflicts are reviewed, approved and monitored - Assess change management procedures based on SDLC standards requirements and industry best practices so that changes are tested and approved prior to being implemented - Assess documentation required to initiate and manage projects, documents needed to operate and support systems meet the requirements of the SDLC standards Define or update the following processes in order to meet the SDLC standard: - Access control processes for granting, modification and termination of access based on job requirements - Change management processes for initiation, development and implementation of change - Systems development and procurement requirements to meet encryption requirements - Documentation needed to meet project initiation, project management, operations and support requirements Develop Training Content - Develop or acquire training and material which is targeted towards the different management, operations, and support and employee roles to be used to enhance the general awareness in access control, change management, systems procurement and documentation. Develop a roll out plan Provide training and awareness to management, operations, support and users as needed in the following areas: - Access Control: - Change Management: - Documentation Standards: - Systems Development/Procurement based on encryption needs: Achieve Compliance with With the implementation of documentation standards new or updated information system shall include adequate system documentation for agency to achieve compliance with Embed documentation requirements into the work processes - Require each work process to be reviewed and signed off after ensuring that documentation requirements have been met Achieve Compliance with With the implementation of access controls, access to operating system, source code, and operational or production software/program directories, locations, and configuration files shall be managed to enable the agency to achieve compliance with Identify all system and application owners - Send out the user/administrator access list to the system and application owners for review and verification - Obtain the access list from system/application owners and modify access privileges of users - Perform the above activities periodically 8 weeks 6 weeks State of Oregon 21

24 Ongoing Achieve Compliance with With the implementation of change control management process developing and modifying information systems require authorization to initiate or make changes, test and accept changes to production will enable agency to achieve compliance with Require the initiation of new development or change requests to be tracked and approved by management - Document the requirements and have them approved by the requestor within the agency - Require the requestor to test the new development or change request and signoff prior to management approval - Require management approval before moving new development or change into production environment - Document workflow and formalize the process Achieve Compliance with With the implementation of procurement requirements which require encryption capability for Level 3 and Level 4 systems agency will be able to achieve compliance with Define new procurement process which requires system classification and associated requirements such as encryption to be documented and approved as part of the procurement initiation - Define a Pilot process where the system/application to be procured is tested to meet the encryption requirements, and approved for procurement if all requirements are met - Define a post implementation review process of the system at which all the requirements are again reviewed to make sure that the system is configured correctly and meets the objectives. Post Implementation Review and Lessons Learned Develop periodic assessment plan to review the foundational elements of the SDLC program - Periodically assesses the appropriateness of SDLC organization roles i.e. roles are assigned to people who are experienced and have the right level of authority. - Perform a periodic assessment to review that SDLC processes and documentation requirements address risk and compliance needs. - SDLC processes and documentation may be updated based on the recommendations from the assessment. Define periodic audit activities to monitor the on-going effectiveness of SDLC program - Perform a periodic audit of access control for systems in-scope for SDLC. Review process for granting, modifying and termination of access. Also review the Segregation of Duties and the process for filing exceptions - Perform a periodic audit of the change management processes around the initiation, testing, implementing and post implementation review of change - Periodically audit the SDLC project management, operational and support documentation against the required standards Table SDLC Major Work Streams Ongoing Ongoing State of Oregon 22

25 4.8.5 Resource Considerations The following table articulates estimated resource considerations for this function. Phases Type of Resource Hour Estimates Planning Agency Senior Management 4 1-hour meetings ISO 10 hours a week for 11 weeks 20 hours a week for 11 weeks Design IT Analyst 40 hours a week for 18 weeks 20 hours a week for 18 weeks Deploy IT Analyst Ongoing IT Auditor Table SDLC Resource Considerations State of Oregon 23

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

SOA ISO Statement of Applicability

SOA ISO Statement of Applicability SOA ISO 27001 2005 Statement of Applicability A.5 Security A.5.1 Information Security A.5.1.1 A.5.1.2 Information security policy document Review of the information security policy A.6 Organisation of

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Sarbanes-Oxley Compliance for Cloud Applications

Sarbanes-Oxley Compliance for Cloud Applications Sarbanes-Oxley Compliance for Cloud Applications What Is Sarbanes-Oxley? Sarbanes-Oxley Act (SOX) aims to protect investors and the general public from accounting errors and fraudulent practices. For this

More information

AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC

AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC 1 PREPARING FOR AN IT AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org Biography

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

Building Security into the Software Life Cycle

Building Security into the Software Life Cycle Building Security into the Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services, a Division of McAfee Outline» Glossary» What is at risk, what we do about

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Date: Completed By: Name: Department: Position: Phone: Email Address: Section 1: Security Education and Awareness

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

ITIL v3 Service transition glossary

ITIL v3 Service transition glossary ITIL v3 Service transition glossary Term Assembly Assessment Asset management Asset register Attribute Audit Authority matrix Back out Best practice British Standards Institution (BSI) Build Build environment

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017 State of Montana Montana Board of Crime Control Agency IT Plan Fiscal Year 2012-2017 Prepared July 2012 Brooke Marshall, Executive Director Jerry Kozak, IT Manager Board of Crime Control 5 S Last Chance

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard

Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Auditing the Software Development Lifecycle ISACA Geek Week. Mike Van Stone Sekou Kamara August 2014

Auditing the Software Development Lifecycle ISACA Geek Week. Mike Van Stone Sekou Kamara August 2014 Auditing the Software Development Lifecycle ISACA Geek Week Mike Van Stone Sekou Kamara August 2014 Agenda Introduction Audit Scope Project Initiation SDLC Processes Stakeholders Common Development Methodologies

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 3.6 Date: 12/11/2015 1 Copyright 2015, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

By: NABIOLLAH ELYASI. Principal Auditor. Sun City, South Africa

By: NABIOLLAH ELYASI. Principal Auditor. Sun City, South Africa 20 th Meeting of INTOSAI Working Group on IT Audit Country Paper of Supreme Audit Court of Islamic Republic of Iran By: NABIOLLAH ELYASI Principal Auditor Sun City, South Africa 14-17 April 2011 1 DEVELOPING

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Information Assurance Policy for Information Systems

Information Assurance Policy for Information Systems Information Assurance Policy for Information Systems 1. Purpose... 3 2. Goals... 3 3. Applicability... 4 4. Compliance... 4 5. Roles & Responsibilities... 4 5.1. All Departments...4 5.2. FCT Information

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Technical breakout session

Technical breakout session Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

Software as a Service: Guiding Principles

Software as a Service: Guiding Principles Software as a Service: Guiding Principles As the Office of Information Technology (OIT) works in partnership with colleges and business units across the University, its common goals are to: substantially

More information

Template K Implementation Requirements Instructions for RFP Response RFP #

Template K Implementation Requirements Instructions for RFP Response RFP # Template K Implementation Requirements Instructions for RFP Response Table of Contents 1.0 Project Management Approach... 3 1.1 Program and Project Management... 3 1.2 Change Management Plan... 3 1.3 Relationship

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Information Technology Policy

Information Technology Policy ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows Automated Firewall Change Management Ensure continuous compliance and reduce risk with secure change management workflows JANUARY 2015 Executive Summary Firewall management has become a hot topic among

More information

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY Humboldt State University CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

VIRTUALIZATION SECURITY

VIRTUALIZATION SECURITY VIRTUALIZATION AND SECURITY Ramesh Bhat Deputy Manager Information Security Mastek Ltd Virtualization and Security Agenda Background What is virtualization Brief introduction to virtualization architecture

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

June 25, 2013. Ministry of Health Security enhancement roadmap

June 25, 2013. Ministry of Health Security enhancement roadmap June 25, 2013 Ministry of Health Security enhancement roadmap Table of contents Enhancement roadmap overview... 1 Introduction... 1 Objectives and scope... 1 Approach... 2 Summary of recommended enhancement

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information