PENETRATION TEST OF THE FOOD AND DRUG ADMINISTRATION'S COMPUTER NETWORK
Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

PENETRATION TEST OF THE FOOD AND DRUG ADMINISTRATION'S COMPUTER NETWORK

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General for Audit Services

October 2014
A
Office of Inspector General

The mission of the Office of Inspector General (OIG), as mandated by Public Law, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.
Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.
The Food and Drug Administration needed to address cyber vulnerabilities on its computer network that could potentially have led to a data breach.

INTRODUCTION

This report provides an overview of the results of our penetration test of the Food and Drug Administration's (FDA) computer network. It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We provided more detailed information and recommendations to FDA so that it could address the issues we identified.

WHY WE DID THIS REVIEW

Computer hackers are increasingly compromising Government systems, publishing sensitive data, and using stolen data to commit fraud. Threats to Federal agency Web applications are continually changing because of advances made by hackers, the release of new technology, and the deployment of increasingly complex systems. Web sites that are not properly secured are vulnerable to unauthorized users who could compromise the confidentiality of sensitive information or negatively affect the operations of Federal agencies.

The objective of this review was to determine whether the FDA's network and external Web applications were vulnerable to compromise through cyber attacks.

BACKGROUND

Penetration tests identify methods of gaining access to a system by using tools and techniques that attackers use. The objective of penetration testing is to uncover potential vulnerabilities in information technology (IT) products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies. This audit is one of a series of Office of Inspector General (OIG) audits using penetration testing on networks run by the U.S. Department of Health and Human Services (HHS) and its operating divisions.

FDA is responsible for protecting public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation's food supply, cosmetics, and products that emit radiation.
FDA is also responsible for advancing the public health by helping to speed innovations that make medicines more effective, safe, and affordable and for regulating the manufacturing, marketing, and distribution of tobacco products to protect public health and reduce tobacco use by minors.

FDA's Office of Information Management manages the IT infrastructure and ensures that FDA has a robust IT foundation that enables interoperability across FDA offices and allows development of enterprisewide systems that are necessary to meet FDA's mission efficiently and effectively. FDA's IT budget for fiscal year 2014 was $486 million, which was approximately 11 percent of the total FDA budget of $4.4 billion in fiscal year 2014, a significant investment.

Penetration Test of the FDA's Computer Network (A ) 1
On October 15, 2013 (before our fieldwork), a wide-scale cyber security breach involving an FDA system occurred that exposed sensitive information in 14,000 user accounts.

HOW WE CONDUCTED THIS REVIEW

We assessed the FDA network's exposure to cyber attacks by performing a penetration test of its network and information systems. We conducted the penetration test from October 21, 2013, through November 10, 2013, with the knowledge and permission of FDA officials. We requested that FDA's incident response staff not be notified of our testing to assess the effectiveness of FDA's intrusion detection and response controls. The Appendix contains the details of our audit scope and methodology.

FINDINGS

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

- Web page input validation was inadequate,
- external systems did not enforce account lockout procedures,
- security assessments were not performed on all external servers,
- error messages revealed sensitive system information, and
- demonstration programs revealed sensitive information.

These could have led to: (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable.

INADEQUATE WEB PAGE INPUT VALIDATION

Federal information systems should check the validity of information inputs to ensure that they are acceptable in terms of format and content.[1] Input validation helps to ensure the accuracy of user-supplied data and to prevent input attacks, such as reflected cross-site scripting.[2] We identified FDA Web pages that did not perform adequate input validation on data entered by the user. Exploitation of this vulnerability could result in malicious input being sent from an attacker to FDA Web pages to hijack a user's Web browser application, install malicious programs, or redirect users to malicious Web pages.
EXTERNAL SYSTEMS DID NOT ENFORCE ACCOUNT LOCKOUT

Federal information systems are required to enforce a defined limit of consecutive invalid logon attempts by a user and automatically lock the account for a predetermined time period or until the account is released by an administrator.[3]

[1] National Institute of Standards and Technology (NIST) Special Publication (SP) Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Control SI.
[2] Reflected cross-site scripting occurs when a dynamically generated Web page takes untrusted data and returns them to be rendered within the victim's browser without proper validation and sanitization.
[3] NIST SP Revision 4, Control AC-7.
We identified FDA external systems that did not enforce account lockout after repeated failed log-in attempts. An attacker could repeatedly attempt, either manually or using automated mechanisms, to gain access to an external system by entering a correct login name and password. If an attacker manages to authenticate to a system as an administrative user, he or she would gain control of the system and its content.

ASSESSMENTS WERE NOT PERFORMED ON ALL EXTERNAL SERVERS

The HHS Office of the Chief Information Officer's Policy for Information Systems Security and Privacy Handbook (PISSP Handbook) requires HHS's operating divisions to assess the security controls in information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and meeting the security requirements for the system. Additionally, the PISSP Handbook requires that all Department systems, hosted applications, and networks undergo periodic vulnerability scanning no less than annually.

Although we were allowed to test the majority of FDA's external Web applications, we did not perform penetration testing on seven external systems. FDA officials considered these systems to be mission critical and did not want to accept the risk of having them go offline. Hence, we could not verify whether security vulnerabilities existed within these systems and whether the vulnerabilities could be exploited to gain unauthorized access to FDA systems and data. We asked to review reports for any security testing performed by FDA or a third-party organization for the seven external systems we did not test; however, we determined that FDA had performed a security assessment for only one of those seven systems. We reviewed the security assessment results, scope, and methodology for this system and determined that because the system was tested within a preproduction environment only, the security assessor was not able to validate FDA's claims that controls within the preproduction environment mirrored the production environment.[4]
Therefore, there is a risk that vulnerabilities may exist within the production version of the system.

ERROR MESSAGES REVEALED SENSITIVE SYSTEM INFORMATION

Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers because the messages reveal application code or information that helps attackers exploit vulnerabilities. NIST requires Federal information systems to generate error messages that provide information necessary for corrective action without revealing information that could be exploited by adversaries.[5] We identified FDA Web sites in which detailed error messages revealed sensitive system information. An attacker could use information obtained from detailed error messages, such as software version information, to launch specific attacks against FDA systems. Detailed error messages can help attackers pinpoint vulnerabilities to focus their attacks.

[4] A review of FDA's configuration management controls for development, test, and operational environments was outside the scope of this audit.
[5] NIST SP Revision 4, Control SI-11.

DEMONSTRATION PROGRAMS REVEALED SENSITIVE INFORMATION

Federal information systems should be configured to provide essential capabilities and to determine what functions and services, some of which are provided by default, should be disabled or even eliminated.[6] Oftentimes, software may leave demonstration programs or sample scripts available as part of a default installation. We identified demonstration programs that could be run on FDA systems. The programs revealed sensitive internal system environment settings. Disclosure of such information could help an attacker to launch specific attacks against the FDA systems.

RECOMMENDATIONS

We made seven recommendations to FDA to address the security vulnerabilities that we identified. In general, we recommended that FDA fix the Web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyber attacks, and periodically assess the security of all of its Internet-facing systems. This report summarizes our recommendations because of the sensitive nature of the information. We provided more detailed recommendations to FDA.

AUDITEE COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

In written comments to our draft report, FDA indicated that our findings have been addressed by the system owner(s) and remediation actions have been appropriately applied. We have not verified these actions because they took place after our audit period. Implementation of our recommendations should further strengthen the information security of FDA's network and external Web applications. The timely implementation of our recommendations is important, and we plan to follow up with FDA on these audit results and its remediation actions.

[6] NIST SP Revision 4, Control CM-7.
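The account lockout requirement cited in the findings above (a defined limit on consecutive invalid logons, a timed lock, release by an administrator) together with the error-message finding (responses that do not reveal system state), worked through as an added Python example that is not from the OIG report or from FDA; the usernames, passwords, thresholds and clock values are constructed.

```python
"""Account lockout after consecutive failed logons (the AC-7 control the findings cite).

Added example, not code from the OIG report or from FDA: count consecutive invalid
logons per account, lock for a fixed period at the limit, let an administrator release
the lock early, reset on success. Every failure returns one generic message; detail
goes only to a server-side audit log. Names, passwords, thresholds and clock values
are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5            # consecutive invalid logons allowed
LOCKOUT_SECONDS = 15 * 60          # lock duration once the limit is hit
GENERIC_FAILURE = "Login failed."  # same text for bad password, locked, unknown user
PBKDF2_ITERATIONS = 100_000        # demo-grade; raise for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0.0 means not locked


@dataclass
class LoginGate:
    clock: Callable[[], float] = time.time                 # injectable for deterministic tests
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)   # server-side only, never returned

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked_until > self.clock()

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, message); the message never exposes internal state."""
        acct = self.accounts.get(username)
        if acct is None:
            # Do comparable work so unknown users are not distinguishable by latency.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append(("unknown_user", username))
            return False, GENERIC_FAILURE
        if acct.locked_until > self.clock():
            # Inside the lock window the password is not even checked.
            self.audit_log.append(("locked_attempt", username))
            return False, GENERIC_FAILURE
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0               # success resets the consecutive count
            acct.locked_until = 0.0
            self.audit_log.append(("success", username))
            return True, "OK"
        acct.failed_attempts += 1
        self.audit_log.append(("bad_password", username, acct.failed_attempts))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.clock() + LOCKOUT_SECONDS
            self.audit_log.append(("locked", username))
        return False, GENERIC_FAILURE

    def admin_unlock(self, username: str) -> None:
        """Release a lock before it expires ('released by an administrator')."""
        acct = self.accounts[username]
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        self.audit_log.append(("admin_unlock", username))


def demo() -> Dict[str, object]:
    """Drive the gate with a fake clock and return the states a tester would check."""
    now = [1_700_000_000.0]                                  # constructed epoch time
    gate = LoginGate(clock=lambda: now[0])
    gate.add_user("analyst", "correct horse battery staple")  # constructed credentials
    good = ("analyst", "correct horse battery staple")
    out: Dict[str, object] = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.login("analyst", "wrong-guess")
    out["locked_after_limit"] = gate.is_locked("analyst")
    out["rejected_while_locked"] = gate.login(*good)         # right password, still refused
    gate.admin_unlock("analyst")
    out["login_after_admin_unlock"] = gate.login(*good)
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.login("analyst", "wrong-guess")
    now[0] += LOCKOUT_SECONDS + 1                            # let the lock expire on its own
    out["unlocked_by_time"] = not gate.is_locked("analyst")
    out["login_after_expiry"] = gate.login(*good)
    out["unknown_user"] = gate.login("nobody", "anything")   # same generic message
    return out
```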
APPENDIX: AUDIT SCOPE AND METHODOLOGY

SCOPE

We focused our audit on the FDA network and Web sites in operation during the period October 21, 2013, through November 10, 2013. We did not review FDA's overall internal control structure.

METHODOLOGY

We prepared a Rules of Engagement document that outlined the general rules, logistics, and expectations for the penetration test, and FDA and OIG management signed it. We performed the following procedures:

- conducted information-gathering techniques to discover the following for FDA: network address ranges, host names,[9] hosts exposed to the Internet, applications running on exposed hosts, operating system and application version information, current patch levels of the hosts and applications residing on hosts, structure of the applications and supporting servers, and domain name server records;
- conducted vulnerability analysis techniques to discover possible methods of attack;
- attempted to exploit vulnerabilities identified in the vulnerability analysis to gain root- or administrator-level access to the targeted systems or other trusted-user account access;
- reviewed reports on security assessments performed by FDA or third-party organizations of FDA Internet-facing systems that we were not authorized to assess during our penetration test; and
- discussed our findings with FDA management.

[9] A host is any device connected to a computer network.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
More informationIntroduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved.
Rev 7.5.0 Intrductin 2 LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE 2015 Savisin B.V. savisin.cm All rights reserved. This manual, as well as the sftware described in it, is furnished under license and
More informationVulnerability Management:
Vulnerability Management: Creating a Prcess fr Results Kyle Snavely Veris Grup, LLC Summary Organizatins increasingly rely n vulnerability scanning t identify risks and fllw up with remediatin f thse risks.
More informationHow To Write An Ehsms Training, Awareness And Competency Procedure
Envirnmental, Health & Safety Management System (EHSMS) Dcument Number: 00122 Issue Date: 05/07/2014 Training, Awareness and Cmpetency Prcedure Revisin Number: 7 Prepared By: Stalcup, Bryce Apprved By:
More informationCyber Security: Simulation Platform
Service Overview The Symantec Cyber Security: Simulatin Platfrm is a Web hsted Service with immersive and hands-n access t cyber exercises fr ffensive (red team) events, inspired by real-life security
More information2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)? No.
HIPAA Technical Risk Security Assessment 1. Will yu be issuing additinal directins fr the frmatting f the final prpsal due Nvember 21 st? There is nt specific frmatting requirements, just submit the prpsal
More informationIT CHANGE MANAGEMENT POLICY
IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement
More informationCreating an Ethical Culture and Protecting Your Bottom Line:
Creating an Ethical Culture and Prtecting Yur Bttm Line: Best Practices fr Crprate Cdes f Cnduct Nte: The infrmatin belw and all infrmatin n this website is nt meant t be taken as legal advice. Please
More informationInstallation Guide Marshal Reporting Console
INSTALLATION GUIDE Marshal Reprting Cnsle Installatin Guide Marshal Reprting Cnsle March, 2009 Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 3 Sftware Prerequisites 3 Installatin
More informationArmy DCIPS Employee Self-Report of Accomplishments Overview Revised July 2012
Army DCIPS Emplyee Self-Reprt f Accmplishments Overview Revised July 2012 Table f Cntents Self-Reprt f Accmplishments Overview... 3 Understanding the Emplyee Self-Reprt f Accmplishments... 3 Thinking Abut
More informationIT Help Desk Service Level Expectations Revised: 01/09/2012
IT Help Desk Service Level Expectatins Revised: 01/09/2012 Overview The IT Help Desk team cnsists f six (6) full time emplyees and fifteen (15) part time student emplyees. This team prvides supprt fr 25,000+
More informationMigrationWiz HIPAA Compliant Migration. Focus on data migration, not regulation. BitTitan Global Headquarters: 3933 Lake Washington Blvd NE Suite 200
MigratinWiz HIPAA Cmpliant Migratin Fcus n data migratin, nt regulatin. BitTitan Glbal Headquarters: 3933 Lake Washingtn Blvd NE Suite 200 Table f Cntents Kirkland, WA 98033 www.bittitan.cm sales@bittitan.cm
More informationCloud Services Frequently Asked Questions FAQ
Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like
More informationFAFSA / DREAM ACT COMPLETION PROGRAM AGREEMENT
FAFSA / DREAM ACT COMPLETION PROGRAM AGREEMENT If using US Pstal Service, please return t: Califrnia Student Aid Cmmissin Prgram Administratin & Services Divisin ATTN: Institutinal Supprt P.O. Bx 419028
More informationUnified Communications
Office f Infrmatin Technlgy Services Service Level Agreement Unified Cmmunicatins Nvember 7, 2013 v2.2 Service Descriptin Unified Cmmunicatins Service Descriptin ITS Unified Cmmunicatins ffers a number
More informationAccident Investigation
Accident Investigatin APPLICABLE STANDARD: 1960.29 EMPLOYEES AFFECTED: All emplyees WHAT IS IT? Accident investigatin is the prcess f determining the rt causes f accidents, n-the-jb injuries, prperty damage,
More informationSTANDARDISATION IN E-ARCHIVING
STANDARDISATION IN E-ARCHIVING R E Q U I R E M E N T S A N D C O N T R O L S F O R D I G I T I S AT I O N A N D E - A R C H I V I N G S E R V I C E P R O V I D E R S Alain Wahl 1 Requirements and cntrls
More informationSymantec User Authentication Service Level Agreement
Symantec User Authenticatin Service Level Agreement Overview and Scpe This Symantec User Authenticatin service level agreement ( SLA ) applies t Symantec User Authenticatin prducts/services, such as Managed
More informationCSC IT practix Recommendations
CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins
More informationSolution. Industry. Challenges. Client Case Study. Legacy Systems too Costly to Maintain. Supply Chain Advantage. Delivered.
Supply Chain Advantage. Delivered. Client Case Study MEBC Supprts the Federal Aviatin Administratin Manage Prject Risk during Majr ERP Implementatin thrugh Independent Verificatin and Validatin (IV&V)
More informationFollowing steps are required for hosting of Web Site/ Web Application on NIC Cloud
Natinal Infrmatics Centre Web Hsting Internal Dcument Fllwing steps are required fr hsting f Web Site/ Web Applicatin n NIC Clud 1. URL registratin t be dne by the user. 2. Submit yur request n "Get NIC
More informationHIPAA 5010 Implementation FAQs for Health Care Professionals
HIPAA 5010 Implementatin FAQs fr Health Care Prfessinals Updated September 27, 2012 Key Messages In January 2009, the Department f Health and Human Services published the final rule cntaining the requirements
More informationUBC Incident Response Plan V1.5
UBC Incident Respnse Plan V1.5 Cntents 1. Ratinale... 2 2. Objective... 2 3. Applicatin... 2 4. Reprting a Cmputer Security Incident... 2 5. Managing the Security Incident... 2 5.1. All Incidents... 2
More informationPayment Card Industry (PCI) Qualified Integrators and Resellers
Payment Card Industry (PCI) Qualified Integratrs and Resellers Prgram Guide Versin 3.0 September 2015 Dcument Changes Date Versin Descriptin August 2012 1.0 Initial release f the PCI Qualified Integratrs
More informationPrivacy and Security Training Policy (PS.Pol.051)
Privacy and Security Training Plicy (PS.Pl.051) Purpse T define the plicies and prcedures fr prviding privacy and security training in respect f the CnnectingGTA Slutin. Definitins Electrnic Service Prvider
More informationSupport Services. v1.19 / 2015-07-02
Supprt Services v1.19 / 2015-07-02 Intrductin - Table f Cntents 1 Intrductin... 3 2 Definitins... 4 3 Supprt Prgram Feature Overview... 5 4 SLA fr the Supprt Services... 6 4.1 Standard Supprt... 6 4.2
More informationMANAGED VULNERABILITY SCANNING
Abut SensePst SensePst is an independent and bjective rganisatin specialising in infrmatin security cnsulting, training, security assessment services and IT Vulnerability Management. SensePst is abut security.
More informationSupersedes: DPS Policy 10.09 - Internet and Use Of The DPSnet, July 14, 2000 Effective: February 15, 2005 Pages: 1 of 5
Plicy: 13.01 SUBJECT: INTERNET USAGE Supersedes: DPS Plicy 10.09 - Internet and Use Of The DPSnet, July 14, 2000 Effective: February 15, 2005 Pages: 1 f 5 1.0 POLICY PURPOSE Detrit Public Schls (DPS) Internet
More informationHP ValuPack Consulting Description Security Vulnerability Solution ValuPack
HP ValuPack Cnsulting Descriptin Security Vulnerability Slutin ValuPack HP ValuPacks are standardized cnsulting services, prvided by HP Cntact Center Service Prfessinals, with pre-defined custm deliverables
More informationRATIONALE TERMS OF REFERENCE FOR THE QUALITY COMMITTEE UNDER THE EXCELLENT CARE FOR ALL ACT. Authority
RATIONALE With the intrductin f the Excellent Care fr All Act, hspital bards must nw have a quality cmmittee that reprts t the bard. The template prvides sample terms f references fr rganizatins t adapt
More informationCustomer Support & Software Enhancements Policy
Custmer Supprt & Sftware Enhancements Plicy Welcme t Manhattan Assciates Custmer Supprt Organizatin (CSO). Staying current n Custmer Supprt & Sftware Enhancements and n a supprted versin f the licensed
More informationIf the CAP is acceptable, the serious deficiency determination for the provider is temporarily deferred.
Pat McCrry Gvernr Sent Via Email TO: FROM: Nrth Carlina Department f Health and Human Services Divisin f Public Health May 12.2014 Spnsring Organizatins f Day Care Hmes Arnette Cwan, MS, RD, LDN Supervisr,
More information