Specific observations and recommendations that were discussed with campus management are presented in detail below.

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Specific observations and recommendations that were discussed with campus management are presented in detail below."

Transcription

1

2 CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report March 18, 2015

3 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes; to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard; and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. CONCLUSION Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities as of December 5, 2014, taken as a whole, were not sufficient to meet the objectives of this audit. In general, the audit revealed that the campus information security function did not have adequate oversight of and participation from the various decentralized information technology support units on campus. Some issues were identified with security of the centrally administered campus network. Other issues identified in this audit were related to the decentralized computing environments, which were not consistently following the same information security standards as the campus information technology services department. In addition, we found that some observations identified in our 2013 Sensitive Data audit were still in the process of being remediated. Specifically, we found that some information security projects, such as the periodic inventory and assessment of sensitive data and the periodic review of all systems and applications with protected data, had been initiated but not completely implemented as of the time of our review. The issues identified suggest that attention is needed in the decentralized operations to ensure that the campus information security program operates in conformance with existing policy and to a level necessary to meet management expectations. Although many issues listed below represent opportunities to improve the process and methodologies used to administer the information security program at California State University, San Bernardino (CSUSB), effective implementation will require a campuswide commitment. Specific observations and recommendations that were discussed with campus management are presented in detail below. Audit Office of Audit and Advisory Services Page 1

4 S, S, AND RESPONSES 1. INFORMATION SECURITY OVERSIGHT The campus information security office did not have a process to track and report decentralized computing departments compliance with campus information security policies and procedures. This is a repeat finding from the 2013 Sensitive Data audit. We noted that the campus is in the process of implementing an annual risk assessment for all departments on campus, which will require each department to identify sensitive data maintained in paper and electronic format, submit details on controls in place to protect the data, and certify that the department is in compliance with CSU and CSUSB information security policies and procedures, such as performing an annual review over user access privileges for all systems and applications with protected data. The information will be reviewed by the information security office to ensure all sensitive data is accounted for and appropriately secured. Inadequate monitoring and enforcement of campuswide policies and standards limits the campus ability to direct a comprehensive information security program and increases the campus exposure to security breaches and inappropriate use of computing resources. We recommend that the campus complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. We concur. Our action plan is to complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. The anticipated completion date is September 11, INFORMATION SECURITY GOVERNANCE The information security office did not have administrative access to the systems in the decentralized segments of the network and could not provide campuswide network vulnerability analysis. Audit Office of Audit and Advisory Services Page 2

5 Our technical analysis of the network traffic and devices revealed that: Many of the decentralized systems on campus, to which the information security office did not have administrative access, contained numerous vulnerabilities that had not been detected. Baseline security standards for the administration of decentralized servers and desktops had not been formally developed and implemented, and the information security office s recommended practices for implementing secure servers were not being implemented. The inability to identify and monitor all campus IT resources and the lack of baseline server security standards increases the risk of misconfigured systems and may leave the campus vulnerable to both internal and external attacks that could slow or bring down the network. We recommend that the campus: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. We concur. Our action plan is to: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. The anticipated completion date is September 11, INVENTORY OF PROTECTED DATA The campus had not conducted a security assessment to locate and assess security of all protected data maintained in paper format. This is a repeat finding from the 2013 Sensitive Data audit. Audit Office of Audit and Advisory Services Page 3

6 We found that the campus had performed an inventory and assessment of sensitive data maintained electronically, but the assessment did not include paper documents or data maintained by faculty, staff, and auxiliary employees. Inadequate accountability and protection of sensitive information increases the risk of loss and increases campus exposure to inadvertent disclosure of personal data. We recommend that the campus conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. We concur. Our action plan is to conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. The anticipated completion date is September 11, VULNERABILITY MANAGEMENT The campus did not perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network. We found that the campus performed credentialed vulnerability scans of new servers and applications before they are placed in production; however, those scans were only performed for Internet-facing devices. Additionally, there was no process in place to perform periodic vulnerability scans of desktop computers. Our technical analysis identified numerous vulnerabilities on servers, applications, and workstations, and some servers were running obsolete versions of operating systems for which the vendor no longer provided security updates. Inadequate identification and correction of vulnerabilities in a timely manner may lead to a breach of network security and a loss of confidential information. We recommend that the campus: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. Audit Office of Audit and Advisory Services Page 4

7 We concur. Our action plan is to: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. The anticipated completion date is September 11, DESKTOP SOFTWARE MANAGEMENT The campus did not always remove obsolete versions of software and unauthorized software that did not support university business from desktop computers and did not always update browser software. Inadequate updating of browser software and removal of vulnerable software products and unauthorized software may lead to compromise and potential loss of protected confidential information or inappropriate access to systems. We recommend that the campus implement measures to remove unnecessary software and ensure software used on all computers is authorized. We concur. Our action plan is to implement measures to remove unnecessary software and ensure software used on all computers is authorized. The anticipated completion date is September 11, WEB APPLICATION DEVELOPMENT Application development and change management was not adequate to ensure accountability for authorized deployment of web development projects. Specifically, we found that application development and change management processes were generally informal. We reviewed central information technology and a sample of other divisions on the campus that performed web application development and found that: Audit Office of Audit and Advisory Services Page 5

8 The campus did not have a formal policy to govern system development practices. Management approval was not required before projects were placed into production. Security criteria and testing procedures were not always documented. User acceptance testing was not always documented. Developers had the capability to make changes to production versions without authorization. The campus had a development standard in place; however, the standard did not specifically address security requirements unique to web development. The campus information security office recommended that developers follow security standards set by the Open Web Application Security Project and the Web Application Security Consortium, but these standards had not been incorporated into the web development lifecycle to ensure security standards were built into the web systems. The lack of proper software change management and testing procedures increases the risk of unauthorized changes to software, software failure, and security vulnerabilities that could inappropriately expose sensitive data. We recommend that the campus: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. We concur. Our action plan is to: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. Audit Office of Audit and Advisory Services Page 6

9 c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. The anticipated completion date is September 11, DESKTOP SECURITY MANAGEMENT The campus allowed users to have administrative access to their workstations, which allows disabling of some security controls and installation of unauthorized software. Administrative level privileges that allow users to disable security controls and install unauthorized applications may violate California State University (CSU) policy and/or expose the campus network to other vulnerabilities. We recommend that the campus eliminate administrative access to workstations unless it is specifically approved. We concur. Our action plan is to eliminate administrative access to workstations unless it is specifically approved. The anticipated completion date is September 11, INCIDENT REPORTING The process for reporting lost or stolen computers to the information security office needed improvement. Specifically, we found that the users did not notify the information security office when a computer was lost or stolen, as required by campus procedures, so it could investigate whether sensitive information was present on the computers and whether further action was required. We selected a sample of 15 computers reported as lost or stolen from 2012 to 2014 and found that none of them had been reported to the information security office for investigation. The lack of investigation of potential sensitive data on lost or stolen computers increases the risk that information security breaches could go unreported, resulting in significant financial penalty and damage to the campus reputation. Audit Office of Audit and Advisory Services Page 7

10 We recommend that the campus enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. We concur. Our action plan is to enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. This objective is complete. 9. REVIEW OF SECURITY EVENT LOGS The campus did not have formal procedures for reviewing security event logs of operating systems, servers, and applications. We noted that the analysis of audit and security event logs were generally informal, undocumented, and performed on an ad-hoc basis, unless formal periodic reviews were required by outside regulation such as the Health Insurance Portability and Accountability Act. Inadequate review of security logs increases the risk that malicious activity could go undetected or viruses or other malicious code could be embedded within the campus network and its resources, which could lead to confidential information being breached and not reported. We recommend that the campus develop formal procedures for reviewing security event logs of operating systems, servers and applications. We concur. Our action plan is to develop formal procedures for reviewing security event logs of operating systems, servers, and applications. The anticipated completion date is September 11, USER ACCESS PRIVILEGES The process for requesting access to PeopleSoft required improvement. We found that the desired security roles were not consistently documented on the online information access request form. Additionally, requests for access often requested mirroring another individual s access, rather than detailing the specific roles required by that individual. Audit Office of Audit and Advisory Services Page 8

11 The ISO stated that the campus is in the process of remediating this issue with the implementation of an Enterprise Workflow Management system that will streamline the process for people needing access to PeopleSoft modules. Inadequate administration of user accounts increases the risk of inappropriate access. We recommend that the campus ensure that desired security roles are consistently documented on the online information access request forms. We concur. Our action plan is to ensure that desired security roles are consistently documented on the online information access request forms. The anticipated completion date is September 11, Audit Office of Audit and Advisory Services Page 9

12 GENERAL INFORMATION BACKGROUND The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection. It further states that the CSU Information Security Policy shall apply to the following: All campuses. Central and departmentally managed campus information assets. All users employed by campuses or any other person with access to campus information assets. All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic). Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy. The CSU Information Security Policy directs the campus president to appoint an information security officer (ISO) and assign responsibility and authority for administering the information security function. Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry. Audit Office of Audit and Advisory Services Page 10

13 SCOPE At the CSUSB campus, information security is administered by the ISO, who reports to the chief information officer/vice president of information technology services. CSUSB also has an information technology governance committee and information security and emerging technologies committee in place that provide oversight and guidance to the campus on information security issues. Additionally, there are several decentralized IT groups that do not report directly to the campus IT department. As a result, the campus has created IT working groups with other campus departments to help guide compliance with established CSU and CSUSB information security policies, standards, and procedures. Our audit and evaluation included the audit tests we considered necessary in determining whether operational, and administrative controls are in place and operative. The audit focused on procedures in effect from August 11, 2014, through September 12, Specifically, we reviewed and tested: The activities and measures undertaken to protect the confidentiality, integrity, and access and availability of information. Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response. Measures to limit collection of information, control access to data and assure that individuals with access to data do not utilize the data for unauthorized purposes. Encryption of data in storage and transmission. Physical and logical security measures for all data repositories. We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our testing and methodology was designed to provide a managerial level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and our Audit Office of Audit and Advisory Services Page 11

14 CRITERIA AUDIT TEAM testing approach was designed to provide a view of the security technologies used to protect only key computing resources. In addition, selected emerging technologies were not included in the scope of this review. Our audit was based upon standards as set forth in CSU Board of Trustee policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This review emphasized, but was not limited to, compliance with: ICSUAM 8000, Information Security ICSUAM 7000, Identity Management Government Code International Standards Organization 27001, Information Security Management System Standard Senior Director: Mike Caldera Audit Manager: Greg Dove Senior Auditor: Kim Pham Audit Office of Audit and Advisory Services Page 12

INFORMATION SECURITY California Maritime Academy

INFORMATION SECURITY California Maritime Academy CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:

More information

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY Humboldt State University CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of

More information

PAYMENT CARD PROCESSING

PAYMENT CARD PROCESSING CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Long Beach Audit Report 15-43 January 5, 2016 EXECUTIVE SUMMARY OBJECTIVE

More information

PAYMENT CARD PROCESSING

PAYMENT CARD PROCESSING CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012 SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES Audit Report 11-52 January 3, 2012 Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William

More information

IDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY. Audit Report 12-46 December 21, 2012

IDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY. Audit Report 12-46 December 21, 2012 IDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY Audit Report 12-46 December 21, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO. Audit Report 12-35 October 19, 2012

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO. Audit Report 12-35 October 19, 2012 DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO Audit Report 12-35 October 19, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales Glen O. Toney

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

The California State University Office of Audit and Advisory Services CSU COLLEGE REVIEWS. Systemwide

The California State University Office of Audit and Advisory Services CSU COLLEGE REVIEWS. Systemwide CSU The California State University Office of Audit and Advisory Services COLLEGE REVIEWS Systemwide Audit Report 15-28 September 11, 2015 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to

More information

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 12-36 November 2, 2012

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 12-36 November 2, 2012 DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 12-36 November 2, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales Glen

More information

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-53 October 25, 2010

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-53 October 25, 2010 HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 10-53 October 25, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

University System of Maryland University of Maryland, College Park Division of Information Technology

University System of Maryland University of Maryland, College Park Division of Information Technology Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

The California State University Office of Audit and Advisory Services CSU CONSTRUCTION. San José State University. Student Wellness Center

The California State University Office of Audit and Advisory Services CSU CONSTRUCTION. San José State University. Student Wellness Center CSU The California State University Office of Audit and Advisory Services CONSTRUCTION San José State University Student Wellness Center Audit Report 16-09 May 25, 2016 EXECUTIVE SUMMARY OBJECTIVE The

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

The California State University Office of Audit and Advisory Services CSU CLERY ACT. Humboldt State University

The California State University Office of Audit and Advisory Services CSU CLERY ACT. Humboldt State University CSU The California State University Office of Audit and Advisory Services CLERY ACT Humboldt State University Audit Report 15-27 August 5, 2015 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were

More information

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 10-51 October 26, 2010

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 10-51 October 26, 2010 HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 10-51 October 26, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret

More information

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 12-33 September 4, 2012

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 12-33 September 4, 2012 DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 12-33 September 4, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Steven M. Glazer Lupe C. Garcia Hugo N. Morales Glen O.

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-34 October 13, 2010

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-34 October 13, 2010 IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 10-34 October 13, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret

More information

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines California State Polytechnic University, Pomona Desktop Security Standard and Guidelines Version 1.7 February 1, 2008 Table of Contents OVERVIEW...3 AUDIENCE...3 MINIMUM DESKTOP SECURITY STANDARD...3 ROLES

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging Log Management Standard Effective Date: 7/28/2015 1.0 INTRODUCTION The California State University, Chico system/application log management standard identifies event logging requirements, log review frequency,

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...

More information

933 COMPUTER NETWORK/SERVER SECURITY POLICY

933 COMPUTER NETWORK/SERVER SECURITY POLICY 933 COMPUTER NETWORK/SERVER SECURITY POLICY 933.1 Overview. Indiana State University provides network services to a large number and variety of users faculty, staff, students, and external constituencies.

More information

CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 13-28 June 28, 2013

CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 13-28 June 28, 2013 CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 13-28 June 28, 2013 Henry Mendoza, Chair Lupe C. Garcia, Vice Chair Rebecca D. Eisen Steven M. Glazer William Hauck Hugo N. Morales Members,

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer) I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

More information

Information Assurance Policy for Information Systems

Information Assurance Policy for Information Systems Information Assurance Policy for Information Systems 1. Purpose... 3 2. Goals... 3 3. Applicability... 4 4. Compliance... 4 5. Roles & Responsibilities... 4 5.1. All Departments...4 5.2. FCT Information

More information

Information Security Plan May 24, 2011

Information Security Plan May 24, 2011 Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised

More information

THE INFORMATION TECHNOLOGY INFRASTRUCTURE

THE INFORMATION TECHNOLOGY INFRASTRUCTURE Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE INFORMATION TECHNOLOGY INFRASTRUCTURE AND OPERATIONS OFFICE HAD INADEQUATE INFORMATION SECURITY CONTROLS Inquires about this report

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 11-30 August 12, 2011

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 11-30 August 12, 2011 IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 11-30 August 12, 2011 Members, Committee on Audit Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven

More information

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520 AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014 U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department

More information

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2 Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Network Security Policy

Network Security Policy Network Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS

More information

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Application Development within University. Security Checklist

Application Development within University. Security Checklist Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers

More information

IT DISASTER RECOVERY SAN FRANCISCO STATE UNIVERSITY. Audit Report 11-32 August 25, 2011

IT DISASTER RECOVERY SAN FRANCISCO STATE UNIVERSITY. Audit Report 11-32 August 25, 2011 IT DISASTER RECOVERY SAN FRANCISCO STATE UNIVERSITY Audit Report 11-32 August 25, 2011 Members, Committee on Audit Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William

More information

METRO REGIONAL GOVERNMENT Records Retention Schedule

METRO REGIONAL GOVERNMENT Records Retention Schedule Program: Administration IS Administration provides strategic planning, direction, and central management oversight of the Information Services that includes the following programs: Desktop Support Services,

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

Cal Poly Information Security Program

Cal Poly Information Security Program Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

IT Security Policy - Information Security Management System (ISMS)

IT Security Policy - Information Security Management System (ISMS) IT Security Policy - Information Security Management System (ISMS) Responsible Officer Contact Officer Vice-President, Finance & Operations Chief Digital Officer Superseded Documents IT Security Policy,

More information

CITY OF BOULDER *** POLICIES AND PROCEDURES

CITY OF BOULDER *** POLICIES AND PROCEDURES CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of

More information

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

Vulnerability Management Policy

Vulnerability Management Policy Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

NETWORK INFRASTRUCTURE USE

NETWORK INFRASTRUCTURE USE NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and

More information

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY Authority: Category: Applies to: Chancellor, Fayetteville State University University-wide Faculty, Staff, and Students History: Approved on

More information

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004) Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative

More information

GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010

GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010 APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information