Specific observations and recommendations that were discussed with campus management are presented in detail below.
|
|
- Eustacia Shepherd
- 8 years ago
- Views:
Transcription
1
2 CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report March 18, 2015
3 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes; to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard; and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. CONCLUSION Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities as of December 5, 2014, taken as a whole, were not sufficient to meet the objectives of this audit. In general, the audit revealed that the campus information security function did not have adequate oversight of and participation from the various decentralized information technology support units on campus. Some issues were identified with security of the centrally administered campus network. Other issues identified in this audit were related to the decentralized computing environments, which were not consistently following the same information security standards as the campus information technology services department. In addition, we found that some observations identified in our 2013 Sensitive Data audit were still in the process of being remediated. Specifically, we found that some information security projects, such as the periodic inventory and assessment of sensitive data and the periodic review of all systems and applications with protected data, had been initiated but not completely implemented as of the time of our review. The issues identified suggest that attention is needed in the decentralized operations to ensure that the campus information security program operates in conformance with existing policy and to a level necessary to meet management expectations. Although many issues listed below represent opportunities to improve the process and methodologies used to administer the information security program at California State University, San Bernardino (CSUSB), effective implementation will require a campuswide commitment. Specific observations and recommendations that were discussed with campus management are presented in detail below. Audit Office of Audit and Advisory Services Page 1
4 S, S, AND RESPONSES 1. INFORMATION SECURITY OVERSIGHT The campus information security office did not have a process to track and report decentralized computing departments compliance with campus information security policies and procedures. This is a repeat finding from the 2013 Sensitive Data audit. We noted that the campus is in the process of implementing an annual risk assessment for all departments on campus, which will require each department to identify sensitive data maintained in paper and electronic format, submit details on controls in place to protect the data, and certify that the department is in compliance with CSU and CSUSB information security policies and procedures, such as performing an annual review over user access privileges for all systems and applications with protected data. The information will be reviewed by the information security office to ensure all sensitive data is accounted for and appropriately secured. Inadequate monitoring and enforcement of campuswide policies and standards limits the campus ability to direct a comprehensive information security program and increases the campus exposure to security breaches and inappropriate use of computing resources. We recommend that the campus complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. We concur. Our action plan is to complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. The anticipated completion date is September 11, INFORMATION SECURITY GOVERNANCE The information security office did not have administrative access to the systems in the decentralized segments of the network and could not provide campuswide network vulnerability analysis. Audit Office of Audit and Advisory Services Page 2
5 Our technical analysis of the network traffic and devices revealed that: Many of the decentralized systems on campus, to which the information security office did not have administrative access, contained numerous vulnerabilities that had not been detected. Baseline security standards for the administration of decentralized servers and desktops had not been formally developed and implemented, and the information security office s recommended practices for implementing secure servers were not being implemented. The inability to identify and monitor all campus IT resources and the lack of baseline server security standards increases the risk of misconfigured systems and may leave the campus vulnerable to both internal and external attacks that could slow or bring down the network. We recommend that the campus: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. We concur. Our action plan is to: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. The anticipated completion date is September 11, INVENTORY OF PROTECTED DATA The campus had not conducted a security assessment to locate and assess security of all protected data maintained in paper format. This is a repeat finding from the 2013 Sensitive Data audit. Audit Office of Audit and Advisory Services Page 3
6 We found that the campus had performed an inventory and assessment of sensitive data maintained electronically, but the assessment did not include paper documents or data maintained by faculty, staff, and auxiliary employees. Inadequate accountability and protection of sensitive information increases the risk of loss and increases campus exposure to inadvertent disclosure of personal data. We recommend that the campus conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. We concur. Our action plan is to conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. The anticipated completion date is September 11, VULNERABILITY MANAGEMENT The campus did not perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network. We found that the campus performed credentialed vulnerability scans of new servers and applications before they are placed in production; however, those scans were only performed for Internet-facing devices. Additionally, there was no process in place to perform periodic vulnerability scans of desktop computers. Our technical analysis identified numerous vulnerabilities on servers, applications, and workstations, and some servers were running obsolete versions of operating systems for which the vendor no longer provided security updates. Inadequate identification and correction of vulnerabilities in a timely manner may lead to a breach of network security and a loss of confidential information. We recommend that the campus: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. Audit Office of Audit and Advisory Services Page 4
7 We concur. Our action plan is to: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. The anticipated completion date is September 11, DESKTOP SOFTWARE MANAGEMENT The campus did not always remove obsolete versions of software and unauthorized software that did not support university business from desktop computers and did not always update browser software. Inadequate updating of browser software and removal of vulnerable software products and unauthorized software may lead to compromise and potential loss of protected confidential information or inappropriate access to systems. We recommend that the campus implement measures to remove unnecessary software and ensure software used on all computers is authorized. We concur. Our action plan is to implement measures to remove unnecessary software and ensure software used on all computers is authorized. The anticipated completion date is September 11, WEB APPLICATION DEVELOPMENT Application development and change management was not adequate to ensure accountability for authorized deployment of web development projects. Specifically, we found that application development and change management processes were generally informal. We reviewed central information technology and a sample of other divisions on the campus that performed web application development and found that: Audit Office of Audit and Advisory Services Page 5
8 The campus did not have a formal policy to govern system development practices. Management approval was not required before projects were placed into production. Security criteria and testing procedures were not always documented. User acceptance testing was not always documented. Developers had the capability to make changes to production versions without authorization. The campus had a development standard in place; however, the standard did not specifically address security requirements unique to web development. The campus information security office recommended that developers follow security standards set by the Open Web Application Security Project and the Web Application Security Consortium, but these standards had not been incorporated into the web development lifecycle to ensure security standards were built into the web systems. The lack of proper software change management and testing procedures increases the risk of unauthorized changes to software, software failure, and security vulnerabilities that could inappropriately expose sensitive data. We recommend that the campus: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. We concur. Our action plan is to: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. Audit Office of Audit and Advisory Services Page 6
9 c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. The anticipated completion date is September 11, DESKTOP SECURITY MANAGEMENT The campus allowed users to have administrative access to their workstations, which allows disabling of some security controls and installation of unauthorized software. Administrative level privileges that allow users to disable security controls and install unauthorized applications may violate California State University (CSU) policy and/or expose the campus network to other vulnerabilities. We recommend that the campus eliminate administrative access to workstations unless it is specifically approved. We concur. Our action plan is to eliminate administrative access to workstations unless it is specifically approved. The anticipated completion date is September 11, INCIDENT REPORTING The process for reporting lost or stolen computers to the information security office needed improvement. Specifically, we found that the users did not notify the information security office when a computer was lost or stolen, as required by campus procedures, so it could investigate whether sensitive information was present on the computers and whether further action was required. We selected a sample of 15 computers reported as lost or stolen from 2012 to 2014 and found that none of them had been reported to the information security office for investigation. The lack of investigation of potential sensitive data on lost or stolen computers increases the risk that information security breaches could go unreported, resulting in significant financial penalty and damage to the campus reputation. Audit Office of Audit and Advisory Services Page 7
10 We recommend that the campus enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. We concur. Our action plan is to enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. This objective is complete. 9. REVIEW OF SECURITY EVENT LOGS The campus did not have formal procedures for reviewing security event logs of operating systems, servers, and applications. We noted that the analysis of audit and security event logs were generally informal, undocumented, and performed on an ad-hoc basis, unless formal periodic reviews were required by outside regulation such as the Health Insurance Portability and Accountability Act. Inadequate review of security logs increases the risk that malicious activity could go undetected or viruses or other malicious code could be embedded within the campus network and its resources, which could lead to confidential information being breached and not reported. We recommend that the campus develop formal procedures for reviewing security event logs of operating systems, servers and applications. We concur. Our action plan is to develop formal procedures for reviewing security event logs of operating systems, servers, and applications. The anticipated completion date is September 11, USER ACCESS PRIVILEGES The process for requesting access to PeopleSoft required improvement. We found that the desired security roles were not consistently documented on the online information access request form. Additionally, requests for access often requested mirroring another individual s access, rather than detailing the specific roles required by that individual. Audit Office of Audit and Advisory Services Page 8
11 The ISO stated that the campus is in the process of remediating this issue with the implementation of an Enterprise Workflow Management system that will streamline the process for people needing access to PeopleSoft modules. Inadequate administration of user accounts increases the risk of inappropriate access. We recommend that the campus ensure that desired security roles are consistently documented on the online information access request forms. We concur. Our action plan is to ensure that desired security roles are consistently documented on the online information access request forms. The anticipated completion date is September 11, Audit Office of Audit and Advisory Services Page 9
12 GENERAL INFORMATION BACKGROUND The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection. It further states that the CSU Information Security Policy shall apply to the following: All campuses. Central and departmentally managed campus information assets. All users employed by campuses or any other person with access to campus information assets. All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic). Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy. The CSU Information Security Policy directs the campus president to appoint an information security officer (ISO) and assign responsibility and authority for administering the information security function. Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry. Audit Office of Audit and Advisory Services Page 10
13 SCOPE At the CSUSB campus, information security is administered by the ISO, who reports to the chief information officer/vice president of information technology services. CSUSB also has an information technology governance committee and information security and emerging technologies committee in place that provide oversight and guidance to the campus on information security issues. Additionally, there are several decentralized IT groups that do not report directly to the campus IT department. As a result, the campus has created IT working groups with other campus departments to help guide compliance with established CSU and CSUSB information security policies, standards, and procedures. Our audit and evaluation included the audit tests we considered necessary in determining whether operational, and administrative controls are in place and operative. The audit focused on procedures in effect from August 11, 2014, through September 12, Specifically, we reviewed and tested: The activities and measures undertaken to protect the confidentiality, integrity, and access and availability of information. Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response. Measures to limit collection of information, control access to data and assure that individuals with access to data do not utilize the data for unauthorized purposes. Encryption of data in storage and transmission. Physical and logical security measures for all data repositories. We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our testing and methodology was designed to provide a managerial level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and our Audit Office of Audit and Advisory Services Page 11
14 CRITERIA AUDIT TEAM testing approach was designed to provide a view of the security technologies used to protect only key computing resources. In addition, selected emerging technologies were not included in the scope of this review. Our audit was based upon standards as set forth in CSU Board of Trustee policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This review emphasized, but was not limited to, compliance with: ICSUAM 8000, Information Security ICSUAM 7000, Identity Management Government Code International Standards Organization 27001, Information Security Management System Standard Senior Director: Mike Caldera Audit Manager: Greg Dove Senior Auditor: Kim Pham Audit Office of Audit and Advisory Services Page 12
INFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationINFORMATION SECURITY Humboldt State University
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Long Beach Audit Report 15-43 January 5, 2016 EXECUTIVE SUMMARY OBJECTIVE
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationSENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012
SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES Audit Report 11-52 January 3, 2012 Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William
More informationIDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY. Audit Report 12-46 December 21, 2012
IDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY Audit Report 12-46 December 21, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales
More informationThe California State University Office of Audit and Advisory Services CSU COLLEGE REVIEWS. Systemwide
CSU The California State University Office of Audit and Advisory Services COLLEGE REVIEWS Systemwide Audit Report 15-28 September 11, 2015 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to
More informationDATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO. Audit Report 12-35 October 19, 2012
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHICO Audit Report 12-35 October 19, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales Glen O. Toney
More informationData Center Operations and Security Requirements
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 12-36 November 2, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Lupe C. Garcia Steven M. Glazer Hugo N. Morales Glen
More informationHIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-53 October 25, 2010
HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 10-53 October 25, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationUniversity System of Maryland University of Maryland, College Park Division of Information Technology
Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationThe California State University Office of Audit and Advisory Services CSU CONSTRUCTION. San José State University. Student Wellness Center
CSU The California State University Office of Audit and Advisory Services CONSTRUCTION San José State University Student Wellness Center Audit Report 16-09 May 25, 2016 EXECUTIVE SUMMARY OBJECTIVE The
More informationHIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 10-51 October 26, 2010
HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 10-51 October 26, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret
More informationDATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 12-33 September 4, 2012
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 12-33 September 4, 2012 Henry Mendoza, Chair William Hauck, Vice Chair Steven M. Glazer Lupe C. Garcia Hugo N. Morales Glen O.
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationIT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-34 October 13, 2010
IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 10-34 October 13, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret
More informationBUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04
BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationThe California State University Office of Audit and Advisory Services CSU CLERY ACT. Humboldt State University
CSU The California State University Office of Audit and Advisory Services CLERY ACT Humboldt State University Audit Report 15-27 August 5, 2015 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationCREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 13-28 June 28, 2013
CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 13-28 June 28, 2013 Henry Mendoza, Chair Lupe C. Garcia, Vice Chair Rebecca D. Eisen Steven M. Glazer William Hauck Hugo N. Morales Members,
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationLog Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging
Log Management Standard Effective Date: 7/28/2015 1.0 INTRODUCTION The California State University, Chico system/application log management standard identifies event logging requirements, log review frequency,
More informationCalifornia State Polytechnic University, Pomona. Desktop Security Standard and Guidelines
California State Polytechnic University, Pomona Desktop Security Standard and Guidelines Version 1.7 February 1, 2008 Table of Contents OVERVIEW...3 AUDIENCE...3 MINIMUM DESKTOP SECURITY STANDARD...3 ROLES
More information933 COMPUTER NETWORK/SERVER SECURITY POLICY
933 COMPUTER NETWORK/SERVER SECURITY POLICY 933.1 Overview. Indiana State University provides network services to a large number and variety of users faculty, staff, students, and external constituencies.
More informationApproved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee
Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationInformation Security Plan May 24, 2011
Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationC. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationTHE INFORMATION TECHNOLOGY INFRASTRUCTURE
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE INFORMATION TECHNOLOGY INFRASTRUCTURE AND OPERATIONS OFFICE HAD INADEQUATE INFORMATION SECURITY CONTROLS Inquires about this report
More informationIT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report 11-30 August 12, 2011
IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS Audit Report 11-30 August 12, 2011 Members, Committee on Audit Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationResponsible Access and Use of Information Technology Resources and Services Policy
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
More informationIT DISASTER RECOVERY SAN FRANCISCO STATE UNIVERSITY. Audit Report 11-32 August 25, 2011
IT DISASTER RECOVERY SAN FRANCISCO STATE UNIVERSITY Audit Report 11-32 August 25, 2011 Members, Committee on Audit Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationHealthcare Insurance Portability & Accountability Act (HIPAA)
O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationEVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department
More informationNETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationDepartment of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government
Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationSTRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction
Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,
More informationNSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division
AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationDepartment of Health and Human Services OFFICE OF INSPECTOR GENERAL
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationHow To Improve Nasa'S Security
DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Office of Research, Analysis, and Statistics Needs to Address Computer Security Weaknesses September 17, 2008 Reference Number: 2008-20-176 This report
More informationOFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationNetwork Security Policy
Network Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS
More informationResponsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy
1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines
More informationVulnerability Management Policy
Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully
More informationCITY OF BOULDER *** POLICIES AND PROCEDURES
CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationIT Security Standard: Computing Devices
IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:
More informationThe Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard
The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More information1B1 SECURITY RESPONSIBILITY
(ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,
More informationMedicare & Medicaid Services Efforts to Address Prior Office of Inspector General Findings After the 2008 audit
DEPARTMENT OF HEALTH & HUMAN SERVICES Office of Inspector General Washington, D.C. 20201 May 16, 2011 TO: Georgina Verdugo Director Office for Civil Rights FROM: /Daniel R. Levinson/ Inspector General
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationCSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationApplication Development within University. Security Checklist
Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationNew River Community College. Information Technology Policy and Procedure Manual
New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationContact: Henry Torres, (870) 972-3033
Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures
More informationOhio Supercomputer Center
Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationAudit of Security Controls for DHS Information Technology Systems at San Francisco International Airport
Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport May 7, 2015 DHS OIG HIGHLIGHTS Audit of Security Controls for DHS Information Technology Systems
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More information