Security Compliance Assessment Checklist

Size: px
Start display at page:

Download "Security Compliance Assessment Checklist"

Transcription

1 Security Compliance Assessment Checklist ITO Security Services January 2011 V0.2

2 Intro This checklist is used to evaluate project compliance with the Government of Saskatchewan IT Security Standards The purpose is to assist project teams in ensuring compliance, and to report on compliance to ministry security officers and ITO management. A score is not assigned based on the results, but rather a report on compliance is provided as an output from this checklist. Usage All questions are to be answered as yes, no, or not applicable. Any questions resulting in a no are to include details as to why compliance was not achieved. Completion The completed checklist is to be completed by the assigned Security Architect.. 1

3 Table of Contents Intro... 1 Usage... 1 Completion ORGANIZING INFORMATION SECURITY Internal Organization External Parties ASSET MANAGEMENT Responsibility for Assets Information Classification HUMAN RESOURCES SECURITY Prior to Employment During Employment Termination or Change of Employment PHYSICAL AND ENVIRONMENTAL SECURITY Secured Areas Equipment Security COMMUNICATIONS AND OPERATIONS MANAGEMENT Operational Procedures and Responsibilities Third Party Service Delivery Management System Planning and Acceptance Protection against Malicious and Mobile Code Back-up Network Security Management Media Handling Exchange of Information Electronic Commerce Services Monitoring ACCESS CONTROL Access Control Policy User Access Management User responsibilities Network Access Control Operating System Access Control Application and Information Access Control Mobile computing and teleworking INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE Security requirements of information systems Correct processing in applications Cryptographic controls Security of system files Security in development and support processes Technical vulnerability management INFORMATION SECURITY INCIDENT MANAGEMENT

4 13.1 Reporting Information Security Events and Weaknesses BUSINESS CONTINUITY MANAGEMENT Information Security Aspects of Business Continuity Management Compliance Compliance with Legal Requirements Compliance with Security Policies and Standards, and Technical Compliance Information System Audit Considerations

5 6 ORGANIZING INFORMATION SECURITY 6.1 Internal Organization The Government of Saskatchewan has established a framework to initiate and control the implementation of information security within the organization. The Government of Saskatchewan has approved the information security policies, assigned security roles and will coordinate and review the implementation of security across the organization. A source of specialist information and security advice has been established and made available within the organization. Contacts with external security specialists and groups, including relevant authorities, has been developed to keep up with industrial trends, monitor standards and assessment methods, and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security has been encouraged Is the solution being hosted at an approved information processing facility? Have confidentiality clauses been included in vendor contracts? 6.2 External Parties The security of the Government of Saskatchewan information and information processing facilities will not be reduced by the introduction of external party products or services. Any access to the Government of Saskatchewan information processing facilities and processing and communication of information by external parties will be controlled. Where there is a business need for working with external parties that may require access to the organization s information and information processing facilities, or in obtaining or providing a product and service from or to an external party, a risk assessment will be carried out to determine security implications and control requirements. Controls will be agreed to and defined in a written agreement with the third party Was a risk assessment carries out prior to providing contractor access to government assets or data? Does a written agreement exist to provide vendor or contractor access to government assets or data? 4

6 7 ASSET MANAGEMENT 7.1 Responsibility for Assets The Government of Saskatchewan ensures all assets are accounted for and have a nominated owner. Owners are identified for all assets and the responsibility for the maintenance of appropriate controls is assigned. The implementation of specific controls may be delegated by the owner as appropriate but the owner remains responsible for the proper protection of the assets Have the following been defined for the project: All information necessary to recover from a disaster The ownership of the asset (owner is responsible for asset classification and review) The classification of the information The business value of the asset (or group of related assets) For physical assets, which employee has signed out the asset for use (via an asset sign-out agreement) if leaving an approved government facility 7.2 Information Classification Information is classified to indicate the need, priorities and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme is used to define an appropriate set of protection levels and communicate the need for special handling measures Has the data within the solution been classified? Do agreements with external parties or organizations that include information sharing include clauses governing the classification of shared information and mapping external classifications to Government of Saskatchewan classifications? 5

7 8 HUMAN RESOURCES SECURITY 8.1 Prior to Employment To reduce the risk of theft, fraud, or misuse of facilities, ministries ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are assigned. Security responsibilities are identified in job descriptions and in the terms and conditions of employment prior to employment. All candidates for employment, contractors, and third party users are adequately screened, especially for sensitive jobs. Employees, contractors and third party users of information processing facilities sign an agreement on their security roles and responsibilities. (Explanation: The word employment covers all the following situations: employment of people (temporary and otherwise), appointment of job roles, change of job roles, assignment of contracts, and the termination of any of these arrangements) Have specific roles for security been defined for the project? Have background checks been performed for all project staff with access to government data or assets? Have all relevant terms and conditions been included in employment contracts for project staff? 8.2 During Employment Each ministry s Security Officer ensures that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. Management responsibilities are defined to ensure that security is applied throughout an individual s employment within the organization. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities are provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches has been established Have all project staff been provided with a copy of the security policies, standards, and specifications? Have all project staff been provided with relevant security training? 6

8 8.3 Termination or Change of Employment Each ministry s Security Officer ensures that employees, contractors and third party users exit an organization or change employment in an orderly manner. Responsibilities are in place to ensure employees, contractors, or third party users exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed. Change of responsibilities and employments within an organization is managed as the termination of the previous position or employment in line with Objective 8.3 Termination or change of employment, and any new position or employment is managed as described in Objective 8.1 Prior to Employment Have processes been implemented to properly remove project staff access to data and assets? 9 PHYSICAL AND ENVIRONMENTAL SECURITY 9.1 Secured Areas The Government of Saskatchewan has implemented security measures to prevent unauthorized access, damage, and interference to premises and information. Additionally, critical or sensitive information processing facilities are housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They are physically protected from unauthorized access, damage, and interference. The protection provided is commensurate with the identified risks as determined by a formal security assessment Have physical security measures been implemented to deter access to areas containing sensitive information or physical assets? 9.2 Equipment Security Equipment is protected from physical and environmental threats. Protection of equipment, including equipment siting and disposal, (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. Special controls are required to protect against physical threats, and to safeguard information processing facilities, including the electrical supply and cabling infrastructure a Have mobile devices been physically secured? b Have project staff been provided with the Mobile Device Policy? 7

9 Is all cabling secured and not routed through publically accessible area s? Have project staff been provided with the Government of Saskatchewan Disposal Guidelines? 10 COMMUNICATIONS AND OPERATIONS MANAGEMENT 10.1 Operational Procedures and Responsibilities Responsibilities and appropriate operating procedures for the management and operation of all information processing facilities are established. Segregation of duties is implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse Has access to project operating procedures been restricted to only the required project staff? Does the project follow the approved change management process? Does the project ensure the separation of duties? Does the project ensure the separation of development, testing, and production facilities and data? 8

10 10.2 Third Party Service Delivery Management The Government of Saskatchewan checks the implementation of agreements, monitors compliance with the agreements and manages changes to ensure that the services delivered meet all requirements agreed with the third party Do third party service delivery agreements include: Security arrangements Service definitions Aspects of service management that relate to business continuity A transition plan to internal delivery (where appropriate) Has an owner for third party service delivery management been defined? 10.3 System Planning and Acceptance As availability is understood to be a corner stone of the Information Security (Confidentiality, Integrity, Availability), the Government of Saskatchewan ensures advance planning and preparations are made to ensure the availability of adequate capacity and resources to deliver the required system performance. In addition, projections of future capacity requirements are made to reduce the risk of system overload. The operational requirements of new systems are established, documented and tested prior to their acceptance and use Has a plan been developed to monitor for utilization and make periodic capacity requirement projections? Has appropriate acceptance testing been carried out in accordance with the criteria documented in the operating procedures? 10.4 Protection against Malicious and Mobile Code The Government of Saskatchewan ensures users are aware of the dangers of malicious code. The Government of Saskatchewan, where appropriate, has introduced controls to prevent, detect, and remove malicious code and control mobile code Has the project considered actions to prevent against malicious code. 9

11 10.5 Back-up The Government of Saskatchewan has procedures established for taking back-up copies of data and rehearsing their timely restoration Has a plan been developed to backup the solution that meets the requirements of the business continuity plan? 10.6 Network Security Management The Government of Saskatchewan ensures the protection of information in networks and the protection of the supporting infrastructure. To ensure the secure management of networks, which may span organizational boundaries, ITO provides careful consideration to dataflow, legal implications, monitoring, and protection. The Government of Saskatchewan provides additional controls required to protect sensitive information passing over public networks a Has a project implemented logical network zones that organize nodes based on function, data services offered, and ownership of information? b Is access restricted based upon defined rules that restrict connections to only the ports and services required to perform the business function? c Are all devices connected to the ITO network authorized according to defined procedures? 10.7 Media Handling The Government of Saskatchewan prevents unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities, caused by inappropriate media handling or failure. Media is controlled and physically protected. Appropriate operating procedures are established to protect documents, computer media (e.g. tapes, disks), input/output data, and system documentation for unauthorized disclosure, modification, removal, and destruction a Does the project use any removable media such as backup tapes or USB thumb drives? 10

12 b If removable media is used, does it meet the following requirements: If no longer required, the contents of any re-usable media that are to be removed from the organization must be made unrecoverable Where necessary (as defined by the information classification of the data contained on the media) and practical, authorization must be required for media removed from the organization and a record of such removals must be kept in order to maintain an audit trail All media must be stored in a safe, secure environment, in accordance with manufacturers specifications Information stored on media that needs to be available longer than the media lifetime (in accordance with the manufacturers specifications) should be also stored elsewhere to avoid information loss due to media deterioration Removable media drives should only be enabled if there is a business reason for doing so Removable media drives should not be relied upon for primary storage, it should be used for backup or transport purposes only Sensitive or confidential documents are not to be stored on removable media unless encrypted Has media that is no longer required been disposed of in accordance with the SPM Disposal Policy? 11

13 10.8 Exchange of Information The Government of Saskatchewan maintains the security of information and software exchanged within an organization and with any external entity. Exchanges of information and software between organizations are based on a formal exchange policy, carried out in line with exchange agreements, and are compliant with any relevant legislation (see also the Compliance chapter). The Government of Saskatchewan has established procedures and standards to protect information and physical media containing information in transit Have all electronic exchanges of information been implemented in compliance with Government of Saskatchewan Information Exchange specifications outlined below: Procedures to protect exchanged information from interception, copying, modification, misrouting, and destruction Use of cryptographic techniques, for example to protect the confidentiality, integrity and authenticity of information as per objective 12.3 of [ISO27002] Cryptographic controls Controls and restrictions associated with the forwarding of communications facilities (for example, automatic forwarding of electronic mail to external mail addresses) Have procedures been implemented to ensure that physical media containing sensitive information is protected against unauthorized access, misuse, or corruption while in transit outside of ITO-secured physical boundaries that include: Encryption requirements for electronic data protection Authorized couriers or approved reliable transport methods Confirmation of identification for couriers Where necessary, hand-delivery of packages Sufficiently protective packaging to prevent physical damage Sufficiently protective packaging to detect tampering or, where necessary, physically prevent unauthorized disclosure (locked containers, etc) In exceptional cases, splitting the consignment into more than one delivery and dispatch by different means 12

14 Have procedures been implemented to ensures that information exchanged with external parties via electronic messaging is appropriately protected and includes: Protecting messages from unauthorized access, modification, or denial of service Ensuring correct addressing and transport of the message Obtaining approval prior to using external public services such as instant messaging or file sharing Stronger levels of authentication controlling access from publicly accessible networks 10.9 Electronic Commerce Services The ministry ensures the security of electronic commerce services, and their secure use. The security implications associated with using electronic commerce services, including the on-line transactions, and the requirements for controls, should be considered. The integrity and availability of information electronically published through publicly available systems should also be considered Has the project team considered the following security requirements for electronic commerce and addresses some of these through the application of security controls: The level of confidence in the identity of each party required Authorization processes for price setting and the issuing and signing of key trading documents Fully informing commerce partners of their authorizations and agreed terms of commerce in a documented agreement The level of protection required to maintain the confidentiality and integrity of any order transactions, payment information, delivery address details, confirmation of receipts, and any other sensitive data or information Degree of verification appropriate to check payment information Guard against fraud with the appropriate settlement form of payment Avoidance of loss or duplication of transaction information Fraudulent transaction liability Legal, regulatory, and insurance requirements Resilience to attack of the host(s) The security implications of any network interconnection 13

15 Has the project team ensured electronic commerce services include the following technical security considerations for on-line transactions: Electronic signatures User credential verification Confidentiality Privacy Encryption Secured protocols Information storage medium Physical and logical security of stored transaction information When using a trusted authority, integrate and embed security throughout the entire process Adopt controls commensurate with the level of the risk Legal and regulatory compliance Has a plan been developed to test the publicly accessible system for weaknesses and failures prior to the information being made available? Monitoring The Government of Saskatchewan has implemented processes to detect unauthorized information processing activities. Systems are monitored and information security events are recorded. Operator logs and fault logging are used to ensure information system problems are identified. The Government of Saskatchewan complies with all relevant legal and policy requirements applicable to its monitoring and logging activities. System monitoring is used to check the effectiveness of controls adopted and to verify conformity to an access policy model a Has the project team ensured audit logs recording user activities, exceptions, and information security events are produced for all supported information systems? b Has a procedure been implemented to ensure audit logs are retained for a period of time specified by the [SaskArch], and the audit logging process is reviewed annually? 14

16 c Do audit logs include, where relevant: User IDs Dates, times, and details of key events Terminal identity or location Records of successful and rejected system access attempts Records of successful and rejected data and other resource access attempts Changes to system configuration Use of elevated privileges Use of system utilities and applications Files accessed and the kind of access Network addresses and protocols Alarms raised by the access control system Activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems d Audit logs may contain confidential information that would be of value to potential intruders. Have audit logs been inventoried and classified, and has a formal approval process been developed before information in logs is made publically available? Have privacy measures been implemented to protect log file integrity and confidentiality? Have procedure for monitoring system use been developed and the following criteria been evaluated: Authorized access, including details such as: user ID, date and time of key events, types of events, files accessed, programs or utilities used Privileged operations, such as: o Use of privileged accounts (for example: supervisor, root, administrator) o System start-up and shut-down o I/O device attachment and detachment Unauthorized access attempts, such as: o Failed or rejected user actions o Failed or rejected actions involving data and other resources o Access specification violations and notifications for network gateways and firewalls o Alerts from intrusion detection systems 15

17 System alerts or failures, especially on the monitoring system itself, such as: o Console alerts or messages o System log exceptions o Network management system alarms o Alarms raised by the access control system o Changes to, or attempts to change, system security settings and controls Have procedures been developed to ensure that logging facilities and log information are protected against tampering and unauthorized access? Does the project ensure system administrator and system operator activities are logged congruent with the classification of the computing asset and data residing on the computing asset and the log will at a minimum include: A timestamp showing when an event occurred Information about the event or error Which account and which administrator was involved Which applications were involved Details of what was accessed during a session Details of what was denied during a session Has the project ensured, where enabled by the underlying technology, all information processing systems with the same security domain are synchronized with an agreed accurate time source? 16

18 11 ACCESS CONTROL 11.1 Access Control Policy Ministries control access to information and business processes are controlled on the basis of business and security requirements. The Government of Saskatchewan controls access to information processing facilities and equipment. Access control rules take into account policies for information dissemination and authorization a Has the project team been provided with the GOS Access Control specification? b Has the project been implemented in compliance with the GOS Access Control Specification? 11.2 User Access Management Ministries, in cooperation with the ITO, have processes to ensure authorized user access and prevent unauthorized access to information systems. Ministries, in cooperation with the ITO, have formal procedures in place to control the allocation of access rights to information systems and services. The procedures cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls Has the project developed procedures for, or referenced existing procedures for, the registration and de-registration of access privileges for all information systems and services that include: Approval process Unique identity Minimal privileges necessary to meet business requirements are issued Authorization and level of access must be driven by a business purpose Users should receive a written statement describing their access privileges Registration and de-registration actions must be recorded 17

19 Has the project been implemented in compliance with the GOS Password Specification? Has a procedure been developed to periodically, and upon change in employment status of a user, review the access rights? 11.3 User responsibilities The Government of Saskatchewan has implemented procedures to prevent unauthorized user access, and compromise or theft of information and information processing facilities. The co-operation of authorized users is essential for effective security as such users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment. A clear desk and clear screen policy has been implemented to reduce the risk of unauthorized access or damage to papers, media, and information processing facilities a Does the project ensure that end-users are required to follow the password specification by using technologies that enforce strong passwords? b Has the project provided the Service Desk with documented methods to assist GOS staff with password problems in a secure fashion? Has the project provided procedures and (where necessary) supporting physical security equipment to ensure that mobile devices and equipment have appropriate protection? Has the project team and any third party service providers been advised of the active and approved document that defines a clear desk and clear screen policy? 18

20 11.4 Network Access Control The Government of Saskatchewan prevents unauthorized access to networked services. The Government of Saskatchewan ensures access to networks and related network services do not compromise the security of the network by ensuring appropriate interfaces are in place between the organization s network and networks operated by other organizations, public networks, and that authentication mechanisms are applied for users and equipment with control of user access to information services enforced Does the project implement technological controls to ensure only authorized services are provided with access to the network, following the principle of least privilege, and that those services have been specifically authorized to use by the privilege management section of [AccessPol] and/or the firewall change management process? Does the project ensure that authentication technology solutions are highly secure to provide reliable confidence in authentication credentials which, at a minimum, will: Use multi-factor authentication methods for remote users Utilize secure encryption methods for data passed in the authentication process a Has the project identified, by risk assessment, networks required for segregation and their associated information assets and services, especially wireless networks? b Does the project ensure that Network access controls between domains are implemented, appropriate to the level of risk, value of the information assets, and performance requirements within the domain? 19

21 11.5 Operating System Access Control The Government of Saskatchewan prevents unauthorized access to operating systems.security facilities are used to restrict operating systems access to authorized users. The facilities are capable of the following: Authenticating authorized users, in accordance with a defined access control policy; Recording successful and failed system authentication attempts; Recording the use of special system privileges; Issuing alarms when system security policies are breached; Providing appropriate means for authentication; Where appropriate, restricting the connection time of users Does the project use the provided password management system or implement a password management system able to enforce specific password standards. The password management system, at a minimum, enforces: Unique IDs for users The ability of users to choose their own password The use of high-quality passwords (determined by length, complexity of character set used, and resistance to dictionary attacks) Periodic changing of passwords, including the prevention of password re-use for a period of time The storage and transmission of passwords in a protected form (including display when typing) and separated from application system data Does the project, where made possible by the technology in use, implemented the use of automatic log-out or screen locking for sessions that exceed a reasonable period of inactivity? ( Technologies that do not permit session time-outs should be used only where no feasible alternative exists) a Has the project, where made possible by the technology in use, implemented the use of connection time limitations (such as time-of-day and session duration) for sensitive applications in high-risk locations? b Has the project formally considered re-authentication at timed intervals for sensitive applications in high-risk locations? 20

22 11.6 Application and Information Access Control The Government of Saskatchewan prevents unauthorized access to information held in application systems. Security facilities are used to restrict access to authorized users. Application systems: Control user access to information and application system functions. Provide protection from unauthorized access by any utility, operating system software, and malicious software that is capable of overriding or bypassing system or application controls; Do not compromise other systems with which information resources are shared Does the project ensure that methods to bypass access control restrictions are removed or disabled from applications? Has the project provide considered, on a per asset basis, physically or logically isolating information processing assets that are identified as sensitive? Has the project, for environments that must be shared, performed a risk assessment and implemented appropriate controls to reduce risk to shared environments? 11.7 Mobile computing and teleworking The Government of Saskatchewan ensures information security when using mobile computing and teleworking facilities. The protection required is commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment are considered and appropriate protection applied. In the case of teleworking ITO applies protection to the teleworking site and ensures that suitable arrangements are in place for this way of working Has the project developed procedures, authorization processes, and operational documents to support teleworking activities that at a minimum consider: The use of non-ito equipment such as home networking equipment or computers, including support considerations and insurance Any legislation or other regulations preventing ITO from performing intrusive security assessments on non-ito equipment Software licensing Business use requirements to determine teleworking access, and revocation of teleworking access when no longer required 21

23 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE 12.1 Security requirements of information systems The Government of Saskatchewan ensures that security is an integral part of information systems. Information systems include operating systems, infrastructure, business applications, off-the-shelf, products, services, and ITO developed applications. The design and implementation of the information system supporting the business process can be crucial for security. Security requirements are identified and agreed prior to the development and/or implementation of information systems. All security requirements are identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system a Has the project formally assessed the risk and considered additional controls where security requirements cannot be satisfied? b Was a formal testing and acquisition process followed and security requirements identified, prior to purchasing technology products, to include in the contract with the supplier? (Security resources must be consulted throughout the process of any acquisition which may affect the security posture of the organization) 12.2 Correct processing in applications The Government of Saskatchewan prevents errors, loss, unauthorized modification or misuse of information in applications. Appropriate controls are designed into applications, including ITO developed applications to ensure correct processing. These controls include the validation of input data, internal processing, and output data. The Government of Saskatchewan implements additional controls as required, based on security requirements and risk assessments, for systems that process, or have an impact on, sensitive, valuable, or critical information a Has the project ensured data input validation has be applied to: Business transactions Standing data Parameter tables 22

24 b Has the project formally consider the following data input validation checks: Out-of-range values Invalid characters or data type in data fields Missing or incomplete data Exceeding upper and lower data volume limits Unauthorized or inconsistent control data Error messages are appropriate for the type of error encountered c Has the project, when developing, modifying, or acquiring applications, assessed the business impact of corrupt data when incorporating internal processing controls to minimize the loss of data integrity? d Has the project formally consider these specific areas to minimize processing failures: Use add, modify, and delete functions to change data Procedures to ensure programs run at the correct time, prevent programs running in the wrong order, and running after failure of prior processing Use of appropriate programs to recover from failures Protection against buffer overrun/overflow attacks Reconciliation of data file balances after transaction updates Validation of system-generated input data Integrity checks on uploaded/downloaded data and software Totals of records and files Logging processing activities Has the project, when developing, modifying or acquiring applications, conducts assessments of security risks to determine if protecting message integrity in applications is required and whether cryptographic techniques (message authentication) or other method should be utilized? (Message authentication is concerned with protecting the integrity of the message, validating the identity of the originator, and non-repudiation) 23

25 Has the project, when developing or modifying applications, included the following application data output validation: Define the responsibilities of all personnel involved in the data output process Plausibility checks Reconciliation control counts Provide information to determine the accuracy, completeness, precision, and classification of the information Procedures for responding to output validation test failures or errors Log data output validation activities 12.3 Cryptographic controls The Government of Saskatchewan protects the confidentiality, authenticity, and integrity of sensitive information by cryptographic means. A policy has been developed on the use of cryptographic controls. Cryptographic key management of has been formally considered to support the use of cryptographic techniques a Has the project utilized encryption and has the key management system been based on an agreed set of standards, procedures, and secure methods for: Generating keys for different cryptographic systems and different applications Generating and obtaining public key certificates obtaining, revoking, withdrawing, expiration, destroying, and archiving keys Rules for key changes and updates Distribution, activation, storing (including physical protection of equipment used to generate, store and archive keys), Compromised key Recovering lost or corrupted keys Logging key management activities keys will have an activation and expiration date b Has the project used a certification authority to ensure the authenticity of public keys that addresses liability, reliability of services, and response times in the contract? 24

26 c Has the project utilized one of the two approved types of cryptographic techniques: Secret key techniques Public key techniques 12.4 Security of system files The Government of Saskatchewan ensures the security of system files by controlling access to system files and program source code. IT projects and support activities are conducted in a secure manner. Care is taken to avoid exposure of sensitive data in test environments a Has the project followed these guidelines to control the installation of software on operational systems: Management will authorize a release manager to coordinate the install and update of software, applications, and program libraries Production systems will not contain development code or compilers User acceptance testing will be extensively and successfully tested on a separate system prior to production implementation A rollback strategy will be in place and previous versions of application software will be retained Old versions of software will be archived including configuration details and system documentation Program library updates will be logged b Has the project ensured vendor software will be maintained at the supported level, and vendor access will be authorized and monitored? c Has the project ensured security software patches have been applied as recommended by the vendor? d Has the project ensured operating systems will only be upgraded when there is a requirement to do so? 25

27 Has the project used production data for user acceptance testing, and where the following requirements met: The data is modified beyond recognition before use The production access control procedures are applied in the user acceptance testing environment Authorization is required every time data is copied from production to a user acceptance testing environment When testing is complete, the data has been erased 12.5 Security in development and support processes The Government of Saskatchewan maintains the security of application system software and information. Project and support environments are strictly controlled.the Government of Saskatchewan managers, responsible for application systems, are responsible for the security of the project or support environment. They must ensure that all proposed system changes are reviewed to ensure that they do not compromise the security of either the system or the operating environment. Ministry application owners will be notified of security issues a Has the project tested new software (including patches, service packs, and other updates) in an environment that is segregated from the development and production environments? (Automated updates will not be used on critical systems) b Has the project, when introducing new systems and major changes to existing systems, ensured that it: Follows a formal process of: o Documentation o Specification o Testing o Quality control o Approval o A formally managed implementation Includes: o A risk assessment o An analysis of the impacts of changes o Specifications of security controls o Ensure that existing security and control procedures are not compromised o Obtaining a formal agreement and approval for any change 26

28 a Has the project implemented a process for technical review of application control and integrity procedures which will test the impact of operating system changes on business critical applications that at minimum, formally considers the following: Notification of operating system changes Business continuity plans must be updated to reflect related changes b Has the project ensured a specific group or individual has been given responsibility for monitoring vulnerabilities and vendors releases of patches and fixes? Has the project formally considered the following when outsourcing software development: Licensing arrangements Code ownership Intellectual property rights Audit and certification of the quality and accuracy of the development Escrow arrangements Quality and security contractual requirements Testing for malicious code 27

29 12.6 Technical vulnerability management The Government of Saskatchewan reduces risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management has been implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations include operating systems, and any other applications in use Has the project established and documented effective management procedures for technical vulnerabilities using the following guidelines: Define and establish the roles and responsibilities for: o Vulnerability monitoring o Vulnerability risk assessment o Patching o Asset tracking o Coordination Information resources that identify and maintain awareness about relevant technical vulnerabilities Define timelines for notification reactions Identify associated risks and the actions to be taken for potential technical vulnerability If possible, follow change management or information security incident response procedures Assess risks associated with patch installation compared to risks associated with the vulnerability Formally consider these controls: o Test, evaluate, then install patch o Turn off services or capabilities o Adapting or adding access controls o Increase monitoring o Raise awareness Log all procedures undertaken Regularly monitor and evaluate the technical vulnerability management process Address high risk systems first 28

30 13 INFORMATION SECURITY INCIDENT MANAGEMENT 13.1 Reporting Information Security Events and Weaknesses The Government of Saskatchewan ensures information security events and weaknesses associated with information security are communicated in a manner allowing timely corrective action to be taken. Formal event reporting and escalation procedures are in place. All employees, contractors and third party users are made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets. They are required to report any information security events and weaknesses as quickly as possible to the ITO Service Desk Has the project communicated to employees, contractors and third party users of information systems and services that they are required to report any suspicious events to the service desk? Has the project notified employees, contractors and third party users not to attempt to validate suspected weaknesses without specific management approval? 14 BUSINESS CONTINUITY MANAGEMENT 14.1 Information Security Aspects of Business Continuity Management Business continuity management includes controls to, in addition to the general risks assessment process, identify and reduce risks in order to limit the consequences of damaging incidents, and ensure that information required for business processes is readily available. The Government of Saskatchewan counteracts interruptions to business activities to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process is implemented to minimize the impact on the organization and recover from the loss of information assets (which may be the result of, but not limited to, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process identifies the critical business processes and information security management requirements of business continuity along with other continuity requirements relating to areas such as operations, staffing, materials, transport and facilities. The consequences of disasters, security failures, loss of service, and service availability are subject to a business impact analysis. Business continuity plans are developed and implemented to ensure timely resumption of essential operations. Information security is an integral part of the overall business continuity process, and other management processes within the organization Has the project provided documentation to identify and provide for the continued availability of: Critical systems, applications, assets, employees, documents, and project information Other services and assets when warranted and identified by a threat and risk analysis 29

31 Has the project provided documentation to support a testing plan for the business continuity that: Ensures that key personnel understand the documented recovery procedures and have the document available to them Educates all members of the recovery teams, and their backups, of their roles in the event of a disaster Provides verification of the recovery strategy Performing annual testing and review Identify any flaws or lack of documentation in all sections of the plan Verify that critical business functions may be recovered while simulating disaster scenarios Update existing plans to encompass new requirements due to business, systems, networks, legal or contractual requirement, or personnel changes Test all components of the plan, including hardware, software, personnel, data, supplier facilities and services, communications, procedures, forms, documentation, alternate site locations Make modifications based on test results If a backup hot site is adopted, a parallel test should be performed. Otherwise a simulation test should be completed 15 Compliance 15.1 Compliance with Legal Requirements The design, operation, use, and management of information systems are subject to statutory, regulatory, and contractual security requirements. The Government of Saskatchewan has procedures in place to avoid breaches of any legal, statutory, regulatory, or contractual obligations, and of any security requirements. Advice on specific legal requirements is sought from the Ministry of Justice, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to or through another country (i.e. trans-border data flow) Has the project received approval from the ministry compliance owner (tasked with defining, documenting, and keeping updated all relevant legal, regulatory, and contractual requirements for each information system identified as critical) that the project meets the following compliance criteria: The organizational approach meets all requirements The specific controls and individual responsibilities meet all requirements 30

32 Has the project classified records and complied with the Records Act (2004) which details the retention period? Has the project communicated the data protection and privacy specification to all personnel processing personal information? Has the project ensured all users are made aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use through the signing of written authorizations? 15.2 Compliance with Security Policies and Standards, and Technical Compliance The Government of Saskatchewan ensures the compliance of systems with organizational security policies and standards that are regularly reviewed. Such reviews are performed against the appropriate security policies and the technical platforms and information systems are audited for compliance with applicable security implementation standards and documented security controls Has the project ensured all information processing facilities have been assessed for compliance with appropriate security policies, standards, and any other security requirements, and ITO Security Services has a record of the assessment? a Has the project ensured penetration tests or vulnerability assessments are planned, documented, and repeatable, and caution is exercised (as such activities can lead to a compromise of the security of the system)? b Has the project ensured information gathered from security testing is analyzed and recommendations are made based on the results? 31

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Brain-CODE. Security Policies. Version 1.4

Brain-CODE. Security Policies. Version 1.4 Brain-CODE Security Policies Version 1.4 May 09, 2014 Brain-CODE Information Security Policy May 09, 2014 Introduction Information stored in Brain-CODE is an asset that OBI has a duty and responsibility

More information

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

Information Security Policy. Ministry of Central Services Information Technology Division Information Security Branch

Information Security Policy. Ministry of Central Services Information Technology Division Information Security Branch Information Security Policy Ministry of Central Services Information Technology Division Information Security Branch Last revised: December 2016 Last reviewed: December 2016 Next review: July 2017 Version

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Information Security Standards

Information Security Standards Information Security Standards March 2015 Information & Technology Services Information Security Standards Table of Contents 1.0 Common Policy Elements... 7 1.1 Introduction and Scope... 7 1.2 Authority...

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Data Security Systems Internal Control Questionnaire

Data Security Systems Internal Control Questionnaire Data Security Systems Internal Control Questionnaire I. GENERAL DATA SECURITY SYSTEM A. Does security system management: 1. Determine how access levels are granted? 2. Define when access is granted unless

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Information Security Policy

Information Security Policy Information Security Policy Revised: September 2015 Review Date: September 2020 New College Durham is committed to safeguarding and promoting the welfare of children and young people, as well as vulnerable

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Information Security Policy version 2.0

Information Security Policy version 2.0 http://kfu.edu.sa KING FAISAL UNIVERSITY Information Security Policy version 2.0 Prepared & Presented by: M. Shahul Hameed, MBA, M.Sc.IT, C\MA, CIA, PMP, CGEIT, CISA, CISM, ITSM(ITIL), ISO27001LA, Head

More information

Information Assurance Policy for Information Systems

Information Assurance Policy for Information Systems Information Assurance Policy for Information Systems 1. Purpose... 3 2. Goals... 3 3. Applicability... 4 4. Compliance... 4 5. Roles & Responsibilities... 4 5.1. All Departments...4 5.2. FCT Information

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD This is a preview - click here to buy the full publication ISO/IEC 27002 First edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

USC Data Security Requirements (Standards) Guidelines for Compliance Revised 05-Jan-2015

USC Data Security Requirements (Standards) Guidelines for Compliance Revised 05-Jan-2015 USC Data Security Requirements (Standards) Guidelines for Compliance Revised 05-Jan-2015 The purpose of these Guidelines is to assist in the interpretation of USC Data Security Requirements, and in the

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY POLICY Name Of Policy: Security Audit Logging Policy Domain: Security Date Issued: 05/23/11 Date

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information