Rick Taylor, CISA. An Independent Member of Baker Tilly International 1


How many people use the top social media sites?
- Facebook: 1.06 billion monthly active users, 680 million mobile users, more than 50 million pages and 10 million apps
- U.S. population: approximately 315,000,000 as of April 2013
- Twitter: 500 million total users, more than 200 million active users; average number of tweets sent per day: 400 million
- Over 400 social media sites worldwide; 200 are considered well known

The 2013 Internal Audit Capabilities and Needs Survey, released by Protiviti, shows that 43% of respondents have no social media policy within their organization. Among those with a policy, many fail to address even the most basic issues, such as information security and approved use of social media applications. What is most alarming, however, is that more than half (51%) of organizations do not address social media risk as part of their risk assessment process, and 45% indicate they have no plans to do so in the coming year's audit plans. Of those that do address the topic, 84% rated their organization's social media risk assessment capability as not effective or only moderately effective.

Latest emerging threat: social media accounts used as the login for applications in
- Banking
- Health care
- Insurance
- Not for profit
- ...
Why is this an issue? An application that accepts a social login is only as strong as the social account behind it: a phished or reused social media password now opens the business application as well. What about growth in commerce?

Define the audit/assurance objectives and scope.
Identify and document risk:
- The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. A risk-based approach assures utilization of audit resources in the most effective manner.
- Identify the business risks associated with the social media projects.
- Review previous audits of social media use. Determine if issues identified previously have been remediated.
- Evaluate the overall risk factors for performing the review.
- Based on the risk assessment, identify changes to the scope.
- Discuss the risks with management, and adjust the risk assessment.
- Based on the risk assessment, revise the scope.

- Define the change process.
- Define the audit/assurance resources required.
- Define deliverables.
- Communicate.

Risk Management
Audit/Assurance Objective: The risk associated with social media is identified, evaluated, and aligned with enterprise risk profiles and risk appetite. Risk management is routinely evaluated for new and existing social media projects.
Initial Risk Assessment
Control: Risk assessments are performed prior to initiation of a social media project.
- Determine if governance policies require a risk assessment prior to the initiation of a social media project.
- Obtain the policy statement.
- Verify that the risk assessment policy pertains to social media resources.

- Determine if a waiver procedure is in place to override performance of a risk assessment relating to social media resources.
- If a waiver procedure is in place, select specific social media projects. Determine if policy has been followed in the overriding of risk management processes.

Determine if risk assessment policies are followed:
- Identify social media projects.
- Obtain risk assessments for each social media initiative.
- Determine if the risk assessment has been documented.
- Determine if the risk assessment utilized the enterprise risk management profile.
- Determine if the risk assessment has been reviewed by appropriate stakeholders, sponsors and senior management.
- Determine if the risk assessment has identified specific control-related actions that must be included in the implementation of social media projects.
- If control-related requirements have been identified, determine if there has been follow-through to ensure that they are included in the specifications for the social media implementation.

Ongoing Risk Assessment
Control: Risk assessments are re-performed when social media resources or technologies change.
- Determine if policy requires the re-performance or updating of the risk assessment pertaining to social media.
- Obtain the risk assessment policy. Verify that the policy requires reassessment when technologies or requirements change.
- Determine that risk assessments are performed for changes in the social media technology or scope.
- Identify changes to the social media technology or scope. Verify that an updated risk assessment has been prepared and reviewed by appropriate stakeholders, sponsors and senior management.

Data Classification Scheme
Control: Social media information has been included in the data classification scheme.
- Verify that social media information is specifically included in the data classification scheme and that it is in alignment with policies.
Question: Does the client have an information asset inventory?

Policies
Audit/Assurance Objective: Policy and supporting standards exist to support social media use.
Social Media Policies and Standards

Control: Policies for social media should address the following specific areas:
- Communication protocol
- Standardized terms/keywords that may convey the company brand, product, image, campaign, business initiative or corporate social responsibility
- Use of standard logos, images, pictures, etc.
- Employee personal use of social media in the workplace
- Employee personal use of social media outside the workplace
- Employee use of social media for business purposes (personally owned devices)
- Use of mobile devices to access social media
- Required review, monitoring and follow-up processes for brand protection
- Communication of policy via social media sites
- Notification that compliance monitoring will be the right of the company
- Management procedures for company accounts on social media sites
- Response protocols for the response process on social media environments

Determine that clear policies are established and documented. These policies need to describe to employees, vendors and customers the acceptable information that can be posted as part of the enterprise social media presence. Consider the following:
- Personal use in the workplace:
  - Whether it is allowed
  - The nondisclosure/posting of business-related content
  - The discussion of workplace-related topics
  - Inappropriate sites, content or conversations
- Personal use outside the workplace:
  - The nondisclosure/posting of business-related content
  - Standard disclaimers if identifying the employer
  - The dangers of posting too much personal information
- Business use:
  - Whether it is allowed
  - The process to gain approval for use and the process for removal of access
  - The scope of topics or information permitted to flow through this channel
  - Disallowed activities (installation of applications, playing games, etc.)

- Determine that appropriate policies, processes and technologies are established to ensure that legal and/or regulatory issues relating to social media communications are addressed.
- Determine if legal counsel has reviewed social media policies for compliance with liability and regulatory requirements.

- Determine that policies have been established to identify specific social media to be blocked.
- Determine that the technology function responsible for implementing the blocking of web sites or access to social media has been notified of the policy.

- Determine that the human resources (HR) function is actively involved in the policy implementation.
- Determine if the employee acceptable use policies have been updated to include social media.

- Determine if social media policies require appropriate brand monitoring services/protection.
- Determine if social media policies require the monitoring of enterprise-related activities within the social media services.

Contractor Social Media Policies
Control: Contractors are required to adhere to the same requirements as employees, or to a subset of them.
- Determine that clear policies are established and documented. These policies need to describe to contractors the acceptable information that can be posted as part of the enterprise social media presence.
- Determine that the HR function and contractor sponsors are actively involved in the policy implementation.
- Determine if the contractor acceptable use policies have been updated to include social media.

HR Function
Audit/Assurance Objective: The HR function has implemented social media related policies.
HR Function Actively Participates in Social Media Processes
Control: The HR function assumes responsibility for and executes social media related policies.

- Review social media policies. Determine which policies are the responsibility of HR. Determine if these policies have been implemented.
- Determine if employees sign a notification of acceptance of these policies upon hiring and at least annually.
- Select a sample of employees. Determine that all employees in the sample have signed the social media acceptance policies for the current year and at the time of hiring.
- Select a sample of employees, and interview them on their understanding of the social media policies. Consider using web access logs to identify the social media sites most frequently accessed, and distribute the sample across the sites identified rather than concentrating on users of a single application.
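The last step above, picking interviewees from web access logs so that every social media site in use is represented, is the kind of thing an auditor can script rather than eyeball. The following is an added example written for this page, not code from the original slides: it parses a constructed proxy log (user and URL per line, a hypothetical squid-like layout), groups distinct users by the registrable domain of the sites the policy names, and draws a reproducible stratified sample. The log lines, user names and the SOCIAL_SITES list are all constructed assumptions.

```python
"""Spread an interview sample of employees across the social media sites they
actually visit, using web proxy access logs (added example, not part of the
original slides). The log format and site list are constructed assumptions."""
import random
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: epoch-time user method url status
SAMPLE_LOG = """\
1367000001 jsmith GET https://www.facebook.com/home.php 200
1367000002 jsmith GET https://m.facebook.com/messages 200
1367000003 ajones GET https://twitter.com/search?q=brand 200
1367000004 bkhan GET https://www.linkedin.com/feed/ 200
1367000005 ajones GET https://www.facebook.com/pages/ 200
1367000006 cli GET https://www.youtube.com/watch?v=abc 200
1367000007 dlee GET https://intranet.example.com/ 200
1367000008 bkhan GET https://www.linkedin.com/jobs/ 200
1367000009 emartin GET https://twitter.com/i/notifications 200
1367000010 cli GET https://twitter.com/home 200
garbage line that should be skipped
"""

# Registrable domains the (hypothetical) policy treats as social media.
SOCIAL_SITES = {"facebook.com", "twitter.com", "linkedin.com", "youtube.com"}


def site_of(host):
    """Collapse subdomains to the last two labels (www.facebook.com -> facebook.com).
    Good enough for the .com sites above; .co.uk-style suffixes need a public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    """Yield (user, host) per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, user, _method, url, _status = parts
        host = urlsplit(url).hostname
        if host:
            yield user, host


def users_by_site(text, sites=SOCIAL_SITES):
    """Return {site: sorted distinct users} for the sites in the policy list."""
    seen = defaultdict(set)
    for user, host in parse_log(text):
        site = site_of(host)
        if site in sites:
            seen[site].add(user)
    return {s: sorted(u) for s, u in seen.items()}


def stratified_sample(by_site, per_site, seed=0):
    """Draw up to per_site users from every site. Sites are visited in sorted order
    with a fixed seed so the draw can be reproduced in the audit workpapers."""
    rng = random.Random(seed)
    return {site: sorted(rng.sample(by_site[site], min(per_site, len(by_site[site]))))
            for site in sorted(by_site)}


if __name__ == "__main__":
    by_site = users_by_site(SAMPLE_LOG)
    for site in sorted(by_site):
        print(f"{site}: {len(by_site[site])} distinct users")
    print(stratified_sample(by_site, per_site=2))
```

Distinct users per site, not hit counts, is the right denominator here: one heavy user should not make a site look widely used. Record the seed with the sample so a reviewer can regenerate exactly the same draw.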

HR Social Media Violation Policy
Control: The HR function has established and distributed defined consequences for violation of social media policies.
- Determine the procedures for handling social media policy violations.
- Evaluate whether the consequences are commensurate with the risks associated with the violation.
- Determine if violator consequences are fairly assessed and implemented.

Audit/Assurance Objective: Employees, contractors and customers are trained and are aware of their responsibilities relating to social media.
Responsibility for Training and Awareness
Control: The responsibility for social media acceptable practice training and awareness has been assigned to a specific job function.

- Determine which job function is responsible for training and awareness.
- Determine how the job function interfaces with technical, governance and personnel stakeholders.
- Determine how the effectiveness of the training and awareness process is evaluated and monitored.

Training and Awareness Programs
Control: The training and awareness programs are defined, well communicated, documented and regularly scheduled. Key performance indicators (KPIs) or key success factors (KSFs) are used to monitor their effectiveness.
- Obtain the training and awareness program.
- Using the governance policies and training and awareness programs, determine if the programs are adequate to train or create awareness of social media etiquette and usage for the employees.

Determine if the training and awareness program addresses:
- Business social media activities using enterprise-owned equipment
- Business social media activities using personally or third-party owned equipment
- Personal social media activities using enterprise-owned equipment
- Personal social media activities using personally or third-party owned equipment during business hours
- Personal social media activities discussing enterprise activities using personally or third-party owned equipment outside business hours
- Alignment of both business and personal social media activities with the data classification scheme

- Determine if training and awareness programs address consequences for failing to adhere to social media policies.
- Determine if the training and awareness programs are routinely offered and executed.
- Determine if the appropriate personnel have attended social media training.
- Identify the KPIs or KSFs used to monitor the effectiveness of the program, and assess whether they promote the behaviors required.
- Verify that nonconformity issues raised are followed up.

Audit/Assurance Objective: Staffing levels are adequate to support additional responsibilities resulting from social media projects.
Control: Management routinely evaluates staffing levels to assure adequate service levels and staffing resources.
- Determine if staffing levels have been modified to reflect additional social media related responsibilities.
- Determine if there has been a marked increase in overtime or a backlog of incomplete work due to social media projects.

Social Media Alignment With Business Processes
Audit/Assurance Objective: Processes exist to manage new and existing social media programs so that they adhere to enterprise strategy, governance and management objectives and policies.
Social Media Program Management
Control: Social media program management and evaluation are included in routine management oversight processes.
- Determine if social media program management and evaluation are part of the routine assessment of business processes.
- Obtain meeting minutes or memos documenting the routine evaluation of social media programs.

- Determine if changes or additions to processes that leverage social media are aligned with the policy prior to implementation, through a change control procedure.
Social Media Brand Protection
Audit/Assurance Objective: The enterprise brand is protected from negative publicity or adverse reputational issues.

User Agreement Management
Control: User agreements are reviewed by legal and communications professionals prior to implementing a program with a social media site.
- Obtain evidence of a legal and/or communications professional review prior to the use of, or contractual agreement with, a social media site.
- Review the terms and conditions to determine that the current terms and conditions are in alignment with organizational policies.

Social Media Monitoring
Control: Social media sites are monitored for adverse posts, publicity, etc.
- Determine if a brand protection firm or other monitoring mechanism is engaged to locate, identify and report dummy profiles set up on social media that may tarnish the entity or its brand image or carry contradictory messages.
- Determine how often the scans are executed.
- Obtain the reports generated by the brand protection scans and determine if an issue monitoring process is in place to review and follow up on branding issues on a timely basis.

- Determine the process for escalating branding issues to the appropriate management representative.
- Identify incidents requiring the escalation of branding issues.
- Determine the resolution of escalated branding incidents.

Social Media Branding Enforcement
Control: Management actively litigates brand infringement.
- Identify brand infringement occurrences.
- Determine the adequacy of the infringement follow-up and resolution.

Audit/Assurance Objective: Enterprise information is protected from unauthorized access or leakage through/by social media.
Social Media Included in Data Classification
Control: Information shared/posted through social media is included in the data classification program.
- Obtain the data classification process.
- Determine if social media, either generically or specifically (e.g., Facebook, LinkedIn, Twitter), has been included in the data classification policy.
- Obtain a list of the criteria or specific information approved for social media access and sharing.
- Determine if this list is routinely reviewed and approved.

Access Management of Social Media
Control: Data accessible via social media sites are subjected to the standard access management procedures and approvals.
- Determine if social media data access is managed using enterprise access management procedures.
- Select a sample of social media related data access requests. Determine if appropriate authorizations were received prior to access being granted.

- Determine if the data access reauthorization process includes social media.
- Select a sample of social media data access requests. Determine if the authorizations have been reviewed and approved as prescribed in the reauthorization procedure.

Social Media Technology Infrastructure
Audit/Assurance Objective: The IT infrastructure addresses the risks introduced by social media.
Antimalware and Antivirus Technologies Protect the Environment
Control: Antimalware and antivirus software is in use.
- Determine that antivirus and antimalware applications are in place, with appropriate configuration settings.
- Verify that appropriate antimalware controls and social media site restrictions are also installed on mobile devices such as smartphones.
- Verify that only authorized individuals can modify the antimalware/antivirus software and settings at both the server and workstation levels.

Incident Response
Control: Incident response for social media risks has been included in the information security incident response plan.
- Verify that the information security incident response plan addresses social media risks.

Content Filtering
Control: Content filtering and monitoring are installed and reviewed.
- Determine if content filtering technology is used to restrict or limit access to social media sites.
- Determine that browser settings and data loss prevention (DLP) products are in place, with appropriate configuration settings.
- Determine if social media web sites requiring blocking have been blocked, either by specific web site name (uniform resource locator [URL]) and/or by port. Note that a port-based rule cannot distinguish social media from any other web traffic on the same port, so URL or hostname rules carry the actual control.
- Identify other technologies, policies and procedures used to limit or monitor social media processes.
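Checking that "sites requiring blocking have been blocked" means comparing the filter's rules against the hosts users actually reach, not reading the rule list alone. The following is an added example written for this page, not code from the original slides or from any filtering product: it models three common rule shapes (exact hostname, wildcard subdomain, URL prefix), evaluates constructed URLs of the kind found in a proxy log against them, reports must-block domains that still get through, and shows why a port rule is not a substitute. The rule syntax, the MUST_BLOCK list, the RULES list and the URLs are all constructed assumptions; real products have their own rule formats.

```python
"""Check a web filter's social media block rules against the URLs users actually
hit (added example, not from the original slides). Rule syntax, rule list and
test URLs are constructed assumptions; real products have their own formats."""
from urllib.parse import urlsplit

# Hypothetical policy: these registrable domains must be unreachable.
MUST_BLOCK = {"facebook.com", "twitter.com"}

# Hypothetical rule set as an administrator might have typed it into a filter:
# exact host, wildcard subdomain, or URL prefix. A port rule is shown separately below.
RULES = [
    "www.facebook.com",                 # exact host only: misses m.facebook.com
    "*.twitter.com",                    # wildcard covers subdomains but not the bare host
    "https://www.linkedin.com/jobs/",   # URL prefix: only one path is affected
]


def host_matches(host, rule):
    """Hostname rule: exact, or '*.' wildcard matching any subdomain (not the apex)."""
    if rule.startswith("*."):
        return host.endswith(rule[1:])  # '*.twitter.com' -> endswith '.twitter.com'
    return host == rule


def is_blocked(url, rules=RULES):
    """True if any rule matches the URL's host (hostname rules) or prefix (URL rules)."""
    host = (urlsplit(url).hostname or "").lower()
    for rule in rules:
        if "://" in rule:
            if url.lower().startswith(rule.lower()):
                return True
        elif host_matches(host, rule):
            return True
    return False


def registrable(host):
    """Crude apex-domain guess (last two labels); fine for .com sites, not for .co.uk."""
    return ".".join(host.split(".")[-2:])


def coverage_gaps(urls, rules=RULES, must_block=MUST_BLOCK):
    """Return URLs on a must-block domain that the rules would still let through."""
    gaps = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if registrable(host) in must_block and not is_blocked(url, rules):
            gaps.append(url)
    return gaps


def port_rule_blocks(url, blocked_ports=(80, 443)):
    """A 'block by port' rule cannot tell social media from any other web site."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return port in blocked_ports


# Constructed URLs, as they might appear in a proxy log.
OBSERVED = [
    "https://www.facebook.com/",          # blocked by the exact host rule
    "https://m.facebook.com/login.php",   # gap: mobile host not listed
    "https://facebook.com/",              # gap: apex host not listed
    "https://twitter.com/home",           # gap: wildcard does not cover the apex
    "https://mobile.twitter.com/",        # blocked by the wildcard
    "https://www.linkedin.com/feed/",     # allowed: only /jobs/ is prefixed
    "https://intranet.example.com/",      # not social media
]

if __name__ == "__main__":
    for u in OBSERVED:
        print(f"{'BLOCK' if is_blocked(u) else 'allow':5} {u}")
    print("gaps:", coverage_gaps(OBSERVED))
    # Every HTTPS URL above, the intranet included, would be caught by a 443 port rule.
    print("port rule also hits intranet:", port_rule_blocks("https://intranet.example.com/"))
```

The gaps it reports are the classic ones: an exact-host rule that forgets the mobile host, a wildcard that does not cover the apex domain, and a URL-prefix rule that only covers one path. Feed it the distinct hosts from the proxy logs for the review period rather than a hand-written list, since the logs show the hosts users actually found.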

Audit/Assurance Objective: Use of social media technology is actively monitored, and its effect on the IT architecture and technology is regularly evaluated.
Social Media Monitoring
Control: Appropriate tools are used to evaluate the effectiveness of social media usage and related activities.

- Evaluate the usage of technology for control and monitoring.
- Determine if a third party monitors social media activities, including the use of KPIs and proactive incident response.
- Evaluate the usage of tools and reporting for control and monitoring of social media use.
- Evaluate the involvement of all relevant stakeholders in the review of reports, including business leadership, risk management professionals, and HR and legal representation.
- Evaluate the holistic approach used to integrate emerging technologies into the enterprise, which helps to ensure that risks are being considered in the context of broader business goals and objectives.


More information

Security Control Standard

Security Control Standard Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the

More information

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0 MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:

More information

ISO 20000-1:2005 Requirements Summary

ISO 20000-1:2005 Requirements Summary Contents 3. Requirements for a Management System... 3 3.1 Management Responsibility... 3 3.2 Documentation Requirements... 3 3.3 Competence, Awareness, and Training... 4 4. Planning and Implementing Service

More information

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015 July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,

More information

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer Office of Compliance and Ethics Introductory Report Lynette Fons, Chief Compliance Officer Why the Office of Compliance and Ethics was Created The City operates in a highly complex regulatory environment

More information

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011 APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

More information

The Risk Management Policy (the Policy ) establishes the framework, structure, and delegations of authority for American Red Cross risk management.

The Risk Management Policy (the Policy ) establishes the framework, structure, and delegations of authority for American Red Cross risk management. American Red Cross Risk Management Policy 1. Purpose Status FINAL Policy ID 1006 Responsible Office Office of the President Sponsor President and CEO Related Policies N/A The Risk Management Policy (the

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Identity Assurance Framework

Identity Assurance Framework Executive Summary Assurance of a user s identity in an electronic system is required for many University business processes to function efficiently and effectively. As the risk associated with an electronic

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

Information Security Framework. Revision Date: 10/01/2013. Information Security Framework

Information Security Framework. Revision Date: 10/01/2013. Information Security Framework State of Indiana Information Resources Policy and Practices Indiana Office of Technology 1 Table of Contents Chapter 1 Security Policy 1.1 Information security policy ownership 1.2 Information security

More information

Wifi, Church Internet, and Church Computer Policy

Wifi, Church Internet, and Church Computer Policy Wifi, Church Internet, and Church Computer Policy A. Purpose Family Christian Center (FCC aka Toledo 3 Foursquare Church) is committed to preventing the occurrence of inappropriate, unethical, or unlawful

More information

COMMUNIQUE. Information Technology (IT) Governance Guidance

COMMUNIQUE. Information Technology (IT) Governance Guidance COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of McAfee Email and Web Security Appliance Version 5.5 Patch 2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Question: 1 Which of the following should be the FIRST step in developing an information security plan? 1 ISACA - CISM Certified Information Security Manager Exam Set: 1, INFORMATION SECURITY GOVERNANCE Question: 1 Which of the following should be the FIRST step in developing an information security plan?

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight

II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight Compliance Management System Introduction Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market

More information

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Specific observations and recommendations that were discussed with campus management are presented in detail below. CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

Data Privacy Framework

Data Privacy Framework Data Privacy Framework Table of Contents 1. INTRODUCTION...4 2. SCOPE & DEFINITIONS...4 2.1 SCOPE OF THE DATA PRIVACY FRAMEWORK...4 2.2 DEFINITIONS...4 3. SECURITY ORGANIZATION & RESPONSIBILITIES...4 3.1

More information

Internal Audit Report. Toll Operations Contract Management TxDOT Office of Internal Audit

Internal Audit Report. Toll Operations Contract Management TxDOT Office of Internal Audit Internal Audit Report Toll Operations Contract Management TxDOT Office of Internal Audit Objective To determine whether the Toll Operations Division (TOD) contract management structure is designed and

More information

Provisions and Guidelines for Information Security Management. Dhr. C. Walters

Provisions and Guidelines for Information Security Management. Dhr. C. Walters Provisions and Guidelines for Information Security Management Dhr. C. Walters 1 Why impose rules for Information Security Management? Supervised institutions have been requesting rules; Rules promotes

More information

Information Security Series: Security Practices. Integrated Contract Management System

Information Security Series: Security Practices. Integrated Contract Management System OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Information Security Series: Security Practices Integrated Contract Management System Report No. 2006-P-00010 January 31,

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

Telecommunications Systems Manager I (Supervisor) Essential Task Rating Results

Telecommunications Systems Manager I (Supervisor) Essential Task Rating Results Telecommunications Systems Manager I (Supervisor) Essential Task Rating Results 1 2 3 4 5 6 7 8 9 10 11 12 13 Supervise activities and direct personnel in the implementation of various departmental programs

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

ISO 9001:2008 STANDARD OPERATING PROCEDURES MANUAL

ISO 9001:2008 STANDARD OPERATING PROCEDURES MANUAL 8200 Brownleigh Drive Raleigh, NC 27617-7423 Phone: (919) 510-9696 Fax: (919) 510-9668 ISO 9001:2008 STANDARD OPERATING PROCEDURES MANUAL ALLIANCE OF PROFESSIONALS & CONSULTANTS, INC. - 1 - Table of Contents

More information

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar

More information

Web Protection for Your Business, Customers and Data

Web Protection for Your Business, Customers and Data WHITE PAPER: WEB PROTECTION FOR YOUR BUSINESS, CUSTOMERS............ AND.... DATA........................ Web Protection for Your Business, Customers and Data Who should read this paper For security decision

More information

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction CPA Global North America LLC SAFE HARBOR PRIVACY POLICY Introduction CPA Global North America LLC ( CPA Global ) is the US affiliate of the world's leading intellectual property (IP) management and IP

More information

Information Technology Project Oversight Framework

Information Technology Project Oversight Framework i This Page Intentionally Left Blank i Table of Contents SECTION 1: INTRODUCTION AND OVERVIEW...1 SECTION 2: PROJECT CLASSIFICATION FOR OVERSIGHT...7 SECTION 3: DEPARTMENT PROJECT MANAGEMENT REQUIREMENTS...11

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

Software Licenses Managing the Asset and Related Risks

Software Licenses Managing the Asset and Related Risks AUDITOR GENERAL S REPORT ACTION REQUIRED Software Licenses Managing the Asset and Related Risks Date: February 4, 2015 To: From: Wards: Audit Committee Auditor General All Reference Number: SUMMARY The

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Corporate Investigations Management

Corporate Investigations Management Corporate Investigations Management abmintellicase TM is a secure Corporate Investigations Management Software A proven, robust solution designed for management of incidents, investigations and intelligence

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

SIEM Implementation Approach Discussion. April 2012

SIEM Implementation Approach Discussion. April 2012 SIEM Implementation Approach Discussion April 2012 Agenda What are we trying to solve? Summary Observations from the Security Assessments related to Logging & Monitoring Problem Statement Solution Conceptual

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201

Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201 PURCHASE ORDER ATTACHMENT Q-201A Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201 1. A qualified employee shall be selected by the Software Quality Manager

More information

Information Assurance Policy for Information Systems

Information Assurance Policy for Information Systems Information Assurance Policy for Information Systems 1. Purpose... 3 2. Goals... 3 3. Applicability... 4 4. Compliance... 4 5. Roles & Responsibilities... 4 5.1. All Departments...4 5.2. FCT Information

More information

Managing General Agents (MGAs) Guideline

Managing General Agents (MGAs) Guideline Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information