IT REMOTE ACCESS POLICY
- Derick Griffin
- 7 years ago
PURPOSE

The purpose of this Policy is to define requirements for remote connectivity to Brock University's systems, services and data that are not explicitly publicly accessible using any device, regardless of whether the device is University- or personally-owned. This is to minimize the potential exposure to Brock University of damages which may result from unauthorized use of Brock resources.

SCOPE

This Policy applies to all employees (i.e., faculty, staff), students, consultants, vendors or any third party affiliate connecting remotely to Brock University's network via the University's provided VPN service. It does not apply to University applications explicitly made available through the internet (e.g., , my.brocku.ca). The scope of this Policy includes all users of remote access systems.

POLICY STATEMENT

- All remote access not explicitly made public must be established by a secured and centrally managed service (e.g., Virtual Private Network (VPN)) that complies with the Standards for Remote Access.
- Users are not permitted to be connected to multiple networks while using VPN (i.e., no split tunneling).
- Server logs of all VPN access must be retained for a minimum period of 90 days for review / audit.

DEFINITIONS

Remote Access: Access to Brock University systems from an untrusted network zone (e.g., Internet).

Remote Access System: A service (e.g., VPN) which provides remote access to non-public Brock University systems and services.

Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network.

COMPLIANCE AND REPORTING

Information Technology Services ("ITS") enforces this Policy and the related Standards at all times. Anyone who has reason to suspect a deliberate and / or significant violation of this Policy must promptly report it to the ITS Help Desk.

Policy violations that come to the attention of the ITS Help Desk will be escalated to the Director, Infrastructure. Policy violations will be assessed and action taken to remediate the violation subject to collective agreements and / or other contractual conditions. Where Policy violations are considered severe and / or cannot be easily remediated, the incident will be escalated to the Associate Vice-President, ITS for further action.

Periodically, the AVP, ITS will provide to SAC a summary of all policy violations.

Policy owner: Associate Vice-President, Information Technology Services
Authorized by: Board of Trustees, Capital Infrastructure Committee
Accepted by: SAC
Effective date: March 2016
Next review: March 2017
Revision history: New
Related documents: Standards for Remote Access, Logical Access, Acceptable Use
Brock University
Version 0.7
Prepared By: Sergio Sartor, Andreas Paulisch, Chad Cupola

Contents

1. Revisions
   i. Document Editors
   ii. Document Reviewers
   iii. Intended Audience
   iv. References and Related Documents
Purpose
Requirements
   Virtual Private Network (VPN) and Remote Access Services (RAS)
   Identity Authentication
   VPN Sessions
   Remote Computing Devices and Software
   VPN Service for Brock Users
   VPN Service for NON-Brock Users
   Sensitive Information
   Monitoring VPN Usage
   VPN Implementation
   VPN Compliance
   VPN Security Assessments
Responsibilities
   VPN Users
   VPN Administrators
Remote Access Definitions

1. Revisions

Version | Primary Author(s) | Description of Version | Date
0.5 | Various | Initial implementation | November 25,
 | Sergio Sartor | Updated based on internal ITS feedback | December 12, 2014

i. Document Editors

Reviewer | Section(s)

ii. Document Reviewers

Reviewer | Section(s)

iii. Intended Audience

This document is intended for all users and administrators of Virtual Private Networking remote access at Brock University.

iv. References and Related Documents

Version | Title | Document Location | Date Accessed (mm/dd/yyyy)
1. Purpose

This document outlines requirements that must be adhered to when using, deploying and administering Virtual Private Networks to connect to Brock University's systems and data from an untrusted network zone (e.g., Internet). This document contains requirements that are specific to usage, administration, setup, maintenance and configuration.

2. Requirements

2.1 Virtual Private Network (VPN) and Remote Access Services (RAS)

Virtual Private Networking (VPN) and Remote Access Services open a door to Brock's network and extend it to the remote computer. It is imperative that these services be centrally reviewed, monitored and approved.

Only remote access services that comply with the requirements in this document will be permitted to connect to Brock's network. Non-compliant remote access services will be reported to the Director, IT Infrastructure and the administrator will be required to implement appropriate controls or the solution will be shut down.

All systems and services not purposely made publicly available through the internet by ITS must be accessed through a remote access service.

2.2 Published Services

Requests to make new services publicly accessible must be submitted via an ITS Help Desk Ticket for review, risk assessment and change control scheduling. These changes must be made in compliance with the policy and standard for Firewalls.

2.3 Identity Authentication

The identity of a user connecting via a remote access service must be authenticated upon initiation of each session. Automated logins are not permitted.
2.4 Remote Access Sessions

Termination of remote access sessions must occur after a period of inactivity of sixty (60) minutes in order to reduce the possibility of unauthorized users accessing unattended devices.

Split tunneling will be disabled so that devices connected to Brock's network cannot be connected to other networks at the same time.

2.5 Remote Computing Devices and Software

Remote devices must be operated in accordance with and maintain a level of security commensurate with that enforced on devices connected to the local area network. To achieve this principle, all VPN connected users must:

- Have a vendor-supported operating system and software that is up to date;
- Be protected with a personal or desktop firewall;
- Be protected with antivirus/anti-malware software with signatures that are automatically updated.

2.6 Remote Access Service for Brock Users

Active Staff, Faculty and Students are eligible for remote access.

Staff and faculty user accounts are automatically granted remote access rights to core services such as printing and file shares.

Course instructors may request remote access on behalf of their students for the duration of the course if they need to access networked resources not available through normal means. This is completed via an ITS Help Desk ticket.

Additional services (e.g., remote desktop, SSH) may be requested via an ITS Help Desk ticket and granted on a per user account basis.

2.7 Remote Access Service for NON-Brock Users

Brock employees may request that remote access to Brock's network be provided to individuals external to Brock via the Information Technology Services Help Desk. Such accounts will be set up by the Help Desk with a defined expiry date not exceeding 30 days or the length of a contracted agreement. The account may be renewed upon request by a Brock employee.
An up-to-date list of all external user accounts with remote access must be maintained by the ITS Help Desk. The list must include the expiry date, user's contact information including referring department, home and cell contact information.

2.8 Sensitive Information

Brock University sensitive data (such as credit card information) must not be downloaded or stored on the remote device.

2.9 Monitoring Remote Access Usage

A central remote access log must be maintained by ITS and retained for a minimum period of 90 days. The log must contain successful and failed login attempts.

Remote Access Implementation

Equipment used to provide and support remote access gateways must be:

- Placed in a DMZ
- Hardened with updated patches and antivirus
- Compliant with the Policy and Standards for System Security

Administrative access to remote access services must be limited to authorized and trained technical staff whose identity is authenticated using a strong and centrally administered authentication mechanism (i.e., no local user accounts).

Remote access services which are not managed by ITS will be reviewed and monitored for compliance with the policy and standards for remote access.

Remote access services can be requested by creating a Schedule 8 project request.

Remote Access Compliance

Policy violations that come to the attention of the ITS Help Desk will be reported to the Director, IT Infrastructure. In the event that the issue is not remediated, it will be escalated to the AVP, ITS.
Periodically, the AVP, ITS will provide a summary of policy violations to SAC in order to raise awareness and achieve compliance with this Policy and related Standards.

Remote Access Security Assessments

Remote Access infrastructure is a boundary level control for the entire Brock network and therefore must be reviewed for security posture, assessed regularly and when there is significant change to the technology, physical design or other elements that may introduce new threats or vulnerabilities. This assessment will be conducted as part of the change management process.

3. Responsibilities

3.1 Remote Access Users

All Remote Access users are responsible for:

- Adhering to the Remote Access Policy and related standards and the University's Acceptable Use Policy
- Ensuring that security safeguards installed to protect their remote device are not disabled or tampered with
- Exercising good judgment regarding the selection of the remote device used to connect to the remote access service
- Avoiding use of public terminals
- Protecting Brock University systems and data from unauthorized individuals
- Reporting any suspected security breaches to the ITS Help Desk.

3.2 Remote Access Administrators

Remote Access administrators are responsible for:

- Ensuring that a request for termination of VPN privileges is promptly acted upon
- Monitoring the administration, operations and security of the VPN infrastructure for adherence to these requirements
- Ensuring that security testing and evaluation of the VPN gateway is completed whenever there is a change that could introduce new threats or vulnerabilities.
4. Remote Access Definitions

Demilitarized Zone (DMZ): A DMZ is a computer host inserted as a neutral zone between a company's private network and the outside public network. It prevents outside users from getting direct access to company data.

Remote Access: Access to a Brock University system from an untrusted network zone (e.g., Internet).

Remote Access System: A service (e.g., VPN) which provides remote access to non-public Brock University systems and services.

Remote Desktop: A program or operating system feature that allows the user to connect to a computer in another location.

Secure Shell (SSH): SSH is a secure shell used for remote command line login, remote command execution and other secure network services between networked computers.

Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network.
Responsible Office: Chief Information Officer Pages of these Procedures 1 of 5 Procedures of Policy No. (2) - 1. User Access Management a) User Registration The User ID Registration Procedure governs the
More informationMinnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
More informationHow does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1
How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management
More informationIntroduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI
Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationBest Practices for DanPac Express Cyber Security
March 2015 - Page 1 Best Practices for This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com March 2015 - Page 2 Table of Content 1 Introduction
More informationGuideline on Access Control
CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationMobile Devices Policy
Mobile Devices Policy Item Policy description Division Director Contact Description Guidelines to ensure that mobile devices are deployed and used in a secure and appropriate manner. IT Services and Records
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationUMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY Antivirus Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator Recommended by Director
More informationMusic Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationThis policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
- 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must
More informationChecklist of Requirements for Protection of Restricted Data College of Medicine Departments (v 03/2014)
hecklist of Requirements for Protection of Restricted ata ollege of Medicine epartments (v 03/2014) These requirements must be met to comply with U data protection policies, including HIPAA Policies and
More informationP02.07.066. Mobile Device Security.
P02.07.066. Mobile Device Security. A. University employees and students using a laptop computer or mobile device (e.g. portable hard drives, USB flash drives, smartphones, tablets) are responsible for
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationRemote Access and Network Security Statement For Apple
Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and
More information