WHITEPAPER FIREMON COMPLIANCE WITH THE TECHNOLOGY RISK MANAGEMENT GUIDELINES FROM MONETARY AUTHORITY OF SINGAPORE


By: Jim D. Hietala, CISSP, GSEC, Open FAIR, Compliance Research Group

Table of Contents

Executive Overview ... 3
Overview of the Technology Risk Management Guidelines ... 3
FireMon Product Summary ... 5
Requirements and FireMon Compliance Summary ... 5
Conclusion ... 12
About the Author ... 13
About FireMon ... 13

Executive Overview

Complying with the 12 guidelines and 6 appendices of the Monetary Authority of Singapore Technology Risk Management Guidelines (TRM Guidelines) requires a detailed understanding of the guidelines and implementation of security controls that can mitigate risks. These include controls that manage, enforce, and report on compliance with policies in IT infrastructure equipment such as firewalls, routers, and switches. This whitepaper describes the TRM Guidelines and their importance and impact in Singapore and throughout Southeast Asia. The paper also describes those security controls in the FireMon family of IT security products that provide effective mitigation of risks, so that enterprises can meet the security guidelines found in the TRM Guidelines. By providing capabilities that facilitate compliance with a large percentage of the technical security controls identified in sections 4, 7, 9, 11, 12, 14, and Appendices A and D, FireMon's products help address half of the guidelines and add significantly to the ability of financial institutions and other organisations to comply with the TRM Guidelines and to effectively secure their customer financial information and IT systems.

Overview of the Technology Risk Management Guidelines

Published by the Monetary Authority of Singapore (MAS), the TRM Guidelines are aimed at financial institutions in Singapore. While not mandatory, compliance with the guidelines is something that the financial regulators consider in their risk assessments of financial institutions. In addition, given the leadership shown by the MAS in developing and issuing the guidelines, the best practices described in the TRM Guidelines have been adopted by other sectors and by organisations outside of Singapore in Southeast Asia. As such, they are a highly influential set of guidelines and recommendations with which to reduce risk in IT systems.
The TRM Guidelines have three primary goals, which are to assist organisations in:
- Establishing a sound and robust technology risk management framework;
- Strengthening system security, reliability, resiliency, and recoverability;
- Deploying strong authentication to protect customer data, transactions, and systems.

The TRM Guidelines contain 12 major sections and 6 appendices:

(3) OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF DIRECTORS AND SENIOR MANAGEMENT
This section of the TRM Guidelines ensures that boards of directors and senior management are responsible for risk management. It also establishes the requirement for policies, standards, and procedures that support the risk management framework, and for compliance processes that support the framework. In addition, it suggests security awareness programs and requirements.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK
In this section, the MAS specifies the essential elements of a risk framework to be implemented by affected financial institutions (FIs). The section describes numerous key requirements that FIs must address in their risk framework, including in the areas of protection for information system assets, identification of risks, assessment of risks, risk treatment, and risk monitoring and reporting.

(5) MANAGEMENT OF IT OUTSOURCING RISKS
Section 5 covers best practices for due diligence when vetting outsourcing providers and understanding the particular security implications of cloud computing.

(6) ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS
This section provides requirements related to the procurement of IT hardware and software, as well as software development security issues (including code review and system test requirements) and project management requirements.

(7) IT SERVICE MANAGEMENT
In section 7, service management issues such as change management, release management, incident and problem management, and capacity management are described.

(8) SYSTEMS RELIABILITY, AVAILABILITY AND RECOVERABILITY
This section describes requirements for reliability, availability, and recoverability of IT systems and infrastructure. It documents requirements for disaster recovery, data backup, and redundant equipment for failover.

(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT
This section presents key requirements for technical security controls that aim to protect customer information and other information assets. Included are requirements for user authentication, access controls, firewalls, data loss prevention, data protection both for data at rest on endpoints and for data in motion, encryption, and network and security configuration management. The section further describes requirements for wireless security, vulnerability assessments, penetration tests, vulnerability management, patch management, security monitoring, and logging and auditing.

(10) DATA CENTRES PROTECTION AND CONTROLS
Section 10 provides requirements for data centre protection and security. This includes performing threat and vulnerability risk assessments and deploying physical security controls to ensure the resiliency and operation of the facility.

(11) ACCESS CONTROL
This section of the TRM Guidelines describes access controls aligned with fundamental security principles (never-alone principle, segregation of duties, and access control/principle of least privilege). It also mentions access management, user privilege management for both insiders and contractors, password controls and policies, and restrictions on concurrent access to both production and backup data. Section 11 also describes numerous controls for privileged users.

(12) ONLINE FINANCIAL SERVICES
Section 12 is specific to online financial services. It segments online services into different categories (information, interactive information, and transactional service), and guides FIs to assess risks for these services appropriately. Numerous controls specific to online services are provided to ensure the confidentiality, integrity, and availability of these systems. These include encryption, logical segmentation of networks, monitoring and surveillance of activity, anti-DDoS measures, two-factor authentication, and customer security awareness education.

(13) PAYMENT CARD SECURITY (AUTOMATED TELLER MACHINES, CREDIT AND DEBIT CARDS)
Section 13 describes security controls specific to payment cards. From a security requirements standpoint, this section recommends safeguards to protect sensitive payment card data from magnetic stripes, and it calls for one-time password implementations for internet-based card transactions. It also requires ATM physical security measures and anti-fraud controls.

(14) IT AUDIT
The IT Audit section of the TRM Guidelines identifies how the IT audit function should be organised and governed, and it gives recommendations for audit frequency and scope.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW
A more detailed set of recommendations and requirements regarding testing of software, systems and networks is described in this appendix.

APPENDIX B: STORAGE SYSTEM RESILIENCY
This appendix describes requirements for the resiliency of IT storage systems.

APPENDIX C: CRYPTOGRAPHY
The specific recommendations regarding the use of cryptographic algorithms and standards are provided here.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION
Recommendations to maintain availability and continuity of operation in the face of attempted DDoS attacks are provided here.

APPENDIX E: SECURITY MEASURES FOR ONLINE SYSTEMS
More detailed recommendations for security controls for online services are detailed in this appendix.

APPENDIX F: CUSTOMER PROTECTION AND EDUCATION
Describes measures the FIs should undertake to educate customers on security threats.

The TRM Guidelines include requirements that span people, processes, and technological controls. Many areas of the TRM Guidelines specify people and process controls, where technological solutions aren't useful or applicable. As the summary table above shows, FireMon's products provide key capabilities that help FIs to address many of the technology control requirements in the TRM Guidelines. This includes significant coverage of compliance requirements found in sections 4, 7, 9, 11, 12, and 14. The FireMon products also help address compliance requirements found in Appendices A and D. For reference, the complete Technology Risk Management Guidelines from MAS are available on their website [1]. A helpful compliance checklist for the MAS TRM Guidelines is also available on their website [2].

FireMon Product Summary

FireMon provides a range of products that help organisations to better manage their IT infrastructure and understand risks from network access configuration. The FireMon Security Manager platform provides constant visibility into network security enforcement, the impact of policy change, and the exposure of vulnerable systems to attack, allowing organisations to optimize their existing defenses and focus remediation on truly critical IT risks. FireMon Risk Analyzer provides attack vector analysis, continuous attack surface monitoring, pre-change risk analysis, and network security enforcement gap analysis. FireMon Policy Planner provides rule recommendations, and allows network managers to manage the rule change process, perform policy change impact analysis, and carry out continuous policy compliance assessment.

Requirements and FireMon Compliance Summary

The mapping table below includes the specific TRM Guidelines reference, the requirement language, and explanatory text describing how the relevant FireMon product helps FIs to meet the requirement. Note that this table does not contain the full set of sections and requirements; it focuses on 6 of the 12 sections where the FireMon products either directly enable compliance or support efforts to comply.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK
Section description: This section of the TRM Guidelines ensures that boards of directors and senior management are responsible for risk management. It also establishes the requirement for policies, standards, and procedures that support the risk management framework, and for compliance processes that support the framework. In addition, it suggests security awareness programs and requirements.

Requirement: b. Identification and prioritisation of information system assets
Requirement: c. Identification and assessment of impact and likelihood of current and emerging threats, risks, and vulnerabilities
FireMon: FireMon risk reports help managers understand where the highest network security risks are due to reachable assets with known vulnerabilities.

Notes:
[1] TRM%20Guidelines%20%2021%20June% pdf
[2] TRM_Checklist

Requirement: d. Implementation of appropriate practices and controls to mitigate risks
FireMon: Controls and security policies deployed through FireMon Security Manager are intended to mitigate risks. These include policies, firewall rulesets, and baseline configurations that are deployed to network firewalls. New rules can be pre-tested for compliance before deploying them. The product also reports on changes to rules that have moved firewalls out of compliance with policy.

Requirement: e. Periodic update and monitoring of risk assessment to include changes in systems, environment or operating conditions that would affect risk analysis
FireMon: Baseline policies are assessed in real time, and managed and controlled before any new implementation of a service or application. FireMon Security Manager reports on firewall rule changes, as well as changes to risks over time.

Requirement: Information system assets are adequately protected from unauthorised access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure
FireMon: ... that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: The criticality of information system assets is ascertained and appropriate plans are developed to protect them
FireMon: ... that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: Mutating and growing risks are monitored vigilantly
FireMon: Attack path analysis and identification reports from FireMon can be used in the face of attacks to determine which assets are at risk and to plan network changes and new firewall rules to protect assets.

Requirement: A threat and vulnerability matrix is developed to assess the impact of threats to the organisation's IT environment, and to prioritise IT risks
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: For each type of risk identified, risk mitigation and control strategies that are consistent with the value of the information system assets and level of risk tolerance are developed and implemented.
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: Priority is given to threat and vulnerability pairings with high-risk ranking which could cause significant harm or impact to the organisation's operations
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: Risks of the highest severity are accorded top priority and monitored closely with regular reporting on the actions that have been taken to mitigate them.
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: A monitoring and review process for continuous assessment and treatment of risks is instituted
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: IT risk metrics are developed to highlight the systems, processes, or infrastructure that have the highest risk exposure
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: Past risk-control methods are re-evaluated with renewed testing and assessment of the adequacy and effectiveness of risk management processes.
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

(7) IT SERVICE MANAGEMENT

Requirement: A change management process is established to ensure that changes to production systems are assessed, approved, implemented, and reviewed in a controlled manner
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

Requirement: The change management process applies to changes pertaining to system and security configurations, patches for hardware devices, and software updates.
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

Requirement: Prior to deploying changes to the production environment, an assessment of whether the introduced change would spawn security implications or software compatibility problems to affected systems or applications is performed
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

Requirement: Separate physical or logical environments for systems development, testing, staging, and production are established
FireMon: Firewalls typically are used to maintain separation between test and production environments. FireMon helps manage rules for both environments and can evaluate network security policies and the impacts of changes across both.

Requirement: A root-cause and impact analysis is performed for major incidents which result in severe disruption of IT services. Remediation actions are taken to prevent the recurrence of similar incidents
FireMon: FireMon reporting capabilities, including attack path analysis; risky protocols, ports, and services; devices with failed controls; and firewall verification reports, provide the deep view into network security policy configuration required to perform root cause analysis of network traffic.

Requirement: a. ii. Root cause analysis: where did it happen? a. iii. Why and how did the incident happen? c. ii. Measures to address the root cause of the incident. c. iii. Measures to prevent similar or related incidents from occurring.
FireMon: FireMon reporting capabilities, including attack path analysis; risky protocols, ports, and services; devices with failed controls; and firewall verification reports, provide the deep view into network security policy configuration required to perform root cause analysis of network traffic.

(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT

Requirement: Security solutions are implemented at the data, application, database, operating systems, and network layers to adequately address and contain threats.
FireMon: ... that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: Measures are implemented to protect sensitive or confidential information such as customer personal, account, and transaction data that are stored and processed in systems
FireMon: ... that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: Important data are identified and adequate measures are adopted to detect and prevent unauthorised access, copying, or transmission of confidential information
FireMon: Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access and transmission of sensitive information.

Requirement: Measures are implemented to address risks of data theft, data loss and data leakage from endpoint devices, customer service locations, and call centres
FireMon: ... that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access and transmission of sensitive information.

Requirement: Measures are implemented to prevent and detect the use of unsafe internet services within the organisation
FireMon: ... that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. This can include blocking unsafe internet services across the network.

Requirement: Confidential information stored on IT systems, servers and databases are encrypted and protected through strong access controls, bearing in mind the principle of least privilege
FireMon: ... that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access and transmission of sensitive information.

Requirement: An up-to-date inventory of software and hardware components used in the production and disaster recovery environments is maintained.
FireMon: The FireMon asset inventory report provides information on all security and network assets in use across the entire network.

Requirement: Effective risk mitigation controls are established where necessary
FireMon: FireMon Risk Measurement, Risk Recommendations, and Risk Scoring reports help identify where risk exists, and how best to mitigate it.

Requirement: IT systems and devices are configured with security settings that are consistent with the expected level of protection.
Requirement: Baseline standards are established to facilitate consistent application of security configurations to operating systems, databases, network devices, and enterprise mobile devices within the IT environment
FireMon: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are consistently applied throughout the IT infrastructure.

Requirement: Regular enforcement checks are conducted to ensure that baseline standards are applied uniformly and non-compliances are detected and raised for investigation
FireMon: FireMon continuous assessment reports, including traffic flow, attack path, global drop firewall rule, and risky ports, protocols, and services details, can serve as regular checks of baseline security behaviour.

Requirement: Network security devices, such as firewalls as well as intrusion detection and prevention systems, are installed at critical junctures to protect network perimeters.
FireMon: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are consistently applied throughout the IT infrastructure.

Requirement: Rules on network security devices are regularly backed up.
FireMon: FireMon also provides backups for firewall rules, and manages deployment of rulesets to network devices.

Requirement: Rules on network security devices are regularly reviewed to determine their appropriateness and relevancy.
FireMon: Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can inform needed and planned changes to firewall rules.

Requirement: Automated tools and manual techniques are used to perform a vulnerability assessment
FireMon: Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can help to identify vulnerabilities that exist at the network layer, as a part of a larger vulnerability assessment.

Requirement: Penetration tests on internet-facing systems are conducted at least annually
FireMon: Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can help to identify vulnerabilities that exist at the network layer. While not a direct part of a penetration test, these reports will be critical to understanding how penetration tests were successful, and how best to address the security weaknesses.

Requirement: Security monitoring tools which enable the detection of changes to critical IT resources such as databases, system or data files and programs, are implemented to facilitate the identification of unauthorised changes.
FireMon: For network security devices, FireMon monitors and flags changes to firewall rule configurations, and manages changes to firewall rulesets.

(11) ACCESS CONTROL

Requirement: User access to IT systems and networks is granted on a need-to-use basis and within the period when the access is required.
FireMon: Logical access to IT resources is controlled at the network layer through the deployment of firewalls. FireMon Security Manager manages the access rules in firewalls across the network.

(12) ONLINE FINANCIAL SERVICES

Requirement: Risks associated with different types of services provided over the internet are clearly identified in the risk management process
FireMon: FireMon risk reports describe network access risks, including those related to assets supporting online services.

Requirement: A security strategy is devised and measures are put in place to ensure the confidentiality, integrity, and availability of data and systems.
FireMon: Fundamental to ensuring CIA for online services is understanding risks and attack paths for assets used in online IT systems. FireMon identifies these through extensive reporting, and provides the ability to consistently deploy security policies to network devices throughout the network.

Requirement: Physical and logical access security are implemented to allow only authorised staff to access systems
FireMon: FireMon manages the network access to IT systems to ensure that only authorised staff are allowed access to systems.

Requirement: Adequate safeguards are implemented to protect sensitive or confidential information used for mobile online services and payments.
Requirement: The processing of sensitive or confidential information is performed in a secure environment.
FireMon: FireMon ensures that consistent security policies are deployed throughout the network to secure access to sensitive data.

(14) IT AUDIT

Requirement: The scope of IT audit is comprehensive and includes all critical IT operations.
FireMon: FireMon supports effective IT audits through numerous reports that describe attack paths, network audit logs, risk measurement and visibility, risky protocols, services and ports, and firewall rule reporting.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW

Requirement: A.1.1 Rigorous testing of systems is conducted to verify the security, reliability and availability of systems under normal and extreme conditions.
FireMon: FireMon supports systems security testing by documenting access and attack paths to network devices.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION

Requirement: D2.2 Devices such as application and network firewalls, network and host-based intrusion detection/prevention systems, routers and other specialised equipment are installed and configured to alert security staff and divert and/or filter network traffic in real time once an attack is suspected or confirmed.
FireMon: FireMon reports provide visibility into attack vectors/paths, and to the firewall rules that may need modification as a result of attacks.

Conclusion

Management of network security devices and network access is fundamental to securing IT systems and customer information. It is also a core capability that is critical in meeting the explicit technical control requirements found in the TRM Guidelines, and in providing the supporting information necessary to comply with many of the process-related control requirements of the TRM Guidelines. FireMon's security products provide extensive capabilities across the requirements. They provide comprehensive coverage of compliance requirements found in sections 4, 7, 9, 11, and 12, and Appendices A and D of the TRM Guidelines.
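The rule-review reports that the mapping above relies on for the section 9 requirements (firewall rules with "any" sources or destinations, rules with large sources or destinations, risky ports, protocols and services, rule backups, and detection of rule changes) can be illustrated with a few self-contained checks over a small ruleset. The following is an added example, not FireMon's code: the rule format, the list of services treated as risky, and the "/16 or wider counts as large" threshold are assumptions chosen for the example, and the ruleset and change requests are constructed. It reviews existing rules, assesses a proposed rule before it would be committed, and compares the live ruleset against a backed-up baseline to flag drift.

```python
"""Firewall rule-review checks: "any" rules, large scopes, risky services,
pre-change assessment of a proposed rule, and drift detection between a
backed-up baseline and the current ruleset. Added example; the rule format,
risky-service list and "large scope" threshold are assumptions, not FireMon's."""
import hashlib
import ipaddress
import json

# Services treated as risky when permitted by a firewall rule (assumed list).
RISKY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp", "tcp/445": "smb", "tcp/3389": "rdp"}

# A /16 or wider source/destination counts as "large" (assumed threshold).
LARGE_SCOPE_THRESHOLD = 2 ** 16

# Constructed sample ruleset; not a real configuration.
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "any", "service": "tcp/443", "action": "allow"},
    {"id": 2, "src": "any", "dst": "any", "service": "any", "action": "allow"},
    {"id": 3, "src": "192.0.2.0/24", "dst": "10.1.5.10/32", "service": "tcp/23", "action": "allow"},
    {"id": 4, "src": "203.0.113.0/24", "dst": "10.2.0.0/16", "service": "tcp/3389", "action": "allow"},
    {"id": 5, "src": "any", "dst": "any", "service": "any", "action": "deny"},  # global drop
]

# Constructed change requests used for the pre-change check and drift detection.
PROPOSED_OK = {"id": 6, "src": "192.0.2.0/24", "dst": "10.1.5.10/32", "service": "tcp/443", "action": "allow"}
PROPOSED_BAD = {"id": 7, "src": "any", "dst": "10.1.5.0/24", "service": "tcp/23", "action": "allow"}


def scope_size(addr):
    """Number of IPv4 addresses a source/destination field covers."""
    if addr == "any":
        return 2 ** 32
    return ipaddress.ip_network(addr, strict=False).num_addresses


def review_rule(rule):
    """Return finding codes for one rule. Only permissive rules are reviewed;
    the closing deny-all ("global drop") rule is expected and not flagged."""
    findings = []
    if rule["action"] != "allow":
        return findings
    if rule["src"] == "any" or rule["dst"] == "any":
        findings.append("ANY_SRC_OR_DST")
    if rule["src"] != "any" and scope_size(rule["src"]) >= LARGE_SCOPE_THRESHOLD:
        findings.append("LARGE_SRC")
    if rule["dst"] != "any" and scope_size(rule["dst"]) >= LARGE_SCOPE_THRESHOLD:
        findings.append("LARGE_DST")
    if rule["service"] == "any":
        findings.append("ANY_SERVICE")
    elif rule["service"] in RISKY_SERVICES:
        findings.append("RISKY_SERVICE:" + RISKY_SERVICES[rule["service"]])
    return findings


def review_ruleset(rules):
    """Map rule id -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


def pre_change_check(proposed):
    """Assess a proposed rule before it is committed: (approved?, findings)."""
    findings = review_rule(proposed)
    return (not findings, findings)


def apply_change(rules, rule):
    """Return a new ruleset with `rule` added, or replacing the rule with the same id."""
    updated = [r for r in rules if r["id"] != rule["id"]]
    updated.append(rule)
    return sorted(updated, key=lambda r: r["id"])


def ruleset_fingerprint(rules):
    """Order-independent SHA-256 of a ruleset, for comparing a stored backup
    against the rules currently loaded on a device."""
    canonical = json.dumps(sorted(rules, key=lambda r: r["id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, current):
    """Describe how `current` differs from the backed-up `baseline` ruleset."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(i for i in set(base) & set(cur) if base[i] != cur[i]),
    }


if __name__ == "__main__":
    for rule_id, findings in review_ruleset(RULES).items():
        print(f"rule {rule_id}: {', '.join(findings)}")
    print("proposed rule 7 approved:", pre_change_check(PROPOSED_BAD)[0])
    changed = apply_change(RULES, {**RULES[2], "service": "tcp/22"})
    print("drift vs backup:", detect_drift(RULES, changed))
```

The fingerprint is order-independent so that a device that reorders its rule list without changing any rule does not raise a false drift alarm; the per-rule diff then tells the reviewer which rule ids were added, removed or modified relative to the last backup, which is the information a change-management review or incident root-cause analysis needs.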

About the Author

Jim D. Hietala, CISSP, GIAC GSEC, and Open FAIR, heads security standards activities for a major IT industry standards group, where he has led the development of a number of IT security and risk industry standards. He is also a principal with Compliance Research Group, a risk and compliance consulting organisation. Jim is an active participant in the SANS Analyst/Expert program. A frequent speaker at industry conferences, he has published numerous articles on information security, risk, and compliance topics in publications including the ISSA Journal, Risk Factor, Bank Accounting & Finance, SC Magazine, and Cutter IT Journal. A security industry veteran, he has held leadership roles at a number of security technology startups. He holds a B.S. in Marketing from Southern Illinois University.

About FireMon

FireMon is the industry leader in providing enterprises, governments and managed services providers with proactive security intelligence solutions that deliver deeper visibility and tighter control over their network security infrastructure. The FireMon Security Intelligence Platform, including Security Manager, Policy Planner and Risk Analyzer, enables customers to identify network risk, proactively prevent access to vulnerable assets, clean up firewall policies, automate compliance, strengthen security throughout the organization, and reduce the cost of security operations. For more information, visit

CONTACT FIREMON: 8400 W. 110th Street, Suite 400, Overland Park, KS, USA

FireMon and the FireMon logo are registered trademarks of FireMon, LLC. All other product or company names mentioned herein are trademarks or registered trademarks of their respective owners. Copyright FireMon, LLC 2014 rev031914


Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

FIREMON SECURITY MANAGER

FIREMON SECURITY MANAGER FIREMON SECURITY MANAGER Regain control of firewalls with comprehensive firewall management The enterprise network is a complex machine. New network segments, new hosts and zero-day vulnerabilities are

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Monetary Authority of Singapore TECHNOLOGY RISK MANAGEMENT GUIDELINES

Monetary Authority of Singapore TECHNOLOGY RISK MANAGEMENT GUIDELINES Monetary Authority of Singapore TECHNOLOGY RISK MANAGEMENT GUIDELINES JUNE 2013 TABLE OF CONTENTS 1 INTRODUCTION... 4 2 APPLICABILITY OF THE GUIDELINES... 5 3 OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Proactive Security through Effective Management

Proactive Security through Effective Management Proactive Security through Effective Management COMPANY Overview There are fundamental flaws in the way enterprises manage their network security infrastructures. We created FireMon, an enterprise security

More information

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

HOW MX PROTECTS YOUR DATA

HOW MX PROTECTS YOUR DATA HOW MX PROTECTS YOUR DATA Overview MX is passionate about and dedicated to protecting, safeguarding, and securing customer data. To do so, MX has established a strong security program supported by a comprehensive

More information

EA-ISP-012-Network Management Policy

EA-ISP-012-Network Management Policy Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:

More information

Keyfort Cloud Services (KCS)

Keyfort Cloud Services (KCS) Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

McAfee Acquires NitroSecurity

McAfee Acquires NitroSecurity McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance

BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance www.balabit.com In 2008, the Monetary Authority of Singapore (MAS),

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

IT Security. Securing Your Business Investments

IT Security. Securing Your Business Investments Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais. Test du CISM Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais. 1. Which of the following would BEST ensure the success of information security governance within an organization?

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Introduction The new standard ISO/IEC 27001:2013 has been released officially on 1 st October 2013. Since we understand that information

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

IT Security Policy - Information Security Management System (ISMS)

IT Security Policy - Information Security Management System (ISMS) IT Security Policy - Information Security Management System (ISMS) Responsible Officer Contact Officer Vice-President, Finance & Operations Chief Digital Officer Superseded Documents IT Security Policy,

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com Table of

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Understanding Sage CRM Cloud

Understanding Sage CRM Cloud Understanding Sage CRM Cloud Data centre and platform security whitepaper Document version 2016 Table of Contents 1.0 Introduction 3 2.0 Sage CRM Cloud Data centre Infrastructure 4 2.1 Site location 4

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information