Certification for Information System Security Professional (CISSP)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Certification for Information System Security Professional (CISSP)"

Transcription

1 Certification for Information System Security Professional (CISSP) The Art of Service

2 Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Notice of Liability The information in this book is distributed on an As Is basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it. Trademarks Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book. The Art of Service

3 TABLE OF CONTENTS 1 INTRODUCTION INTRODUCTION TO CISSP WHERE DID CISSP COME FROM? WHAT IS CISSP? HISTORY OF INFORMATION SECURITY WHAT IS INFORMATION SECURITY? UNDERSTANDING THE CIA TRIAD CONFIDENTIALITY INTEGRITY AVAILABILITY LIMITATIONS TO CIA TRIAD WHY CERTIFY FOR CISSP? COMPANIES USING CISSP 23 2 DOMAIN ONE INFORMATION SECURITY AND RISK MANAGEMENT EXPECTATIONS FOR CISSP UNDERSTANDING SECURITY POLICIES, PROCEDURES, STANDARDS, GUIDELINES AND BASELINES WHAT ARE THE COMPLIANCE FRAMEWORKS? COSO ITIL COBIT ISO / BS CHANGING ORGANIZATIONAL BEHAVIOR RESPONSIBILITIES OF THE INFORMATION SECURITY OFFICER CREATING AN ENTERPRISE SECURITY OVERSIGHT 3

4 COMMITTEE WHY SECURITY AWARENESS TRAINING? UNDERSTANDING RISK MANAGEMENT 43 3 DOMAIN TWO ACCESS CONTROL PRINCIPLES OF ACCESS CONTROL INFORMATION CLASSIFICATION CREATING A DATA CLASSIFICATION PROGRAM UNDERSTANDING CATEGORIES TO ACCESS CONTROL UNDERSTANDING ACCESS CONTROL TYPES LOOKING MORE AT ADMINISTRATION ACCESS CONTROLS UNDERSTANDING CHANGE CONTROL UNDERSTANDING BUSINESS CONTINUITY AND DISASTER RECOVERY UNDERSTANDING THE PERFORMANCE MANAGEMENT, CONFIGURATION MANAGEMENT, LIFECYCLE MANAGEMENT AND NETWORK MANAGEMENT UNDERSTANDING VULNERABILITY MANAGEMENT UNDERSTANDING USER MANAGEMENT UNDERSTANDING PRIVILEGE MANAGEMENT UNDERSTANDING TECHNICAL CONTROLS UNDERSTANDING ACCESS CONTROL THREATS EMPLOYING DIFFERENT TYPES OF IDENTIFICATION EMPLOYING DIFFERENT TYPES OF AUTHENTICATION UNDERSTANDING MEMORY CARDS AND SMART CARDS USING BIOMETRICS PERFORMING AUDITS 87 4

5 4 DOMAIN THREE - CRYPTOGRAPHY HISTORY OF CRYPTOGRAPHY METHODS OF CRYPTOGRAPHY TYPES OF CIPHERS UNDERSTANDING ENCRYPTION MANAGEMENT USING PUBLIC KEY INFRASTRUCTURES (PKI) IDENTIFYING ATTACKS TO CRYPTOGRAPHY 99 5 DOMAIN 4 PHYSICAL (ENVIRONMENT) SECURITY IDENTIFYING THREATS AND VULNERABILITIES TO PHYSICAL SECURITY USING THE LAYERED DEFENCE MODEL IMPLEMENTING A LAYERED DEFENCE MODEL UNDERSTANDING INFORMATION PROTECTION AND MANAGEMENT DOMAIN FIVE SECURITY ARCHITECTURE AND DESIGN UNDERSTANDING DESIGN PRINCIPLES HARDWARE SOFTWARE SECURITY MODELS AND ARCHITECTURE THEORY SECURITY PRODUCT EVALUATION METHODS AND CRITERIA DOMAIN SIX BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING CONCERNS OF CONTINUITY PLANNING 129 5

6 7.2 PROJECT INITIATION PHASE CURRENT STATE ASSESSMENT PHASE DEVELOPMENT PHASE IMPLEMENTATION AND MANAGEMENT PHASES DOMAIN SEVEN TELECOMMUNICATIONS AND NETWORK SECURITY LAYER 1 PHYSICAL LAYER LAYER 2 DATA-LINK LAYER LAYER 3 NETWORK LAYER LAYER 4 TRANSPORT LAYER LAYER 5 SESSION LAYER LAYERS 6 & 7 PRESENTATION AND APPLICATION LAYERS149 9 DOMAIN EIGHT APPLICATION SECURITY USING PROGRAMMING EFFECTIVELY PROTECTING THE SOFTWARE ENVIRONMENT ENFORCING SECURITY PROTECTION AND CONTROLS IDENTIFYING MALWARE DATABASE MANAGEMENT SYSTEM (DBMS) ARCHITECTURE DOMAIN NINE OPERATIONS SECURITY MANAGING THREATS TO OPERATIONS DOMAIN TEN LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS INFORMATION TECHNOLOGY LAWS AND REGULATIONS 171 6

7 11.2 UNDERSTANDING COMPUTER CRIMES, PRIVACY AND LIABILITY REFERENCES 175 7

8 8

9 1 Introduction 1.1 Introduction to CISSP Today s businesses are faced with security threats which are becoming more complex. The use of mobile devices is becoming more widespread; the more mobile the populace, the harder to manage assets and the information on those assets. As a result, companies are increasingly concerned with the security surrounding those assets and information. In addition, the implementation of Sarbanes-Oxley is the U.S. has required focused attention on the security of financial information for companies. And finally, the worldwide scrutiny on security across the board has increased due to global concerns. Because of these reasons, companies are placing more focus on their Information Technology (IT). The IT Governance Global Status Report-200b, compiled by the IT Governance Institute (ITGI), showed 93 percent of corporate executives believed that IT was somewhat to very important to their overall corporate strategy or vision. This was a 6 percent increase from ITGI s 2005 survey. IT, telecom, and financial service-based companies are much more concerned with IT than other business sectors with 71% and 77% respectively. The bottom line: companies are putting more attention on their IT solutions. Security management and the processes supporting security 9

10 management is one of the top concerns of this increasing attention. Information Security Certifications are becoming more valuable for IT security professionals and companies concerned with IT. According to the 2008 (ISC) 2 Global Information Security Workforce Study, compiled by (ISC) 2, 78% of respondents involved in the hiring process claim certifications are either Very Important or Somewhat Important. This is a diverse change from twenty, even ten years ago when securing a network was a new discipline and not well-understood. According to the 2008 survey, 15 different security certifications were available, which is in contrast to the 40 vendor-neutral and more than 25 vendorspecific certifications available in the marketplace. Of all these certifications, the Certification for Information System Security Professional (CISSP) has become highly recognized. 1.2 Where did CISSP come from? The Certification for Information System Security Professional is administered by the International Information Systems Security Certification Consortium (ISC) 2. First available in 1989, the certification demonstrates the qualifications of information systems security practitioners. 10

11 The CISSP is accredited by the American National Standards Institute (ANSI). The ANSU has been coordinating a voluntary standardization system in the United States since It is a private, non-profit membership organization representing the interests of over 125,000 companies and 3.5 million professionals. The ANSI does not develop standards; rather they facilitate the development of American National Standards (ANS). They also assist in ensuring that ANS complement the standards used internationally, allowing American products to be recognized and used in the global market. Accreditation means that the standard complies with the ANSI Essential Requirements, a set of requirements or procedures used by standard developers. These requirements focus on: Openness Lack of dominance Balance Coordination and harmonization Notification of standards development Consideration of views and objections Consensus vote Appeals Written procedures Compliance with normative American National Standards policies and procedures. 11

12 The ANSI accredits CISSP to ISO/IEC Standard 17024:2003. The purpose of the standard is for organizations and entities wishing international recognition for certifying the competence of individuals through education, knowledge, skills, and experience. It was developed by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC). Fully enacted on April 2003, 17024:2003 is considered a benchmark for organizations responsible for certifying personnel. In short, the CISSP has become a globally recognized standard of achievement for the Information Systems Security Professional. CISSP is the baseline for the U.S. National Security Agency s ISSEP (Information Systems Security Engineering Professional) program. The U.S. Department of Defence Directive requires every defence worker, military or civilian, with privileged access to a DoD system to obtain a certification credential, of which CISSP is fully accepted. 1.3 What is CISSP? CISSP is a credential for persons working in the field of information security. It requires at least five years experience in information security. A person can take an exam based on the CISSP Common Book of Knowledge (CBK), a common framework of information security terms and principles. 12

13 The CISSP CBK is based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity, and availability. It works with ten areas of interest, or domains. Those domains are: Access control Application Security Business Continuity and Disaster Recovery Planning Cyptography Information Security and Risk Management Legal, regulations, compliance and Investigations Operations Security Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security For CISSP credential, professional experience must be in two or more of the domains listed above. Fortunately for those lacking the experience required for the certification, the certification administrator, (ISC)2, has a program for those who pass the exam, called Associate of (ISC)2. Each certification is valid for three years and a professional must be recertified at the end of that period. In addition, a CISSP credential holder in good standing is also completing the minimum annual number of Continuing Professional Education credits (CPEs). 13

14 As information security continues to evolve, additional credentials have been developed beyond the foundational CISSP to meet the specific needs of the business. These credentials concentrate on key areas of information security: Architecture (ISSAP) appropriate for persons who develop, design, or analyze a business overall security plan, such as Chief Security Architects and Analysts. Engineering (ISSEP) developed in conjunction with the U.S. National Security Agency, this Concentration serves as a guide for integrating security into all areas of operations. Management (ISSMP) provides deeper elements into managing security policies and procedures that support the overall goals of a business. Each Concentration has its own (CBK) domains. Of course additional experience must be proven as well as the successful passing of the examination for each Concentration. 1.4 History of Information Security Before moving forward, it would be wise to understand the discipline of information security, what it is and how it evolved. Since the invention of writing, messages from heads of state and military leaders have been intercepted or stolen, even forged. Julius Caesar used the Caesar cipher to ensure that his messages did not fall into enemy 14

15 hands, one of the earliest known encryption techniques. To ensure authenticity of a message, persons of importance would use a wax seal with their families crest on messages. Throughout the ages, different techniques were used to maintain the security of information. However, the professional field of information security started during World War II, where information, both physical and intellectual, needed protection. A formalized classification of data was introduced that described the sensitivity of the information and identified those individuals who had access to it. Background checks started to be conducted during WWII. The years after WWII, particularly the McCarthy era, showed governments increased concern with the protection of intelligence, information concerning the workings, military build-ups, and technological advancements of government and the country, both domestic and foreign. The Cold War struggle between the United States and the Soviet Union perpetuated the need for information security. But even then, the number of professionals who were dedicated to the tenets of this disciplined were few. Not until the widespread emergence of the Internet did information security have such a strong presence in our society. With the rapid advancements of telecommunications and computers, the availability of smaller, more powerful equipment became less expensive. Now the small business owner, the home owner, and the 15

16 underage computer geek had access to information from every area of the world. Electronic data processing and electronic business is rapidly growing because of the Internet, along with more occurrences of global terrorism. As a result, information security is now an academic discipline designed to insure the security and reliability of information security. But information security is not just a concern for the business owner, but everyone. The rise of ID theft has required more attention on the security of information on the individual, as well. Currently every software package being released, specifically office productivity software, has to be concerned with providing features for securing information. 1.5 What is Information Security? Information security is simply the methods used to protect information and information systems. Using the tenets of the CIA triad, information security is concerned with protecting data regardless of form: electronic, print, film, or any other form. Information is being collected everywhere by everyone. An individual is compiling information about themselves and others nearly every moment. And information, such as credit ratings, police records, financial holdings, and trivial facts are being collected on every individual over time. As individuals connect or forced together into a network, such 16

17 as a business, the amount of data being collected increases exponentially. Most of this information is being collected, processed, and stored electronically and transmitted across networks to other computers. Some information is so sensitive, that unauthorized access to it could result in financial loss, loss in credibility, and legal problems. For businesses, protecting sensitive information is a requirement, in many cases an ethical or legal requirement. Several concerns are presented to the information security professional dealing with the protection of data. The foremost concern is ensuring the appropriate access to data by authorized personnel, while restricting all or part of the information from unauthorized persons. While some information may not be confidential, disclosure of the information must be regulated. How data is used or even modified has been a concern for information security professionals. The disruption of data transmissions from one computer to another, even one network to another, has had increasing concerns with the growth of the Internet. And finally, even the proper disposal or destruction of information, or prevention against destruction, is a concern for the information security professional. 17

18 1.6 Understanding the CIA Triad Information security is based on three fundamental tenets, called the CIA triad. Those tenets are confidentiality, integrity, and availability. As a security model, the CIA triad has been used to identify possible problems in a system and discover appropriate solutions for information security Confidentiality Whether the information is considered confidential, or a person would simply like it to be private requires systems and processes to be put into place preventing unauthorized access and use. For this reason, one leg of the CIA triad model is confidentiality. The first step in this area is to provide an ability to identify a specific piece of data as confidential. Not all information is confidential, and not all information has the same level of confidentiality. Therefore, a simple task of identifying the level of privacy data should have can become a rather complex project. However, once the information has been declared confidential appropriately, the next step is to identify who has access to that information. File permissions, access control lists, and encryption methods are all means by which to control access to data. A information security professional is concerned with managing, monitoring, and 18

19 verifying those means constantly, enforcing access based on policies given from management Integrity One of the most important concerns in data control is the integrity of the data; that is, the ability of the data to be accurate, reliable, and available at any given time. In order to maintain a world class business, it is a necessity to have a solid ability to modify the data available to the business, whether that data is customer and employee records, intellectual property, company policies and procedures, press releases, or the like. At the same time, it is important to ensure that the data isn t changed by unauthorized personnel. The CIA triad leg of integrity focuses on these concerns. Sarbanes-Oxley forced the business community into understanding the need for integrity within financial records, requiring the need to track financial transactions in detail to understand exactly where money was coming and where it was going. As businesses started adapting to those requirements, they also started recognizing the value this commitment to integrity had on other information groups used in the business. The concerns became apparent. A) The slightest change in the most sensitive information could result in service disruptions or breaches in security. 19

20 B) Unapproved changes to policy information could pose concerns to customer relations and possible loss of business. C) Possible deletion of information, through accident or malicious conduct, could render a business paralyzed in its ability to conduct business. These are just a few examples of the important concerns for information security. The more popular techniques for managing integrity of data is version control systems, backups, and file permissions Availability When information is not available, it might as well be useless. This is the concern of the third leg of the CIA triad: availability. In this area, the information security professional is focused on creating and maintaining a computer architecture that allows for the greater availability to the information housed on the system. One major concern is to manage the computer infrastructure from possible threats, such as malicious viruses, power outages, and failures in hardware. The second major concern is ensuring that components are maintained appropriately, providing the required health checks, and making upgrades to hardware and software as required. Approaches to maintaining availability include, but not limited to, clustering, redundancy systems and capabilities 20

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

Disaster recovery planning 38 Success Secrets - 38 Most Asked Questions On Disaster recovery planning - What You Need To Know

Disaster recovery planning 38 Success Secrets - 38 Most Asked Questions On Disaster recovery planning - What You Need To Know Disaster recovery planning 38 Success Secrets - 38 Most Asked Questions On Disaster recovery planning - What You Need To Know Copyright by Gladys Noel Notice of rights All rights reserved. No part of this

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

Security Transcends Technology

Security Transcends Technology INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. Career Enhancement and Support Strategies for Information Security Professionals Paul Wang, MSc, CISA, CISSP Paul.Wang@ch.pwc.com

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Information Security Specialist Training on the Basis of ISO/IEC 27002

Information Security Specialist Training on the Basis of ISO/IEC 27002 Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu

More information

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar

More information

The Value of Information Security Certifications

The Value of Information Security Certifications The Value of Information Security Certifications Ed Zeitler, CISSP Executive Director, (ISC) 2 www.isc2.org Overview Why professional certificate for information security? About (ISC) 2 and its credentials

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

IT Security Training. Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules

IT Security Training. Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules IT Security Training Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules Benefits of Certification Provides Assurance to Employers Certification

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Certification and Training

Certification and Training Certification and Training CSE 4471: Information Security Instructor: Adam C. Champion Autumn Semester 2013 Based on slides by a former student (CSE 551) Outline Organizational information security personnel

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Safeguarding U.S. Cyber Assets with Well-Balanced, Proven Information Security Professionals

Safeguarding U.S. Cyber Assets with Well-Balanced, Proven Information Security Professionals Safeguarding U.S. Cyber Assets with Well-Balanced, Proven Information Security Professionals The U.S. government stands at a critical juncture in its cybersecurity efforts. As a country we face increasingly

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

Career Survey. 1. In which country are you based? 2. What is your job title? 3. Travel budget. 1 of 28. Response Count. answered question 88

Career Survey. 1. In which country are you based? 2. What is your job title? 3. Travel budget. 1 of 28. Response Count. answered question 88 Career Survey 1. In which country are you based? 88 answered question 88 skipped question 0 2. What is your job title? 88 answered question 88 skipped question 0 3. Travel budget not at all 21.0% 17 somewhat

More information

Full-Speed Ahead: The Demand for Security Certification by James R. Wade

Full-Speed Ahead: The Demand for Security Certification by James R. Wade Full-Speed Ahead: The Demand for Security Certification by James R. Wade It s no secret that technology is creating a more connected world every day. But as new technologies are released and adopted, the

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

Certified Software Development Associate (CSDA)

Certified Software Development Associate (CSDA) Certified Software Development Associate (CSDA) Secrets To Acing The Exam and Successful Finding And Landing Your Next Certified Software Development Associate (CSDA) Certified Job 1 2 Write a review to

More information

TOGAF Success Secrets. Copyright by Rebecca Hicks

TOGAF Success Secrets. Copyright by Rebecca Hicks TOGAF 9 143 Success Secrets Copyright by Rebecca Hicks Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying,

More information

SNAP WEBHOST SECURITY POLICY

SNAP WEBHOST SECURITY POLICY SNAP WEBHOST SECURITY POLICY Should you require any technical support for the Snap survey software or any assistance with software licenses, training and Snap research services please contact us at one

More information

Technical Proposition. Security

Technical Proposition. Security Technical Proposition ADAM Software NV The global provider of media workflow and marketing technology software ADAM Software NV adamsoftware.net info@adamsoftware.net Why Read this Technical Proposition?

More information

IT Security. Securing Your Business Investments

IT Security. Securing Your Business Investments Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security- Perspective for Management Information Security Management Program Concept

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Contingency Plan 32 Success Secrets. Copyright by Philip Downs

Contingency Plan 32 Success Secrets. Copyright by Philip Downs Contingency Plan 32 Success Secrets Copyright by Philip Downs Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical,

More information

An expert s tips for cracking tough CISSP exam

An expert s tips for cracking tough CISSP exam 35 / 83 Chapter 6 An expert s tips for cracking tough CISSP exam Rahul Kokcha, an experienced instructor for CISSP explains how to prepare for the CISSP exam, what are important topics, and what you do

More information

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Service Oriented Architecture 68 Success Secrets. Copyright by Irene Gray

Service Oriented Architecture 68 Success Secrets. Copyright by Irene Gray Service Oriented Architecture 68 Success Secrets Copyright by Irene Gray Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic,

More information

The Second National HIPAA Summit

The Second National HIPAA Summit HIPAA Security Regulations: Documentation and Procedures The Second National HIPAA Summit Healthcare Computing Strategies, Inc. John Parmigiani Practice Director, Compliance Programs Tom Walsh, CISSP Practice

More information

Disaster Recovery 100 Success Secrets

Disaster Recovery 100 Success Secrets Disaster Recovery 100 Success Secrets Disaster Recovery 100 Success Secrets - IT Business Continuity, Disaster Recovery planning and Services Gerard Blokdijk Disaster Recovery 100 Success Secrets Copyright

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Certified Information Security Manager

Certified Information Security Manager Certified Information Security Manager Secrets To Acing The Exam and Successful Finding And Landing Your Next Certified Information Security Manager Certified Job 1 2 Write a review to receive any FREE

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted. Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted. Administrative Awareness Case Study: Government Offices Certification and Accreditation:

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY CSCSS / ENTERPRISE TECHNOLOGY + SECURITY C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CENTRE FOR STRATEGIC CSCSS CYBERSPACE + SECURITY SCIENCE CSCSS / ENTERPRISE TECHNOLOGY + SECURITY GROUP Information

More information

Key Performance Indicator 26 Success Secrets. Copyright by Benjamin Hodges

Key Performance Indicator 26 Success Secrets. Copyright by Benjamin Hodges Key Performance Indicator 26 Success Secrets Copyright by Benjamin Hodges Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic,

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

(ISC) 2 2012 Career Impact Survey Executive Summary. The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow

(ISC) 2 2012 Career Impact Survey Executive Summary. The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow (ISC) 2 2012 Career Impact Survey Executive Summary The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow Skilled security professionals enjoy job stability and mobility,

More information

Point of sale 22 Success Secrets - 22 Most Asked Questions On Point of sale - What You Need To Know. Copyright by Henry Alford

Point of sale 22 Success Secrets - 22 Most Asked Questions On Point of sale - What You Need To Know. Copyright by Henry Alford Point of sale 22 Success Secrets - 22 Most Asked Questions On Point of sale - What You Need To Know Copyright by Henry Alford Notice of rights All rights reserved. No part of this book may be reproduced

More information

ISO 27001: Information Security and the Road to Certification

ISO 27001: Information Security and the Road to Certification ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD 2013 CANADIAN PAYMENTS ASSOCIATION 2013 ASSOCIATION CANADIENNE DES PAIEMENTS This Rule is copyrighted

More information

Cyber Security solutions

Cyber Security solutions Cyber Security solutions The scenario IT security has become a highly critical issue for all businesses as a result of the growing pervasiveness and diffusion of ICT technology. Risks can arise both inside

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

This story appeared on Information Management Journal at http://www.entrepreneur.com/tradejournals/article/print/189486076.

This story appeared on Information Management Journal at http://www.entrepreneur.com/tradejournals/article/print/189486076. This story appeared on Information Management Journal at http://www.entrepreneur.com/tradejournals/article/print/189486076.html Nov-Dec, 2008 How to create a security culture in your organization: a recent

More information

Executive Management of Information Security

Executive Management of Information Security WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

LINUX / INFORMATION SECURITY

LINUX / INFORMATION SECURITY LINUX / INFORMATION SECURITY CERTIFICATE IN LINUX SYSTEM ADMINISTRATION The Linux open source operating system offers a wide range of graphical and command line tools that can be used to implement a high-performance,

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

CLASSIFICATION SPECIFICATION FORM

CLASSIFICATION SPECIFICATION FORM www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

InfoSec Academy Application & Secure Code Track

InfoSec Academy Application & Secure Code Track Fundamental Courses Foundational Courses InfoSec Academy Specialized Courses Advanced Courses Certification Preparation Courses Certified Information Systems Security Professional (CISSP) Texas Security

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO Policy: Information Security Audit Program Issued by the CTO Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 1 of 12 1.0 PURPOSE The West Virginia Office of Technology (WVOT) will maintain an

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY 229 Information Security Fundamentals

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY 229 Information Security Fundamentals RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE CISY 229 Information Security Fundamentals I. Basic Course Information A. Course Number & Title: CISY-229 Information Security Fundamentals B. New or Modified

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Getting and Finding Computer Network, Systems, and Database Administrators Jobs. The Ultimate Guide for Job Seekers and Recruiters

Getting and Finding Computer Network, Systems, and Database Administrators Jobs. The Ultimate Guide for Job Seekers and Recruiters Getting and Finding Computer Network, Systems, and Database The Ultimate Guide for Job Seekers and Recruiters Copyright Notice of Rights All rights reserved. No part of this book may be reproduced or transmitted

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Information Systems Security Engineering Professional (ISSEP)

Information Systems Security Engineering Professional (ISSEP) Information Systems Security Engineering Professional (ISSEP) 1 Presentation Outline What is ISSE Why ISSEP Development of the ISSEP Concentration Content Certification Specifics 2 Systems Security Engineering

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Chapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition

Chapter 1: Information Security Fundamentals. Security+ Guide to Network Security Fundamentals Second Edition Chapter 1: Information Security Fundamentals Fundamentals Second Edition Objectives Identify the challenges for information security Define information security Explain the importance of information security

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

How SUSE Manager Can Help You Achieve Regulatory Compliance

How SUSE Manager Can Help You Achieve Regulatory Compliance White Paper Server How SUSE Manager Can Help You Achieve Regulatory Compliance Table of Contents page Why You Need a Compliance Program... 2 Compliance Standards: SOX, HIPAA and PCI... 2 What IT Is Concerned

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Certified Chief Information Security Officer (CCISO)

Certified Chief Information Security Officer (CCISO) Certified Chief Information Security Officer (CCISO) Secrets To Acing The Exam and Successful Finding And Landing Your Next Certified Chief Information Security Officer (CCISO) Certified Job 1 2 Write

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

Asset Management 42 Success Secrets. Copyright by Patrick Clements

Asset Management 42 Success Secrets. Copyright by Patrick Clements Asset Management 42 Success Secrets Copyright by Patrick Clements Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical,

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information