EAR/ITAR Compliance Strategies. Network Performance Inc
- Alvin Shaw
- 8 years ago

Transcription
1 EAR/ITAR Compliance Strategies Network Performance Inc
2 Agenda
1. Overview of EAR/ITAR requirements
2. Impacts on computer systems and security
3. Data access policies and restrictions
4. Data marking/classification
5. Data encryption approaches
6. ITAR compliance & logging applications
7. Securing key components (AD, folders, wireless, mobile devices, email, media)
8. Data discard/destruction
3 We help our clients succeed by ensuring
- High performance communications
- Business continuity
- Privacy & Security
- Comprehensive & Flexible support
4 NPI at a Glance
- Founded in 1988, based in South Burlington, Vermont
- Customers throughout the Northeast
- Focused on computer network services and security
- Developers of the SpamRejector service
- Staff certified by many leading IT manufacturers
5 Design Services
- Information Technology Planning
- IT Budgeting Techniques
- Network Designs
- Proposal Development
- Information Technology Staff Recruiting
- Project Planning
6 Connectivity Services
- Internet Connectivity
- Virtual Private Networks
- Remote Access
- Wide Area Networking
- Application Delivery Services
- Traffic Shaping and Monitoring
- Wireless Networking
- Convergence Services
7 Voice Services
- VoIP Readiness Assessments
- Bandwidth Analysis & Shaping
- Infrastructure Tuning
- QoS Configuration
- ShoreTel VoIP System Install & Support
- Computer Telephone Integration
8 Network Services
- Network Review
- Server Installation
- Network Documentation & IP Addressing
- Switch & Router Installation
- Active Directory Development
- Wire Certification
- Backup & Storage Systems
- Messaging Systems
- Network Management Systems
9 Security
- Security reviews
- Firewall security
- Virus protection
- Intrusion detection & content filtering
- Spam filtering
- Forensics
- Managed security services
- Authentication
10 EAR/ITAR Services
- Active Directory hardening
- Improved user authentication
- IT physical security enhancements
- Password policy setting
- Monitoring and testing security
- Developing security policies
- Data encryption installation and configuration
- EAR/ITAR application installation
11 Support Services
- Network Administration Service
- Network Health Checks
- Remote Support and Expedited Response
- Pre-Purchased Time
- Time & Materials
- Fixed Priced Projects
- Network Assurance Plan: a fixed-price contract covering key network elements (server, router, switch, firewall)
- Canopy
12 Canopy: a fixed-price comprehensive outsourcing contract covering all IT services
- 24/7 remote network monitoring
- Patch management of servers and workstations
- Critical updates of servers, workstations, routers and switches
- Software distribution to servers and workstations
- Data backups of servers and workstations
- Updates for anti-virus protection of servers & workstations
- Same-day emergency service for repairs on servers, workstations, routers, and switches
- Remote diagnostics and repairs (eliminates travel costs)
- Regular trend analysis meetings
13 EAR/ITAR Regulations Overview
14 Relationship between EAR & ITAR Regulations
- ITAR: Military (Dept of State)
- EAR: Dual Use Products, commercial but could be military (Dept of Commerce)
- Standard Requirements: required for ALL international transactions (multiple Gov't agencies; example: Denied Party Screening)
15 Goals and Scope of Export Control Law
Goals:
- To prevent terrorism
- To curtail export of technologies that assist the military potential of adversaries
- To comply with trade agreements and prevent development of nuclear, chemical and biological weapons
Scope:
- Covers commercial & dual use items on the Commerce Control List (CCL): Hardware, Software, Technology
- Applies to: all items that are physically present in the US; U.S.-origin items wherever located; certain foreign-manufactured items containing U.S. components
16 Reasons Certain Exports are Controlled
- National Security (NS)
- Foreign Policy (FP)
- Proliferation (MT, NP, CB)
- Short Supply (SS)
- Anti-Terrorism (AT)
- Crime Control (CC)
- High Performance Computer (XP)
- Regional Stability (RS)
- UN Sanctions (UN)
17 Key EAR Definitions
- Import: Transferring anything to a FOREIGN PERSON by any means, anywhere, anytime, or the knowledge that what you are transferring to a U.S. PERSON will be further transferred to a FOREIGN PERSON.
- Technical Data: May take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, or read-only memories.
- Controlled Technology: Specific information required for the development, production, or use of a product which is itself controlled. The information takes the form of technical data or technical assistance.
18 Penalties for EAR Violations
- Civil fines up to $250,000 or twice the value of the transaction at issue, whichever is greater
- Civil penalties can accrue without knowledge of the violation
- Criminal penalties of up to $1 million
- Prison sentences up to twenty years
- Criminal charges cover persons who willfully commit, attempt to commit, conspire to commit, or aid or abet in the commission of a violation
19 International Traffic in Arms Regulations (ITAR) Overview
- Deals with the export and temporary import of defense articles and defense services (including controlled technical data)
- Applies to brokering activities by either U.S. or foreign entities and payments of commissions by or on behalf of U.S. entities
20 Key ITAR Definitions
U.S. Person:
- A U.S. Citizen, by birth or naturalization
- A lawful permanent resident (Green Card holder)
- A protected individual, by asylum or as a refugee
- Any business or organization incorporated in the U.S., or any U.S. government entity (federal, state or local)
- A non-U.S. Person (or Foreign National) is an individual, business or organization which cannot prove its status in one of the above categories with appropriate documentation
Exporting:
- Sending or taking a defense article out of the United States
- Transferring control or ownership of an item covered by the USML to a foreign person, whether in the United States or abroad
- Disclosing (oral or visual) or transferring technical data to a foreign person, whether in the United States or abroad
21 Key ITAR Definitions (continued)
Defense Article:
- Any item or technical data designated in the USML, or
- An item specifically designed, developed, configured, adapted, or modified for a military application, with no predominant civil applications or performance equivalent
Technical Data:
- Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles
- This includes information in the form of blueprints, drawings, photographs, plans, instructions, or documentation
- Software directly related to defense articles
22 Penalties for ITAR Violations
- Criminal fines for corporations or individuals of up to $1 million per violation and/or imprisonment of up to ten years for willful violations
- Civil penalties for corporations or individuals of up to $500,000 per violation relating to unauthorized exports of defense articles or defense services
- Debarment from export of defense articles or defense services
23 Recent Violations and Penalties
- ITT: $100 million fine for exporting night vision goggles without an export license
- Hughes Network Systems: $5 million fine and 1 year debarment for unauthorized export of technical data, defense services, and defense articles to foreign employees
- Large U.S. sporting goods store: $750,000, negotiated down from $15M
24 Comparing EAR/ITAR Regulations
ITAR:
- Statute: Arms Export Control Act
- Agency: U.S. Department of State, Directorate of Defense Trade Controls (DDTC)
- Regulations: International Traffic in Arms Regulations (ITAR), 22 CFR
- Control list: United States Munitions List (USML)
- Covers: Defense Articles
EAR:
- Statute: Export Administration Act
- Agency: U.S. Department of Commerce, Bureau of Industry and Security (BIS)
- Regulations: Export Administration Regulations (EAR), 15 CFR
- Control list: Commerce Control List (CCL)
- Covers: Dual Use and Commercial
25 Bottom Line
- Engaging in international trade is a privilege, not a right. Compliance is essential to good business.
- Compliance is part of a company Code of Conduct and required by your Export/Import Compliance Policy
- Anyone involved in an international transaction is required to understand the requirements of U.S. export control laws/regulations
- Failure to comply can result in disciplinary action
26 Impact of EAR/ITAR on Computer Systems
27 Information Protection Threats
Internal threats are just as prevalent as external threats.
Accidental:
- Loss due to carelessness
- System disposal or repurposing without data wipe
- System physically lost in transit
Intentional:
- Data intentionally compromised
- Foreigner access to unauthorized data
- Offline attack on lost/stolen laptop
Targeted:
- Thief steals asset based on value of data
- Theft of branch office server (high value and volume of data)
- Theft of executive's or engineer's laptop
- Direct attacks with specialized hardware
28 The Growing Threats to EAR/ITAR Data
- Business is increasingly mobile
- Laptops rapidly replacing desktops
- Laptops expected to grow to 68% of all computers by ...
- ...,000 laptops lost or stolen per week in airports!
- Cheap storage continues to expand: standard laptop drives > 100GB; 2GB USB drives cost < $20
- More mobile data, more data to lose
- Users retain everything by default
- Mobility increases risk of theft
29 Branch Office Challenges
- Theft of server and/or its hard drives
- Re-provision or decommission of server or its hard drives
- Data theft via disk cloning by maintenance and outsourcing technicians
- Securing configured machines when shipping
- Physical security may be lax
30 Potential Consequences of a Data Breach
- Mobile data is vulnerable: 56% of breaches are due to a lost laptop, removable media, or backup media
- Prevention is cost-effective: following a breach, encryption is the most frequently deployed technology
31 Information Loss is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels:
Financial:
- The U.S. Dept of Justice estimates that intellectual property theft cost enterprises over $250 billion
- Loss of revenue, market capitalization, and competitive advantage
Legal & Regulatory Compliance:
- Increasing regulation: EAR/ITAR, SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements
Image & Credibility:
- Leaked executive email can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company's image and/or credibility
32 EAR/ITAR Data Security Recommendations
Build and Maintain a Secure Network:
- Install and maintain a firewall configuration to protect data
- No use of vendor-supplied defaults for passwords and other security parameters
Protect Sensitive Data:
- Protect stored data
- Encrypt transmission of sensitive data across public networks
Maintain a Vulnerability Management Program:
- Use and regularly update anti-malware software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures:
- Restrict access to EAR/ITAR data by user
- Assign a unique ID to each person with computer access
- Restrict physical access to EAR/ITAR data
Regularly Monitor and Test Networks:
- Track and monitor all access to network resources and sensitive data
- Regularly test security systems and processes
Maintain an Information Security Policy:
- Maintain a policy that addresses information security
33 Common EAR/ITAR Myths
#1: Breaches only happen to big firms. Fact: Smaller firms are highly vulnerable and a frequent target because of their large numbers. They are also an easy target, as they are typically the least technically sophisticated.
#2: EAR/ITAR compliant firms cannot be breached. Fact: EAR/ITAR compliance is not a guarantee. Any firm can be breached at any time, as security is a moving target.
#3: Written policies, user training and physical controls aren't important. Fact: Regulations cover not only data security but also the physical and written security policies.
#4: Compliance is too expensive. Fact: Non-compliance can be very expensive, if not catastrophic. Non-compliance can result in very high costs and lost business.
#5: Compliance is getting easier. Fact: For small firms, protecting sensitive data and maintaining a secure environment remains a complex endeavor.
34 Data Access Policies and Restrictions
35 Develop a Technology Control Plan (TCP)
Based on best practices; contains required elements from ITAR/EAR regulations. Key elements:
1. Commodity Jurisdiction & Classification
2. Physical Security Plan
3. Information Security Plan
4. Personnel Screening/Training
36 TCP Element #1: Commodity Jurisdiction & Classification
- Proper classification is essential. The consequences of classification under EAR and ITAR are very different.
- Most manufacturers can make their own jurisdictional determinations when using an ITAR lawyer/consultant.
- If you can't classify the item, draft and submit a Commodity Jurisdiction request.
37 TCP Element #2: Physical Security Plan
- Minimum one-lock principle, sometimes more
- Use NISPOM & NIST as a guide
- Map out both restricted and closed areas
- Use key controls
- Enforce visitor logs
- Provide escorts for visitors
38 TCP Element #3: Information Security Plan
- Allow folder, firewall and backup access to US persons only
- Enforce strict password policies
- Clean papers off desks, centralize storage, lock storage containers
- Provide security marking throughout
- Develop and publish data discard/destruction policy/procedures. Follow NISPOM/NIST.
- Enforce a secure e-mail policy
- Use secure web sites and SSL (Secure Sockets Layer)
- Use PGP to encrypt controlled files
39 TCP Element #4: Personnel Screening and Training
- Train all personnel with access to controlled items
- Screen for nationality and restricted party lists
- Require all to attend export training
- A formal security training should happen at least once yearly. Required attendees include: clerks working with sensitive data; managers with access to backend servers; engineers involved with sensitive data; cleaning staff with access to managers' offices; management
40 Policy Example: Physical Controls
Shred, incinerate, or pulp hardcopy materials so that sensitive data cannot be reconstructed. What does this mean?
- Do you have notes with sensitive data?
- Do you shred reports when no longer needed?
- Do I have to use a third party shredding company? No, self-certified shredding.
- What other physical media has sensitive data?
- Is your manager's office locked at all times?
- Are reports stored in a locked cabinet?
41 Data Marking/Classification
42 Data Marking & Classification
Step 1: Commodity Jurisdiction
- Sent to Department of State to determine which regulations to use
- Submit only when determination is difficult; use in-house & 3rd party consultants
Step 2: Classification
- Use the U.S. Munitions List to determine the classification (which regulations apply)
- Determine any further requirements and restrictions
Step 3: Register with the Directorate of Defense Trade Controls
43 Data Marking & Classification
Step 4: Determining Intent. How will the item be used?
- Sold
- Sent & returned (for repair)
- Used as a component to build another item
- Item used to aid in a service performed by a foreign person
Step 5: Review of Exemptions or Application for a License or Agreement
- Determine if an exemption is available
- If an exemption is not applicable, determine what type of license is needed
44 Data Encryption Techniques
45 What should be encrypted?
- All sensitive data
- Hidden data: old files, temp files, browser cache, deleted file remnants
- Encrypt all laptops, thumb drives and mobile devices
- Encrypt desktops with sensitive data
- Wireless communications
- Data transmitted over the Internet
- Any device at risk of theft, exposure or eavesdropping
46 Encryption Technology Requirements
- Ability to do Whole Disk and Full Disk encryption
- Pre-boot/Pre-OS encryption
- File/folder encryption
- Strong encryption (AES 256)
- Both Windows & Mac OS X support
- Strong centralized management (configuration, keys, data recovery)
- Easy to install/uninstall
- Ease of use with minimal performance impact
- USB device support
- Excellent manufacturer support
- Recoverable keys, even when on the road
- Ability to easily integrate into existing architecture
- Throttled background encryption processing
- Fault tolerance to abnormal shutdown
- Support for Suspend and Hibernation states
47 Local Data Protection Approaches
- File Encryption: laptops, desktops
- Full Disk Encryption: laptops, desktops
- Encryption of Removable Media: USB-enabled devices (flash drives, iPods, Bluetooth devices, thumb drives, hard disks), CD/DVD writers
- Password and PIN Controls: Blackberry, other PDA devices
- Standards and data classification guidelines; usage and protection; access control and encryption
48 Using Encryption to Protect Mobile Data
Full disk encryption:
- Encrypts all data on the drive
- Prevents access by unauthorized users
- Transparent to the user & applications
- Can eliminate breach disclosure requirements
Removable media encryption:
- Encrypts all data on easily lost devices
- Extends protection to data leaving the laptop
Best practice: central policy management
- Enforces consistent data protection
- Removes the user from the decision process
- Reports on state of protection for auditors
49 Complete EAR/ITAR Data Protection & Security
- The goal is to secure data, wherever it goes
- Comprehensive strategy based on multiple technologies
- Encryption & key management play critical roles in protecting data throughout the enterprise and beyond
50 Best Encryption Architecture: Client Software, Management Server, Enterprise Directory
Whole Disk Encryption (client software):
- Protect data without requiring user action
- Authenticate using Windows login
- Encrypt removable media automatically
- Augment security with two-factor authentication
- Easy, automatic operation
Central Management Server:
- Configure policy enforcement centrally
- Control enabled/visible client functionality
- Track and report on disk encryption usage
- Authorize help desk to access encrypted data
- Enforced security policies
Microsoft Active Directory (enterprise directory):
- Integrate with existing enterprise directory
- Automate enrollment using LDAP groups
- Assign encryption policy automatically
- Update encryption policy dynamically
- Accelerated deployment
51 Whole Disk Encryption Features
Comprehensive full disk encryption:
- Transparently defends all data on the system
- Extends protection to removable drives
- Requires no change to the user experience
Flexible strong authentication options:
- Single sign-on using Windows login
- Optional two-factor authentication
- Authenticated, assured corporate access
- Painless lost-passphrase recovery process
- Authenticated IT maintenance access
Server management tools:
- Enforces consistent application of policy
- Monitors deployment of encryption
- Locks down features available to the user
52 Encryption Technology Features
Rapid Deployment Process:
- Automate the installation process
- Streamline the configuration process
- Accelerate deployment schedule
- Defend more data in less time
Enhanced Status Reporting:
- Track failed login attempts
- Monitor removable media usage
- Audit deployment of disk encryption
- Report on policy compliance
Expanded Client Controls:
- Lock down which features are enabled
- Hide undesirable functionality from the user
- Eliminate potential help desk questions
- Enforce encryption usage policy
Increased Authentication Options:
- RSA SID800 support, plus many more
- TPM-based two-factor authentication
- Authenticated IT help desk access option
- Meet corporate authentication standards
53 Encrypting Network Shared Files
Network file encryption:
- Defends data at the source
- Prevents access by unauthorized users
- Transparent to the user & applications
- Eliminates breach disclosure requirements
Scalable, flexible, client-based protection:
- Scales without requiring hardware
- No changes to infrastructure
- Extends protection to backups
Best practice: central policy management
- Enforces consistent data protection
- Removes the user from the decision process
- Reports on state of protection for auditors
54 Encryption Technology
Email encryption:
- Transparent user interface
- Prevents data leakage
- Protects data in motion
Protecting all data, including attachments:
- Automatically & transparently encrypts all attachments
- Prevents access by unauthorized users
- Eliminates breach disclosure requirements
Best practice: central policy management
- Enforces consistent data protection
- Removes the user from the decision process
- Long-term access to data
- Reporting and logging for compliance
55 Encryption Implementation Concerns
- You might lock yourself out forever!
- Key management & distribution
- Password/passphrase protection
- Offline encryption/decryption
- Speed issues
- Export issues
- Lack of centralized key management and recovery processes
- Establishing clear data encryption and key management goals, criteria and policies
- Establish a communications plan for systematic and smooth deployment
56 ITAR Compliance & Logging Applications
57 EAR/ITAR Compliance Application Examples (Product: Cost. Comments)
- Code Green: $10,000 for 50 users. Scans for traffic. Somewhat difficult to deploy.
- EMC Documentum: $45,000 for 100 users. More for big firms. Expensive.
- Fidelis Security: $25,000. Focused on stopping traffic related to content use. Expensive.
- GTB Inspector: $50 per person. Focused on data leakage, not rights management.
- NextLabs Enterprise: $6,500, $250 for policy enforcers. Both DLP & DRM. Somewhat complicated to manage.
- Safenet HASP: $5,000. Not practical for outside users/management.
58 EAR/ITAR Rights Management
- Secures content with strong encryption
- Protection cannot be removed
- Controls and audits data access
- Users work normally using their existing applications
- Defines authorized uses through workflows, directory groups, and user
59 Where Rights Management Fits In (diagram)
Axes: Granularity of Controls (Access through Usage) against data state (Data at Rest, Data in Motion, Data in Use). Technologies placed on the diagram: Enterprise Content Management; Full Disk Encryption; Network Security Tools (Firewalls, VPNs, ACLs); Enterprise Rights Management; Encryption Products; Content Filtering and Monitoring; Secure Transport/Delivery (SSL).
60 How ERM Works (diagram)
Content sources: LOB App, ECM System, File server. ERM Server: (1) content encrypted and usage rights applied; connection required for offline renewal. Rights granted per recipient: (2) Read Only; (3) Read & Print; Read, Edit, Print, & Offline enabled with expiration. Content protected at rest or in transit; content protected in use.
61 ERM System Considerations
- User adoption is the most important factor
- Expect resistance if difficult to use
- Protection goals must be enforced automatically
- Users must be aware protection is in effect
- Users want to work normally
62 Securing Key IT Components
63 Physical Access Compliance
- Employee Photo ID Badges
- Temporary Badges
- Visitor Badges
- Control with Receptionist
- Visitor Register
- Locked doors
64 Portable Computer Device Considerations
- Restrict access as much as possible
- Limit sensitive data storage
- Force encryption
- Limit wireless communications to known good networks
- Automatic backup
- Train users about theft/confiscation issues
65 Policy Example: Passwords
Goal: Ensure proper user authentication and password management for users and administrators on all system components.
Required / Recommended:
- Reset after 90 days, minimum of 7 characters
- Must be complex (numeric and alphabetic)
- 4 password history
- Lock accounts after 6 invalid attempts, unlock in 30 minutes
- No written passwords or storing in office area
- No sharing passwords (including with an auditor if they ask)
- No use of dictionary words
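As an added example (not part of the deck or any NPI tool), the rules on this slide expressed as enforcement checks in Python: a password validator covering length, complexity, history and dictionary words, an expiry check for the 90-day reset, and an attempt counter that locks after 6 failures and unlocks after 30 minutes. The word list, account name and timestamps are constructed.

```python
"""Added example (not from the deck): enforcement checks for the password
policy on the slide. Times are plain epoch seconds; passwords are compared
as strings for clarity, where a real system would compare stored hashes."""

MIN_LENGTH = 7
HISTORY_DEPTH = 4                       # "4 password history"
MAX_AGE_SECONDS = 90 * 24 * 3600        # "reset after 90 days"
MAX_FAILED_ATTEMPTS = 6                 # "lock accounts after 6 invalid attempts"
LOCKOUT_SECONDS = 30 * 60               # "unlock in 30 minutes"

# Constructed stand-in for a real dictionary/word list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "summer", "vermont", "export"}


def password_violations(candidate, previous_passwords, dictionary=DICTIONARY_WORDS):
    """Return every policy rule the candidate breaks (empty list = accepted).

    previous_passwords is ordered most-recent-first; only the newest
    HISTORY_DEPTH entries count, matching the history rule on the slide.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if not (has_digit and has_alpha):
        problems.append("must contain both letters and digits")
    if candidate in previous_passwords[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    # "No dictionary words": strip digits/punctuation first, so a word with
    # a digit appended (e.g. 'Vermont1') is still caught.
    letters_only = "".join(c for c in candidate if c.isalpha()).lower()
    if letters_only in dictionary:
        problems.append("based on a dictionary word")
    return problems


def password_expired(last_changed, now):
    """True once the 90-day reset interval has elapsed (epoch seconds)."""
    return now - last_changed >= MAX_AGE_SECONDS


class LockoutTracker:
    """Per-account invalid-attempt counter implementing the slide's
    'lock after 6 invalid attempts, unlock in 30 minutes' rule."""

    def __init__(self):
        self._failures = {}    # account -> consecutive failure count
        self._locked_at = {}   # account -> time the lock was applied

    def is_locked(self, account, now):
        locked_at = self._locked_at.get(account)
        if locked_at is None:
            return False
        if now - locked_at >= LOCKOUT_SECONDS:
            # Automatic unlock after 30 minutes; the counter starts over.
            del self._locked_at[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register one failed login; returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_at[account] = now
            return True
        return False

    def record_success(self, account, now):
        """A successful login clears the counter; refused while locked."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True
```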
66 Discarding/Destruction of Data
67 Where Deleted Data May Reside
- Unallocated Space: space where files may be written by the operating system.
- File Slack: space between the end of the file and the end of the cluster.
- Volume Slack: space between the end of the partition and the end of the drive.
68 One Data Destruction Study
- Purchased 236 used hard drives on eBay
- Only 19% had been wiped/scrubbed so that data recovery was impossible
- Most drives had only been formatted, FDISKed, or nothing at all
- Seven had significant sensitive data
69 Not Just Hard Drives
- Cell phones
- PDAs
- Thumb drives
- Floppy disks
- CDs/DVDs
70 What Doesn't Work
- Deleting the file
- Formatting the drive
- FDISKing the drive
- Installing a new operating system
What DOES Work
- Certain wiping programs
- Hardware devices
- Physical destruction
71 DOD Sanitization Standards
- Department of Defense M, National Industrial Security Program Operating Manual (NISPOM)
- A 100 page document with 2 paragraphs on data sanitization
- Often cited as the standard for data sanitization
- Does NOT specify any particular method of sanitization
72 National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization
- NIST publication
- Designed to assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information
73 Sanitization Methods
- Disposal: discarding media without any other sanitization considerations.
- Clearing: overwriting every byte on the drive once with a neutral character. Must not allow information to be retrieved by data, disk, or file recovery utilities.
- Destroying: disintegration, incineration, pulverization, melting.
74 Option #1: Disposal
- Not recommended
- Highly likely data can be retrieved
- A breach of EAR/ITAR regulations
75 Option #2: Clearing (Overwriting)
Use either:
- Pseudorandom method
- US DoD M method: requires 35 writes of data to destroy
76 Option #3: Destruction
- Options: disintegration, incineration, pulverization, melting
- Internal or external
- Get certificate of destruction
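An added example (not from the deck) tying together the slides on where deleted data resides, what doesn't work, and clearing: a toy cluster-based volume in Python on which a file is deleted, the volume quick-formatted, and finally cleared by overwriting every byte once, with a marker search standing in for a recovery utility at each step. The cluster size, layout, file names and marker string are constructed assumptions.

```python
"""Added example (not from the deck): a toy cluster-based volume showing
where 'deleted' data survives (unallocated space, file slack) and why only
overwriting every byte (clearing) removes it. Cluster size, layout and the
marker string are constructed assumptions; real file systems differ in
detail but leave remnants in exactly these places."""

CLUSTER_SIZE = 512     # bytes per allocation unit (assumed)
CLUSTER_COUNT = 16     # toy volume of 8 KiB


class ToyVolume:
    def __init__(self, cluster_size=CLUSTER_SIZE, cluster_count=CLUSTER_COUNT):
        self.cluster_size = cluster_size
        self.disk = bytearray(cluster_size * cluster_count)   # fresh drive: all zero
        self.free = list(range(cluster_count))                # free cluster numbers
        self.directory = {}                                    # name -> (clusters, size)

    def write_file(self, name, data):
        """Allocate whole clusters and write the data. As on real file systems
        the unused tail of the last cluster is not cleared, so whatever was
        there before remains as file slack."""
        needed = -(-len(data) // self.cluster_size)           # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.disk[start:start + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def delete_file(self, name):
        """'Deleting the file' drops the directory entry and frees the clusters;
        not one data byte is touched (it is now unallocated space)."""
        clusters, _ = self.directory.pop(name)
        self.free = sorted(self.free + clusters)

    def quick_format(self):
        """'Formatting the drive' rebuilds the metadata only; the data area is
        untouched, so recovery utilities still find everything."""
        self.directory.clear()
        self.free = list(range(len(self.disk) // self.cluster_size))

    def file_slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        clusters, size = self.directory[name]
        used_in_last = size % self.cluster_size
        if used_in_last == 0:
            return b""
        last = clusters[-1] * self.cluster_size
        return bytes(self.disk[last + used_in_last:last + self.cluster_size])

    def carve(self, marker):
        """Stand-in for a file recovery utility: every offset at which the
        marker appears on the raw disk, allocated or not."""
        hits, pos = [], self.disk.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.disk.find(marker, pos + 1)
        return hits

    def clear(self, fill=b"\x00"):
        """Clearing as the sanitization slide defines it: overwrite every byte
        once with a neutral character, after which carve() recovers nothing."""
        self.disk[:] = fill * len(self.disk)
        self.quick_format()


def demonstrate():
    """Delete, format and clear in turn; returns what a recovery pass sees."""
    vol = ToyVolume()
    secret = b"ITAR-CONTROLLED drawing 17B"                   # constructed marker
    vol.write_file("spec.txt", (secret + b" ") * 40)           # 1120 bytes, 3 clusters
    vol.delete_file("spec.txt")
    after_delete = len(vol.carve(secret))                     # all 40 copies remain
    vol.write_file("memo.txt", b"unclassified memo")           # reuses cluster 0
    secret_in_slack = secret in vol.file_slack("memo.txt")    # old data behind new file
    vol.quick_format()
    after_format = len(vol.carve(secret))                     # 39: only the copy under the memo is gone
    vol.clear()
    after_clear = len(vol.carve(secret))
    return after_delete, secret_in_slack, after_format, after_clear


if __name__ == "__main__":
    print(demonstrate())    # (40, True, 39, 0)
```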
77 Additional Resources
78 5 Most Common First-time EAR/ITAR Mistakes
1. Classification: thinking products are dual use instead of ITAR
2. IT Access: poor controls on widely used technical data
3. Personnel/employee training: lack of fundamental knowledge
4. Personnel/defense services: lack of controls on people providing defense services
5. License/technical assistance agreements: not getting them signed, lack of understanding of provisos and of communicating with foreign licensees. Poor record keeping.
79 A Prioritized Approach to EAR/ITAR Compliance
1. Remove sensitive data: if you don't need it, don't store it
2. Protect the perimeter, internal & wireless networks
3. Secure the applications
4. Monitor & control access by limiting who is accessing the sensitive data
5. Protect stored data. If you must store it, apply controls
6. Focus on policies, process and procedures
80 Additional Tips for EAR/ITAR Improvement
- Encrypt all offsite media (backup tapes and USB devices)
- Examine applications for vulnerabilities
- Check logs for sensitive data and remove it
- Look for sensitive data in unencrypted files and databases
- Verify strength of identity management and authentication
- Segment data by using network addresses or VLANs
- Check monitoring and intrusion detection system (IDS)
- Check that PC drives don't store sensitive data on them
- Keep your PCs current with the latest patches and updates
- Make sure your PCs are configured securely
- Choose strong passwords and keep them safe
- Check paper reports to remove data that is no longer needed
- Use certificates between web, application and DB servers
- Document the flow of sensitive data
81 Contact Information: TeamITAR, John Burton. Q & A
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationSecurity Overview Enterprise-Class Secure Mobile File Sharing
Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationHIPAA and Cloud IT: What You Need to Know
HIPAA and Cloud IT: What You Need to Know A Guide for Healthcare Providers and Their Business Associates GDS WHITE PAPER HIPAA and Cloud IT: What You Need to Know As a health care provider or business
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationHow to Secure Your Environment
End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge
More informationBelmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.
Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationCounty Identity Theft Prevention Program
INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such
More informationIntroduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI
Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved
More informationDatabase Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG
Database Security Guideline Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Table of Contents Chapter 1 Introduction... 4 1.1 Objective... 4 1.2 Prerequisites of this Guideline...
More informationHow To Secure An Rsa Authentication Agent
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
More informationEffective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:
Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of
More informationPage 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
More informationNetwork and Workstation Acceptable Use Policy
CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of
More informationITAR Compliance Best Practices Guide
ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationWhite Paper. BD Assurity Linc Software Security. Overview
Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about
More informationExport Control Compliance Procedure Guide June 8, 2012
Export Control Compliance Procedure Guide June 8, 2012 1 TABLE OF CONTENTS Contents TABLE OF CONTENTS... 1 SUMMARY... 2 INTRODUCTION... 3 SCHOOL POLICY... 4 EXCLUSIONS... 4 WHAT IS AN EXPORT?... 4 CONDUCTING
More informationUniversity of Louisiana System
Policy Number: M-(16) University of Louisiana System Title: EXPORT CONTROL Effective Date: October 26, 2009 Cancellation: None Chapter: Miscellaneous Policy and Procedures Memorandum The University of
More informationBitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation
BitLocker Drive Encryption Hardware Enhanced Data Protection Shon Eizenhoefer, Program Manager Microsoft Corporation Agenda Security Background BitLocker Drive Encryption TPM Overview Building a BitLocker
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationEnsuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services
Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationData Access Request Service
Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationData Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.
Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History
More informationTop Five Ways to Protect Your Network. A MainNerve Whitepaper
A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State
More informationSmall Business IT Risk Assessment
Small Business IT Risk Assessment Company name: Completed by: Date: Where Do I Begin? A risk assessment is an important step in protecting your customers, employees, and your business, and well as complying
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationThe Ministry of Information & Communication Technology MICT
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
More informationMONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
More informationHealthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service
Services > Overview MaaS360 Ensure Technical Safeguards for EPHI are Working Monitor firewalls, anti-virus packages, data encryption solutions, VPN clients and other security applications to ensure that
More informationHow To Protect The Time System From Being Hacked
WISCONSIN TIME SYSTEM Training Materials TIME SYSTEM SECURITY AWARENESS HANDOUT Revised 11/21/13 2014 Security Awareness Handout All System Security The TIME/NCIC Systems are criminal justice computer
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationRisk Assessment Guide
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationnwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationRSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief
RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The
More informationSecond Annual Impact of Export Controls on Higher Education & Scientific Institutions
The following presentation was presented at the Second Annual Impact of Export Controls on Higher Education & Scientific Institutions Hosted by Georgia Institute of Technology In cooperation with Association
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationHIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationMOBILE DEVICE SECURITY POLICY
State of Illinois Department of Central Management Services MOBILE DEVICE SECURITY Effective: October 01, 2009 State of Illinois Department of Central Management Services Bureau of Communication and Computer
More informationEnsuring Security and Compliance of Your EMC Documentum Enterprise Content Management System: A Collaborative Effort of EMC Documentum and RSA
Ensuring Security and Compliance of Your EMC Documentum Enterprise Content Management System: A Collaborative Effort of EMC Documentum and RSA Applied Technology Abstract This white paper discusses the
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationenicq 5 System Administrator s Guide
Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide
More informationEXPORT CONTROLS COMPLIANCE
Responsible University Official: Vice President for Research Responsible Office: Office for Export Controls Compliance Origination Date: May 1, 2014 EXPORT CONTROLS COMPLIANCE Policy Statement Northwestern
More informationHIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
More informationSection 5 Identify Theft Red Flags and Address Discrepancy Procedures Index
Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...
More informationImplementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
More informationExcerpt of Cyber Security Policy/Standard S05-001. Information Security Standards
Excerpt of Cyber Security Policy/Standard S05-001 Information Security Standards Issue Date: April 4, 2005 Publication Date: April 4, 2005 Revision Date: March 30, 2007 William F. Pelgrin Director New
More informationSplunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More information