Supplier Information Security Addendum for GE Restricted Data

Size: px
Start display at page:

Download "Supplier Information Security Addendum for GE Restricted Data"

Transcription

1 Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing, transmitting, and/or storing GE Restricted Data. Part A: Definitions Part A applies to all Suppliers. GE Restricted Data means any data that GE identifies as being restricted data in a statement of work, attachment, schedule, or other similar document under this Agreement. Incident means any actual or suspected compromise of GE Restricted Data. Mobile Devices means tablets and smartphones running mobile operating systems (e.g. ios, Blackberry OS, Android, or Windows Mobile operating systems). Laptops and voice-only devices with no smartphone functionality are not considered to be Mobile Devices. Information Systems mean Supplier s operating systems, infrastructure, applications, and software used with respect to GE Restricted Data. Highly Privileged Account or HPA means accounts with system level administrative or super-user access to devices, applications or databases, administration of accounts and passwords on a system, or ability to override system or application controls. Supplier Personnel means those Supplier employees, contractors, sub-contractors and agents provided access to the GE Restricted Data. Workstations mean any desktop computer, laptop computer, or mobile device used with respect to GE Restricted Data. Part B: Core Information Security Requirements Part B applies to Suppliers that access, process, transmit, and/or store GE Restricted Data. B.1 Supplier must maintain formal written policies and procedures for the administration of information security throughout its organization. B.2 Supplier must have an IT security organizational function with clearly defined information protection roles, responsibilities and accountability. B.3 Prior to providing access to any GE Restricted Data to any of its own suppliers that were not prequalified by or otherwise disclosed to GE at the time of engagement, Supplier must obtain GE s advanced written approval and perform information security due diligence on the supplier. Supplier shall require its suppliers to comply with the same level of security required herein this Addendum, and Supplier shall take reasonable steps to ensure continuing compliance by its suppliers. Page 1 of 7

2 B.4 Supplier must maintain an inventory of Supplier Information Systems (including owner and location). B.5 Supplier Personnel with access to GE Restricted Data or systems from which GE Restricted Data is accessible must, prior to obtaining access to GE Restricted Data, participate (or have participated) in information security awareness training provided by the Supplier and, thereafter, on a periodic basis (no less frequently than annually). B.6 No later than the date of separation, Supplier shall terminate any separating Supplier Personnel s access, whether physical or logical, that may provide access to GE Restricted Data. For its separating Supplier Personnel with a GE single sign-on (SSO) ID, Supplier must notify GE no later than the date of separation. B.7 Supplier must maintain up-to-date information security Incident plan and processes consistent with the guidance provided in the current version of SANS Incident Response and Management as it may be updated from time to time by SANS. B.8 In the event of an Incident: Supplier must notify GE without unreasonable delay (expectation is within two hours of discovery and mutually agreed upon updates) of any Incident. Supplier must perform a forensic investigation to determine if there was any unauthorized access to GE Restricted Data, and implement a remediation plan to prevent a similar event in the future. In the event that Supplier does not have the internal capabilities or does not designate a third party to perform such a forensic investigation on its behalf, Supplier shall notify GE in writing and Supplier must provide access to data or equipment required for GE to perform forensic analysis to ascertain potential or actual data loss or compromise. Supplier will promptly provide GE the results of any forensic investigations conducted by Supplier or its designee pursuant to the Agreement, including detailed Incident log, root cause analysis, and remediation plan. Supplier must take reasonable actions, at its own (or its relevant supplier s) expense, to mitigate and reduce the impact of the Incident. Supplier may not make or permit any statements concerning any such Incident to any thirdparty without the explicit written authorization of GE. Part C: Additional Information Security Requirements Part C applies to Suppliers that electronically store GE Restricted Data and/or have direct and persistent connectivity (excluding individual, user-based VPN access) to the GE internal network with access to GE Restricted Data. Information Systems audit C.1 Supplier will monitor the effectiveness of its security program by conducting self audits and risk assessments against Supplier Information Systems at minimum every 12 months. Page 2 of 7

3 C.2 Supplier must perform vulnerability assessments on Supplier Information Systems at least annually. For Supplier Information Systems that are internet facing, Supplier must engage an independent external party to perform the vulnerability assessment. C.3 Upon request, Supplier must provide to GE formal reports for any audits and assessments conducted on Supplier Information Systems, which shall include at a minimum the scope of the audit and/or assessment and any vulnerabilities/issues/findings/concerns/recommendations. Such formal reports provided by Supplier to GE shall be considered Confidential Information under the Agreement. C.4 Supplier must use its best efforts to remediate any items rated as high or critical (or similar rating indicating commensurately similar risk) in any audits or assessments of Supplier Information Systems within 30 days. If such items are not remediated within 30 days, Supplier must notify GE. Communications and Operations Management C.5 Supplier must implement and maintain controls to prevent and detect unauthorized access, intrusions, computer viruses and other malware on its Information Systems. At a minimum these must include: Client and server-side antivirus programs that includes the latest antivirus definitions; A process that would install for production, within 30 days, any critical patches or security updates; and Hardening and configuration requirements meeting industry best practices, such as SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). C.6 Cryptographic and hashing algorithm types, strength, and key management processes consistent with industry practices as defined by NIST. C.7 Security-relevant events on Suppliers Information Systems must be logged, reviewed on a periodic basis (minimum quarterly), secured, and maintained for a minimum of 12 months. Access Control C.8 Supplier Personnel are to be given no more privilege than is required for Supplier Personnel to perform their respective duties in support of the obligations set forth in the applicable Agreement with Supplier and are given access to GE Restricted Data only for as long as such access is required for the performance of Supplier Personnel s duties hereunder. C.9 Supplier must ensure each account is attributable to a single individual. C.10 In addition to Supplier assigning a unique ID, all Supplier Personnel must be required to authenticate their identity (e.g. password) prior to accessing GE Restricted Data. C.11 Supplier must implement processes to support the secure creation, modification and deletion of accounts and HPAs. Supplier must review and update access rights at least annually (at minimum quarterly for HPAs). Page 3 of 7

4 C.12 All HPA access must be encrypted during transmission and HPA usage must be reviewed at minimum weekly. C.13 Supplier Information Systems must enforce the following password requirements: Temporary passwords must be given to Supplier Personnel in a secure manner, with expiration on first use. Passwords must be encrypted or hashed when transmitting over networks and in storage. User account credentials (e.g. password) must not be shared. Strong password practices must be enforced that include minimum password length (at least 8 characters), lockout (maximum 6 incorrect attempts), set expiration period (maximum age of 90 days unless an exception has otherwise approved by GE in writing), and complexity consistent with industry practices. Default passwords are prohibited. C.14 Workstations must not be left authenticated when unattended and must be password or PIN protected when not in use. C.15 Mobile Devices used to access GE Restricted Data (including s) must have strong mobile device security controls enforced that include required passcode, minimum passcode length (at least 4 digits), inactivity lock after maximum 30 minutes of inactivity, device wipe capabilities, and encryption. The Supplier must have a process in place to immediately wipe the device when notified that a Mobile Device is lost. C.16 Supplier Personnel must not store GE Restricted Data on personally-owned Workstations. C.17 In shared environments, Supplier must implement physical and/or logical access controls to prevent unauthorized access to GE Restricted Data. Change Management C.18 Supplier must maintain documented change management procedures that provide a consistent approach for controlling and identifying changes (including emergency changes) for Supplier Information Systems which includes segregation of duties. C.19 Development and testing environments for Supplier Information Systems must be physically or logically separated from production environments and must not contain GE Restricted Data. Production changes must be approved by the appropriate system owner and such changes must not be made by any Supplier developers. Network Access Control C.20 Supplier networks used to access or store GE Restricted Data must have security controls that can detect and prevent attacks by making use of network layer firewalls and intrusion detection/prevention Systems (IDS/IPS) in a risk based manner (e.g. between the Internet and DMZ, and between DMZ and internal servers containing GE Restricted Data). IDS/IPS high and critical priority alerts (or similar alerts Page 4 of 7

5 indicating commensurately similar risk) must be continuously monitored and responded to as soon as reasonably practicable. C.21 Any Supplier Personnel accessing Supplier s internal network remotely must be authenticated using a minimum two-factor authentication method and such transmissions must be encrypted. C.22 Network layer security devices must allow only authorized connections and rulesets must be reviewed at minimum semi-annually. C.23 If Supplier has a trusted connection as identified by GE, then Supplier must use only GE managed network devices to connect to the trusted connection and the network architecture must be approved by the GE Network team. Part D: Data Security Requirements Part D applies to Suppliers that electronically store GE Restricted Data on Supplier Information Systems. D.1 while backup tapes containing GE Restricted Data are kept onsite, they must be kept in a secure location (e.g. locked office or locked file cabinet). If off-site tape storage is used, then Supplier must have a tape check-in/check-out process with locked storage for transportation. Back-up information must be given an appropriate level of physical and environmental protection consistent with the level of control applied at the main site. D.2 GE Restricted Data must not be stored on removable media (e.g. thumb drives or external hard drives) other than physically secured retention media expressly used for the purpose of backup or data retention for business continuity planning/disaster recovery purposes which must be encrypted. D.3 Supplier must use an auditable process (e.g. certification of destruction) to remove GE Restricted Data from Supplier Information Systems prior to disposal or re-use in a manner that ensures that the information may not be accessed or readable. D.4 GE Restricted Data must be encrypted when transferred (including s) over public networks (such as the Internet). D.5 At a minimum, GE Restricted Data must be stored in a directory or folder with controlled access, (e.g., password protection). Where technically feasible, GE Restricted Data must be stored in encrypted form (except where encryption in storage is mandatory in such cases of removable media and Mobile Devices as set forth in D.2 and D.8). D.6 Supplier must gain approval from GE prior to moving GE Restricted Data from its GE approved physical location or jurisdiction to a different physical location or jurisdiction. D.7 Supplier must identify and implement risk based data loss prevention controls (e.g. disabling of USB ports, DLP software, URL/Web filtering) to protect GE Restricted Data. Page 5 of 7

6 D.8 Mobile Device storage drives and laptop hard drives used to store or access GE Restricted Data must be encrypted. Part E: Basic Physical Security Part E applies to Supplier facilities (including its suppliers) that physically or electronically store GE Restricted Data and/or have direct and persistent connectivity (excluding individual, user-based VPN access) to the GE internal network with access to GE Restricted Data. E.1 Supplier facilities must have physically secure perimeters, and external entry points must be suitably protected against unauthorized access. Access to all locations must be limited to Supplier Personnel and authorized visitors. Reception areas must be either manned or have other means to control physical access. E.2 Access to areas where GE Restricted Data is stored or can be accessed must be restricted to authorized Supplier Personnel. Such areas must restrict access using reasonable access controls and authentication mechanisms. Access must be monitored, recorded and controlled with physical access rights reviewed at minimum annually. Logs detailing access must be stored for a period of one year to the extent permitted by local law. If not staffed 24x7, alarms and entry point security cameras must be installed for off-hours access monitoring with recordings retained for at least 30 days. E.3 All Supplier Personnel and authorized visitors must be issued identification cards. Identification cards must be visibly displayed at all times while on the premises. Visitor identification cards must be easily distinguishable from Supplier Personnel identification cards and must be retrieved and inventoried daily. E.4 Visitors must be required to sign a visitors register (maintained for at least one year) and be escorted or observed at all times, upon each entry to and exit from the premises. E.5 A clear desk policy must be enforced throughout the Supplier facilities. Documents that contain GE Restricted Data must be kept secured (e.g. locked office or file cabinet) when not in use. E.6 All servers and/or network equipment used to store or access GE Restricted Data must be kept in a secure room with the following controls; Additional access control mechanisms are required on entry doors in order to further restrict access to only authorized Supplier Personnel. Rooms must be located on the interior of the building with no windows unless safeguards are in place to prevent shattering. Telecommunications equipment, cabling and relays receiving data or supporting services must be protected from interception or damage. Part F: System Availability Part F applies to any Supplier as identified by GE, if its Information Systems were to have an outage, such outage would likely significantly adversely impact GE or overall GE operations, financial position, regulatory compliance, and/or reputation. Page 6 of 7

7 F.1 Suppliers must maintain a disaster recovery (DR) program for all Supplier Information Systems locations used to provide services to GE. The program must be designed to ensure that Supplier Information Systems can continue to function through an operational interruption and that Supplier can continue to provide services as specified in the applicable Agreement. At a minimum, the DR program should include the following elements: Supplier s operational procedures must verify the successful completion of backups and the backup media must be tested regularly (at minimum quarterly) to ensure that it will operate in the event of an emergency. Maintain inventories that list all critical Supplier Information Systems. The inventories must be updated at minimum annually. DR plans must be developed for all Supplier Information Systems and facilities that are used to provide services to GE and reviewed/approved at minimum annually. Supplier must conduct full scale DR tests annually against DR plans (unless otherwise agreed with GE) for Supplier Information Systems that Supplier reasonably believes are critical for providing services to GE to ensure that such Supplier Information Systems can be recovered in a matter that meets the applicable contractual service level agreements. A summary of DR results sufficient for GE to exercise its oversight responsibilities must be documented and provided to GE upon request. F.2 For rooms containing servers and/or network equipment used to provide services to GE, controls must be implemented to mitigate the risk of power failures (e.g. surge protectors, uninterruptible power supplies (UPS), and generators), and environmental conditions (e.g. temperature and humidity). Part G: Software Development Part G applies to Suppliers that either perform code development services for GE, or host Information Systems that store, process, or transmit GE Restricted Data. G.1 Supplier must have a documented software development lifecycle process which includes requirements gathering, system design, integration testing, user acceptance testing, and system acceptance. G.2 Supplier must provide all developers application security training and information regarding vulnerabilities discovered along with prevention and remediation measures for those vulnerabilities. G.3 Information security checkpoints following industry best practice, such as The Open Web Application Security Project (OWASP), must be incorporated into the software development lifecycle including but not limited to risk assessments, documented security requirements, secure coding guidelines and checklists, source code review, and security testing prior to moving to production. All confirmed high/critical vulnerabilities found during testing must be remediated and retested prior to moving to production. Page 7 of 7

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Georgia Institute of Technology Data Protection Safeguards Version: 2.0 Data Protection Safeguards Page 1 Georgia Institute of Technology Data Protection Safeguards Version: 2.0 Purpose: The purpose of the Data Protection Safeguards is to provide guidelines for the appropriate

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: April 28, 2016 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL REQUIREMENTS... 3 4. ACCESS REQUIREMENTS... 3 5. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION...

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire SAMPLE CREDIT UNION INFORMATION SECURITY DUE DILIGENCE QUESTIONNAIRE FOR POTENTIAL VENDORS Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire 1. Physical security o Where is

More information

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

Physical Protection Policy Sample (Required Written Policy)

Physical Protection Policy Sample (Required Written Policy) Physical Protection Policy Sample (Required Written Policy) 1.0 Purpose: The purpose of this policy is to provide guidance for agency personnel, support personnel, and private contractors/vendors for the

More information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution. Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR

More information

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Exhibit to Data Center Services Service Component Provider Master Services Agreement Exhibit to Data Center Services Service Component Provider Master Services Agreement DIR Contract No. DIR-DCS-SCP-MSA-002 Between The State of Texas, acting by and through the Texas Department of Information

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Date: Completed By: Name: Department: Position: Phone: Email Address: Section 1: Security Education and Awareness

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

HIPAA Privacy and Security Risk Assessment and Action Planning

HIPAA Privacy and Security Risk Assessment and Action Planning HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Third Party Security Compliance Standard for BBC Suppliers

Third Party Security Compliance Standard for BBC Suppliers Third Party Security Compliance Standard for BBC Suppliers BBC Third Party Security Requirements Standard Author Christina Coutts Department ISGC (Policy, Compliance and Risk) Version History Version Date

More information