Information Security Risk Assessment Guidelines for Systems
- Derek Weaver
- 7 years ago
Introduction and Overview

Information security risk management is a foundation of our information security program. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems and facilities. Information security risk assessments are required for systems by the University of Maine System Information Security Policy and Standards, Section 3.1. A risk assessment of the facility in which a system is located is required by Section ___. Separate guidelines are provided for performing risk assessments of facilities.

The risk assessment will help each university determine the acceptable level of risk and the resulting security requirements for the system and its corresponding facility. The university must then devise, implement and monitor a set of security measures to address the level of identified risk. These guidelines should be tailored to the system being assessed.

For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made or in response to a security incident or audit.

This risk assessment process is based on standard risk assessment practices such as those identified in NIST SP ___. While NIST identifies a nine-step risk activity process, this guide combines steps and is presented in five phases:

1. System Documentation Phase
2. Security Level Determination Phase
3. Self Assessment Phase
4. Risk Determination Phase
5. Safeguard Determination Phase

Completion of the risk assessment will result in a report that will be used to determine the appropriate management action. The risk assessment report will include:

- A summary of the system architecture and components, and its overall level of security. This summary will also identify the scope or system boundary for the purposes of the report, as well as the status of risk assessment for interconnected/cross-dependent systems.
- A self-assessment of the system against the Policy and Standards.
- A list of threats and vulnerabilities, with severity of impact and likelihood of occurrence, the system's current security controls, and its risk levels.
- The recommended safeguards, and a description of the expected level of risk that would remain if these safeguards were put in place.
- The level of residual risk that would remain after the recommended changes are implemented.

The Appendix provides a template for the documentation of the Risk Assessment report.

UMS Security Risk Assessment Guidelines v1.0 Page 1

1. System Documentation Phase

The System Documentation Phase provides a description of the system and the data it handles, as computing assets used to fulfill the organization's business mission. The information owner, in conjunction with Campus or System IT, provides the system identification, including the system description, business function and assets. This phase also sets the boundaries for the set of components that constitute the information system. An information system is a group of computing and supporting components that share a business function, under common ownership and management.

System Identification

List the system name, other related information, and the responsible organization. Complete the System Identification table in the Appendix.

System Purpose and Description

To identify the assets covered by the risk assessment, provide a brief description of the function and purpose of the system and the organizational business processes it supports, including functions and processing of data. Complete the System Purpose and Description table in the Appendix and attach a network diagram defining the system boundaries.

Technical Description and Environmental Factors

- General description of the function and purpose of the system
- General functional requirements
- Business processes supported
- Applications supported, services running
- Technical and business users, list of system user accounts
- System ownership: shared or dedicated
- Description of physical components (include asset and tag numbers)
- Environmental factors that give rise to security concerns
- General information flow
- Network diagram with system boundaries
- Interrelated systems with cross dependencies or interconnections (include feeder systems)

System Connections and Information Sharing

- Connected components
- LAN and WAN connections and topology, firewall configurations
- Software dependencies
- Interfaces

2. Security Level Determination Phase

The Security Level Determination Phase ranks the level of security based on set criteria. The information owner, in conjunction with Campus or System IT, must determine the appropriate security levels based on the organization's confidentiality, integrity and availability requirements for the information, as well as its criticality to the organization's business mission. This is the basis for assessing the risks to business operations and assets and for selecting appropriate security controls and techniques.

Security Level

For this step, the team will document the criticality and sensitivity of the information handled by the system, then classify the resulting level of security requirements for the system itself. Complete the Information Security Levels and Overall System Security Level table in the Appendix. Below are information security levels that establish common criteria for security by information category. The first table defines the criticality levels; the second table defines sensitivity levels. Where information of varying security levels is combined in one system, the highest security level takes precedence.

Information Security Levels by Criticality

| Criticality | Explanation | Criticality Level |
|---|---|---|
| Catastrophic | Complete loss of mission capability for an extended period; or would result in the loss of major assets or resources and could pose a threat to human life. Severe impairment to a university's missions, functions, image, and reputation. | High |
| Very serious | The impact would place a university at a significant disadvantage; or would result in major damage, requiring extensive repairs to assets or resources. Noticeable impact on a university's missions, functions, or reputation. | Medium |
| Moderately serious | A breach of this security level would result in a negative outcome; or would result in damage, requiring repairs, to an asset or resource. | Low |

Information Security Levels by Information Classification

| Information Classification | Explanation and Examples | Sensitivity Level |
|---|---|---|
| Compliant Data | Information which has specified requirements for the control of confidentiality, availability, or integrity of the data due to statute or contract or other law or agreement. Compliant data is information which requires special protection because its misuse could harm members of the UMS community or compromise the mission of the System and/or any one of the Universities. Compliant data includes, but is not limited to, personally identifiable information, confidential research information, and information that requires protection under law or agreement such as the Maine Data Act, FERPA (the Family Educational Rights and Privacy Act), GLBA (the Gramm-Leach-Bliley Act), HIPAA (the Health Insurance Portability and Accountability Act), the FTC Red Flag Rule, the PCI (Payment Card Industry) data security standards, and data placed on legal hold in accordance with e-discovery. Examples of Compliant Data include: financial records, health records, student educational records, and any information which could permit a person to attempt to harm or assume the identity of an individual. | High |
| Business Sensitive Data | Information that is not the subject of statutory or contractual controls, but where the compromise of the confidentiality, integrity, or availability of the information would result in damage or loss to UMS. | Medium |
| Unclassified Data | Information that does not fall into either of the above categories. This includes any information that is declared for public consumption by official authorities. | Low |

3. Self Assessment Phase

The goal of the Self Assessment Phase is to measure compliance with the Policy and Standards specific to the system. Use the Self Assessment Checklist in the Appendix to document what measures are being taken. If contractors access or host the system, also complete the part of the checklist that pertains to contractors/third parties.

4. Risk Determination Phase

The goal of the Risk Determination Phase is to calculate the level of risk for each threat/vulnerability pair, based on the likelihood of a threat exploiting a vulnerability and the severity of impact that the exploited vulnerability would have on the system, its data and its business function. Consider the impact in terms of loss of confidentiality, integrity or availability of the data classified in the Security Level Determination Phase (Phase 2). Information will be collected in the form of questionnaires, interviews, documentation review, and automated scanning tools.

The Risk Determination Phase consists of six steps:

1. Review the most recent vulnerability scan and efforts to remedy deficiencies.
2. Identify threats and vulnerabilities.
3. Identify existing controls to reduce the risk of the threat exploiting the vulnerability.
4. Determine the likelihood of occurrence for a threat exploiting a related vulnerability, given the existing controls.
5. Determine the severity of impact on the system by an exploited vulnerability.
6. Determine the risk level for a threat/vulnerability pair, given the existing controls.

This six-step process is conducted for each identified threat/vulnerability pair. Use the Risk Determination Table in the Appendix to document the analysis performed in this phase.

Review the Most Recent Vulnerability Scan

Review the vulnerability scan and the associated remaining deficiencies when completing the next step regarding vulnerabilities.

Identify Threats and Vulnerabilities

Identify potential dangers to the information and system (threats) and the system weaknesses that could be exploited (vulnerabilities); generate the threat/vulnerability pairs and describe the risks associated with each pair. Common threat/vulnerability pairs are included in the Risk Determination Table. If any of these pairs are not applicable, N/A can be marked on the table. Other threats/vulnerabilities should also be considered. Using the output of the System Purpose and Description task, consider the system's connections, dependencies with other systems, inherited risks and controls, risks from software faults, staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, risks from maintenance procedures, and personnel changes.

Identify Existing Controls

Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls, depending on the threat/vulnerability and the risk to the system.

Determine Likelihood of Occurrence

Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls. Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

| Likelihood | Description |
|---|---|
| Negligible | Unlikely ever to occur |
| Very Low | Likely to occur two or three times every five years |
| Low | Likely to occur once every year or less |
| Medium | Likely to occur once every six months or less |
| High | Likely to occur once per month or less |
| Very High | Likely to occur multiple times per month |
| Extreme | Likely to occur multiple times per day |

Determine Severity of Impact

Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat/vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability), based on the system's information security level as explained in the Appendix.

Impact Severity Levels

| Severity | Description |
|---|---|
| Insignificant | Little or no impact |
| Minor | Minimal effort to repair, restore or reconfigure |
| Significant | Small but tangible harm, possibly noticeable by a limited audience; some embarrassment; some effort to repair |
| Damaging | Damage to reputation, loss of confidence, significant effort to repair |
| Serious | Considerable system outage, loss of connected customers and business confidence, compromise of a large amount of information |
| Critical | Extended outage, permanent loss of a resource, triggering business continuity procedures, complete compromise of information |

Determine Risk Levels

Risk level is the likelihood of occurrence multiplied by the severity of impact. The final value is subject to the information owner's and system technical owner's discretion.

Risk determination: for each threat/vulnerability pair, assess the following:

- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat/vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk. Note: the project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and must document that decision in the Report;
- Resulting risk to the information on the system from the threat and vulnerability.

This table shows the resulting risk level for each degree of likelihood (rows) and each level of impact severity (columns).

Risk Levels

| Likelihood of Occurrence | Insignificant | Minor | Significant | Damaging | Serious | Critical |
|---|---|---|---|---|---|---|
| Negligible | Low | Low | Low | Low | Low | Low |
| Very Low | Low | Low | Low | Low | Moderate | Moderate |
| Low | Low | Low | Moderate | Moderate | High | High |
| Medium | Low | Low | Moderate | High | High | High |
| High | Low | Moderate | High | High | High | High |
| Very High | Low | Moderate | High | High | High | High |
| Extreme | Low | Moderate | High | High | High | High |

5. Safeguard Determination Phase

The Safeguard Determination Phase involves identification of additional controls, safeguards or corrective actions to minimize the threat exposure and vulnerability to exploitation for each threat/vulnerability pair with a moderate or high risk level. The residual risk level is the amount of risk that would remain if the recommended control or safeguard were implemented.

Safeguard determination steps:

1. Identify controls and safeguards to reduce the risk level of each risk-threat pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.

Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.

Recommend Controls and Safeguards

Identify controls and safeguards to reduce the risk presented by each threat/vulnerability pair with a moderate or high risk level, as identified in the Risk Determination Phase. When identifying a control or safeguard, consider:

1. The security area where it belongs, such as management, operational or technical.
2. The method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. The policy and architectural parameters required for its implementation in the environment.
5. The information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat/vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project. If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis. Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Determine Residual Likelihood of Occurrence

Follow the directions in the Likelihood of Occurrence step of the Risk Determination Phase, while assuming the selected safeguard has been implemented.

Determine Residual Severity of Impact

Follow the directions in the Severity of Impact step of the Risk Determination Phase, while assuming the selected safeguard has been implemented.

Determine Residual Risk Levels

Determine the residual risk level for the threat/vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in the categories of confidentiality, integrity and availability. Follow the directions in the Risk Levels step of the Risk Determination Phase to determine the residual risk level once the recommended safeguard is implemented. Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to Low. If such special conditions exist, make a note of the situation with a description below the table, if needed.
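The Risk Determination and Safeguard Determination phases above are a table lookup applied once per threat/vulnerability pair and then repeated with the residual estimates. The following Python script is an added example, not part of the UMS guideline or its Appendix templates: it encodes the guideline's likelihood and severity scales, the Risk Levels matrix and the "highest level takes precedence" rule from Phase 2, adds two consistency checks an assessor would want (a Moderate/High pair is flagged as needing a safeguard, and a residual estimate may never be higher than the pre-safeguard estimate), and runs over three constructed sample pairs built from the threat and vulnerability examples the text itself names. The ThreatVulnPair record, the check functions and the sample data are assumptions of this example.

```python
"""Risk level and residual risk computation for threat/vulnerability pairs.

Added example, not part of the UMS guideline. The level names and the Risk
Levels matrix are transcribed from the guideline's tables; the record type,
the validation checks and the sample pairs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordered scales, lowest to highest, as defined in the guideline's tables.
LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
SEVERITY = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
SECURITY_LEVELS = ["Low", "Medium", "High"]  # Phase 2 criticality / sensitivity levels

# Risk Levels table: RISK_MATRIX[likelihood] gives the risk for each SEVERITY column.
RISK_MATRIX = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very Low":   ["Low", "Low", "Low", "Low", "Moderate", "Moderate"],
    "Low":        ["Low", "Low", "Moderate", "Moderate", "High", "High"],
    "Medium":     ["Low", "Low", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very High":  ["Low", "Moderate", "High", "High", "High", "High"],
    "Extreme":    ["Low", "Moderate", "High", "High", "High", "High"],
}


def risk_level(likelihood: str, severity: str) -> str:
    """Look up the risk level for one likelihood/severity combination."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity level: {severity!r}")
    return RISK_MATRIX[likelihood][SEVERITY.index(severity)]


def overall_security_level(levels: List[str]) -> str:
    """Phase 2 rule: when data of varying levels share one system, the highest wins."""
    for level in levels:
        if level not in SECURITY_LEVELS:
            raise ValueError(f"unknown security level: {level!r}")
    return max(levels, key=SECURITY_LEVELS.index)


@dataclass
class ThreatVulnPair:
    """One row of the Risk Determination Table plus the Phase 5 safeguard columns."""
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: str
    severity: str
    safeguard: Optional[str] = None             # required when risk is Moderate or High
    residual_likelihood: Optional[str] = None   # re-estimated with the safeguard in place
    residual_severity: Optional[str] = None


def validate_residual(pair: ThreatVulnPair) -> None:
    """A safeguard can hold or lower the residual estimates, never raise them."""
    if pair.safeguard is None:
        return
    if pair.residual_likelihood is None or pair.residual_severity is None:
        raise ValueError(f"{pair.threat}: safeguard given without residual estimates")
    if (LIKELIHOOD.index(pair.residual_likelihood) > LIKELIHOOD.index(pair.likelihood)
            or SEVERITY.index(pair.residual_severity) > SEVERITY.index(pair.severity)):
        raise ValueError(f"{pair.threat}: residual estimate exceeds the original estimate")


def assess(pairs: List[ThreatVulnPair]) -> List[dict]:
    """Compute risk and residual risk per pair and flag pairs that need a safeguard."""
    rows = []
    for p in pairs:
        validate_residual(p)
        risk = risk_level(p.likelihood, p.severity)
        residual = None
        if p.safeguard is not None:
            residual = risk_level(p.residual_likelihood, p.residual_severity)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability, "risk": risk,
                     "safeguard_required": risk in ("Moderate", "High"),
                     "residual_risk": residual})
    return rows


# Constructed sample pairs, drawn from the threat/vulnerability examples the guideline names.
SAMPLE_PAIRS = [
    ThreatVulnPair("Malicious intent via the Internet", "Incorrect file permissions on the data share",
                   "Host firewall limits inbound ports", "Medium", "Damaging",
                   "Correct permissions; periodic access review (improved audit capability)",
                   "Low", "Damaging"),
    ThreatVulnPair("Staff error during maintenance", "Maintenance procedure not documented",
                   "Informal peer check", "High", "Minor",
                   "Documented procedure, change approval and training", "Low", "Minor"),
    ThreatVulnPair("Software fault", "Open deficiency from the last vulnerability scan",
                   "Patch cycle scheduled", "Very Low", "Significant"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(row)
```

With the sample data the first pair rates High and falls to Moderate with its safeguard, the second rates Moderate and falls to Low, and the third rates Low and so needs no safeguard; a pair whose residual estimate is higher than its original estimate is rejected before any risk is computed.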
TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5
More informationMAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0
MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:
More informationWright State University Information Security
Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationJuly 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263
July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67
More informationREVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Inquiries about this report may be addressed
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationRisk Management Policy
Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012
More informationRisk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.
Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C. Burget September 14, 2014 1 Agenda Information Assurance
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationCIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationA Risk Assessment Checklist for Medicaid State Agencies
PProject Management Checklist Tool for the HIPAA Privacy Rule A Risk Assessment Checklist for Medicaid State Agencies Checklist Information g to gauge where they are in the overall picture of HIPAA Privacy
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More informationINFORMATION TECHNOLOGY RISK MANAGEMENT PLAN
10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:
More informationFISMA Compliance: Making the Grade
FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of
More informationNational Information Assurance Certification and Accreditation Process (NIACAP)
NSTISSI No. 1000 April 2000 National Information Assurance Certification and Accreditation Process (NIACAP) THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationInfrastructure Information Security Assurance (ISA) Process
Infrastructure Information Security Assurance (ISA) Process Handbook AS-805-B March 2005 Transmittal Letter A. Explanation. As part of the Postal Service s efforts to enhance security across all technology
More informationInformation Security Standards
Information Security Standards Policy as approved by the Board of Trustees on 3/14/2011 is in black print. Standards (operating draft) as of 8/3/2011 are in blue print. 8/3/2011 Operating Draft The University
More informationTom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh
Effectively Completing and Documenting a Risk Analysis Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS Session Objectives Identify the difference between risk analysis and risk assessment
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationChecklist for Vulnerability Assessment
Checklist for Vulnerability Assessment Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationPROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191
Interim Techlogy Performance Report 1 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V2 Company Name: The Boeing Company December 10, 2012 1 Interim Techlogy Performance Report 1
More informationData Security and Identity Management
Data Security and Identity Management Leading Change Data Pre-Conference June 16, 2014 Ed Jung Chief Technology Officer Arizona Department of Education DATA SECURITY Are you prepared Likelihood of a data
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationRISK ASSESSMENT GUIDELINES
RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationCustomer-Facing Information Security Policy
Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationEDUCATION AND TRAINING
A Model to Quantify the Return on Investment of Information Assurance By Charley Tichenor Defense Security Cooperation Agency [The following views presented herein are solely those of the author and do
More informationHow Much Do I Need To Do to Comply? Vice president SystemExperts Corporation
How Much Do I Need To Do to Comply? Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda Background Requirements and you Risk language Risk Factors Assessing risk Program elements and
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationRISK MANAGEMENT POLICY
RISK MANAGEMENT POLICY Nuffield College s Risk Management Policy defines the College's approach to risk and how risk management should be embedded into management processes to ensure that the major risks
More informationDEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE
DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 Washington, DC 20420 Transmittal Sheet March 22, 2010 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE 1. REASON FOR ISSUE: This
More informationHow To Review The Security Plans Of Noaa
U.S. DEPARTMENT OF COMMERCE Office of Inspector General NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION Progress Being Made in Certification and Accreditation Process, but Authorizing Officials Still Lack
More information