CA Technologies Solutions for Criminal Justice Information Security Compliance
WHITE PAPER | OCTOBER 2014

CA Technologies Solutions for Criminal Justice Information Security Compliance

William Harrod
Advisor, Public Sector Cyber-Security Strategy
Table of Contents

Executive Summary
Section 1: Criminal Justice Information Security Compliance
Section 2: CJIS Security Policy Requirements
Section 3: CJIS Policy Detailed Requirements
Section 4: Conclusions
Executive Summary

Challenge
The Criminal Justice Information Services (CJIS) Security Policy includes a number of technical safeguards designed to protect and secure criminal justice information. Compliance with this policy is mandatory for any agency requiring access to Federal Bureau of Investigation (FBI) CJIS Division systems and information.

Opportunity
CA Technologies provides a number of solutions that can address key requirements within the CJIS Security Policy and help your agency achieve and maintain compliance going forward.

Benefits
Agencies with access to FBI CJIS systems and information are subject to formal audits by the FBI and may also be subject to special security inquiries and informal audits when security violations are alleged or suspected. CA Technologies provides a comprehensive suite of solutions that can secure access to criminal justice information, enable compliance with FBI security requirements and streamline the audit process going forward.
Section 1: Criminal Justice Information Security Compliance

The Criminal Justice Information Services (CJIS) Security Policy represents a shared responsibility between the Federal Bureau of Investigation's Criminal Justice Information Services Division, the CJIS Systems Agency (CSA) and State Identification Bureaus (SIB). The purpose of the policy is to establish minimum security requirements to protect and secure various types of criminal justice information, including:

- Biometric Data: data derived from one or more intrinsic physical or behavioral traits of humans, typically for the purpose of uniquely identifying individuals within a population. Used to identify individuals; includes fingerprints, palm prints, iris scans and facial recognition data.
- Identity History Data: textual data that corresponds with an individual's biometric data, providing a history of criminal and/or civil events for the identified individual.
- Biographic Data: information about individuals associated with a unique case, and not necessarily connected to identity data. Biographic data does not provide a history of an individual, only information related to a unique case.
- Property Data: information about vehicles and property associated with a crime.
- Case/Incident History: information about the history of criminal incidents.
Section 2: CJIS Security Policy Requirements

The CJIS Security Policy outlines a number of administrative, procedural and technical controls agencies must have in place to protect criminal justice information. Our experience is that agencies will generally have many of the administrative and procedural controls already in place, but will need to implement additional technical safeguards in order to be in complete compliance with the mandate. CA Technologies provides a number of security solutions to address the more technical requirements described in this policy, as highlighted in the table below ("Yes" marks a policy area where CA Technologies facilitates compliance):

Policy Requirement                                                               CA Technologies Facilitates Compliance
Policy Area 1: Information Exchange Agreements
Policy Area 2: Security Awareness Training
Policy Area 3: Incident Response
Policy Area 4: Auditing and Accountability                                        Yes
Policy Area 5: Access Control                                                     Yes
Policy Area 6: Identification and Authentication                                  Yes
Policy Area 7: Configuration Management                                           Yes
Policy Area 8: Media Protection
Policy Area 9: Physical Protection
Policy Area 10: Systems and Communications Protection and Information Integrity   Yes
Policy Area 11: Formal Audits
Policy Area 12: Personnel Security                                                Yes
Section 3: CJIS Policy Detailed Requirements

Policy Area 4: Auditing and Accountability

Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.

Auditable Events and Content (Information Systems)
The agency's information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The following events shall be logged:

- Successful and unsuccessful system log-on attempts
- Successful and unsuccessful attempts to access, create, write, delete or change permissions on a user account, file, directory or other system resource
- Successful and unsuccessful attempts to change account passwords
- Successful and unsuccessful actions by privileged accounts
- Successful and unsuccessful attempts by users to access, modify or destroy the audit log file

All CA Technologies security solutions, from our web-based single sign-on and strong authentication solutions to our host-based and virtualization access control solutions, generate secure, detailed audit records. The specific events defined within the CJIS Security Policy will need to be collected potentially across a variety of platforms, as well as at the different layers where users may access data (application, database, operating system, etc.). These events can be aggregated and correlated in a single location for compliance monitoring and reporting.

Audit Monitoring, Analysis, and Reporting
The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions. Audit review/analysis shall be conducted at a minimum once a week.

While the review of audit logs is primarily a procedural control, CA Privileged Identity Suite can be used to schedule the weekly reports for review and sign-off by designated individuals.

Protection of Audit Information
The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

Audit logs both collected and generated by CA Privileged Identity Suite are a protected resource. They cannot be modified, moved or removed by users on the system, even those with privileged (root, administrator) access.
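A practical way to prepare for the weekly review is to check collected records against the five event categories the policy lists above, so that a gap in coverage (a platform that never reports password changes, say) is visible before an auditor asks. The following added example, which is not CA Technologies code, does that over a handful of constructed records; the key=value record format, the category names and the sample hosts and users are assumptions made for the example.

```python
"""
Added example: checks audit records against the CJIS Policy Area 4 event
categories and flags records that touch the audit log itself.
Record format, category labels and sample data are assumptions for this example.
"""
from collections import Counter

# The five event categories the policy says must be logged (paraphrased from the text).
REQUIRED_CATEGORIES = {
    "logon",              # successful and unsuccessful system log-on attempts
    "resource_access",    # access/create/write/delete/chmod on accounts, files, directories
    "password_change",    # successful and unsuccessful password changes
    "privileged_action",  # successful and unsuccessful actions by privileged accounts
    "audit_log_access",   # access/modify/destroy attempts on the audit log file
}

# Constructed sample records in an assumed "key=value" line format.
SAMPLE_LOG = """\
ts=2014-10-01T08:00:01 host=db01 user=jdoe cat=logon result=success
ts=2014-10-01T08:00:09 host=db01 user=jdoe cat=resource_access result=success target=/cji/cases.db
ts=2014-10-01T08:05:00 host=db01 user=root cat=privileged_action result=success cmd=useradd
ts=2014-10-01T08:06:00 host=db01 user=root cat=audit_log_access result=failure target=/var/log/audit/audit.log
ts=2014-10-01T09:00:00 host=web01 user=asmith cat=logon result=failure
"""


def parse_line(line):
    """Parse one key=value record into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_log(text):
    """Parse every non-empty line of a log text into a list of record dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def category_counts(records):
    """How many records arrived per category: the starting point for the weekly report."""
    return Counter(r.get("cat") for r in records)


def missing_categories(records):
    """Required categories with no record at all, i.e. a logging coverage gap to investigate."""
    seen = {r.get("cat") for r in records}
    return sorted(REQUIRED_CATEGORIES - seen)


def audit_log_tampering(records):
    """Records where someone touched the audit log itself; these go to a reviewer regardless of outcome."""
    return [r for r in records if r.get("cat") == "audit_log_access"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-category counts:", dict(category_counts(recs)))
    print("categories with no records:", missing_categories(recs))
    for r in audit_log_tampering(recs):
        print("REVIEW: audit log touched:", r)
```

In the sample data no password-change event was ever received, which is exactly the kind of silent gap a weekly review should surface; the single attempt on the audit log is reported even though it failed, because the policy requires both successful and unsuccessful attempts to be logged.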
Policy Area 5: Access Control

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

Account Management
The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling and removing accounts. The agency shall validate information system accounts at least annually and shall document the validation process. The validation and documentation of accounts can be delegated to local agencies.

The CA Technologies suite of security products is uniquely focused on identity and access management and data governance. We have a number of solutions, including our CA Identity Manager product, designed to address common account management issues, including automated provisioning, deprovisioning, self-service and delegation. CA Identity Governance works in conjunction with CA Identity Manager or on a stand-alone basis to help ensure that roles are properly established within your organization. CA Identity Governance also provides a robust entitlement review capability that is commonly used to automate the account validation process and provide documentation and support for compliance objectives such as CJIS.

Access Enforcement
Access enforcement governs access to the system and the information it contains. The information system controls shall restrict access to privileged functions (deployed in hardware, software and firmware) and security-relevant information to explicitly authorized personnel. Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. Agencies shall control access to CJI based on one or more of the following:

- Job assignment or function (i.e., the role) of the user seeking access
- Physical location
- Logical location
- Network addresses (e.g., users from sites within a given agency may be permitted greater access than those from outside)
- Time-of-day and day-of-week/month restrictions

CA Privileged Identity Suite is a host-based access control solution that is commonly used in high-security environments to control privileged user access. With broad platform support and deep kernel integration, CA Privileged Identity Suite serves as a central policy enforcement point to manage and scope what privileged users can do and access on your critical systems. With CA Privileged Identity Suite, complex granular rules can be created to protect critical resources and govern who may access those resources and how. These rules can incorporate many of the criteria outlined in the CJIS Security Policy. With additional integrations from our web and strong authentication solutions (CA Single Sign-On [CA SSO] and CA Strong Authentication) we can support and enforce any combination of CJIS rules to create a comprehensive access enforcement capability.
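To make the CJIS criteria above concrete, the following added example (not CA Technologies code, and not how CA Privileged Identity Suite expresses its rules) evaluates an access request against rules that combine role, source network address and time-of-day/day-of-week, with default deny and a reason string suitable for the audit record. The rule layout, the resource name, the roles and the network ranges are assumptions made for this example.

```python
"""
Added example: default-deny access enforcement combining the CJIS criteria
(role, network address, time-of-day, day-of-week). Rule structure, resource
names, roles and network ranges are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress


@dataclass
class AccessRule:
    resource: str
    roles: set                 # job assignment / function of the requester
    networks: list             # allowed source ranges, e.g. agency sites
    hours: tuple = (0, 24)     # allowed local hours, [start, end)
    weekdays: set = field(default_factory=lambda: set(range(7)))  # 0=Mon .. 6=Sun


@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    resource: str
    when: datetime


def request_from(user, role, source_ip, resource, when_iso):
    """Build a Request from an ISO-8601 timestamp string (keeps callers free of datetime imports)."""
    return Request(user, role, source_ip, resource, datetime.fromisoformat(when_iso))


def rule_allows(rule, req):
    """Every criterion must hold. Returns (allowed, first failed criterion or 'ok')."""
    if req.resource != rule.resource:
        return False, "resource"
    if req.role not in rule.roles:
        return False, "role"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
        return False, "network"
    if not (rule.hours[0] <= req.when.hour < rule.hours[1]):
        return False, "time-of-day"
    if req.when.weekday() not in rule.weekdays:
        return False, "day-of-week"
    return True, "ok"


def decide(rules, req):
    """Default deny: access is granted only when some rule explicitly allows it.
    The second element is the reason to write to the audit record."""
    reasons = []
    for rule in rules:
        ok, why = rule_allows(rule, req)
        if ok:
            return "allow", "matched rule for %s" % rule.resource
        reasons.append(why)
    return "deny", ",".join(reasons) or "no rule"


# Constructed policy: detectives and records clerks may read CJI case records only from the
# agency LAN during business hours on weekdays; CJI administrators may also come from a
# separate management network at any time.
RULES = [
    AccessRule(resource="cji-case-records", roles={"detective", "records-clerk"},
               networks=["10.20.0.0/16"], hours=(7, 19), weekdays={0, 1, 2, 3, 4}),
    AccessRule(resource="cji-case-records", roles={"cji-admin"},
               networks=["10.20.0.0/16", "10.99.0.0/24"]),
]

if __name__ == "__main__":
    for req in [
        request_from("jdoe", "detective", "10.20.5.7", "cji-case-records", "2014-10-01T09:00:00"),
        request_from("jdoe", "detective", "192.168.1.1", "cji-case-records", "2014-10-01T09:00:00"),
        request_from("jdoe", "detective", "10.20.5.7", "cji-case-records", "2014-10-04T09:00:00"),
        request_from("ops", "cji-admin", "10.99.0.5", "cji-case-records", "2014-10-01T22:00:00"),
    ]:
        print(req.user, req.source_ip, req.when.isoformat(), "->", decide(RULES, req))
```

The reason string records which criterion each rule failed on, which is what a reviewer needs when a denied request shows up in the Policy Area 4 audit trail; a bare "deny" tells them nothing about whether the problem was location, role or time.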
Unsuccessful Login Attempts
Where technically feasible, the system shall enforce a limit of no more than five consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account/node for a 10 minute time period unless released by an administrator.

Depending on whether the user is accessing a web-based application or attempting to sign onto a server or workstation, CA Technologies can address this requirement:

- Web-based resources: CA SSO provides a central mechanism to enforce account policies, including lockout policy and duration, for your web-based applications.
- Host-based resources: CA Privileged Identity Suite provides a central mechanism to enforce account policies, including lockout policy and duration, for your servers.

System Use Notification
The information system shall display an approved system use notification message, before granting access, informing potential users of various usage and monitoring rules.

System use notifications can be configured within CA SSO.

Session Lock
The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock shall remain in effect until the user re-establishes access using appropriate identification and authentication procedures.

Session locks can be established with CA SSO for web-based resources and with CA Privileged Identity Suite for direct server access.

Remote Access
The agency shall authorize, monitor and control all methods of remote access to the information system. Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g., the Internet).

Depending on whether the user is accessing a web-based application or attempting to sign onto a server or workstation, CA Technologies can address this requirement:

- Web-based resources: CA SSO, CA Strong Authentication and CA Risk Authentication work together to help manage and protect remote access to critical web-based resources. We have the ability to detect not only who is attempting to access resources remotely, but also from where and how (home computer, iPhone, tablet device, etc.). Our unique profiling capability is able to identify suspicious remote activity based on a variety of variables and dynamically adjust access control requirements based on the perceived risk of that transaction.
- Host-based resources: CA Privileged Identity Suite can create and enforce central policies to prevent users from logging into servers remotely (from a non-agency-controlled network).
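The lockout and session-lock requirements above are small state machines, and the details that matter in an audit are the boundaries: the lock must trigger on the fifth consecutive failure, a correct password must not unlock the account before the 10 minutes elapse (only an administrator release may), and an idle session must stay locked until the user re-authenticates. The following added example, which is not CA Technologies code and does not reflect how CA SSO or CA Privileged Identity Suite implement these policies, models both with an injectable clock so the timing can be checked deterministically; the class and function names are assumptions for the example.

```python
"""
Added example: CJIS account lockout (5 consecutive failures -> 10 minute lock,
releasable by an administrator) and session lock after 30 minutes of inactivity.
Times are epoch seconds passed in by the caller so the logic can be tested.
"""
from dataclasses import dataclass

MAX_FAILED = 5              # "no more than five consecutive invalid access attempts"
LOCKOUT_SECS = 10 * 60      # "lock the account/node for a 10 minute time period"
IDLE_LOCK_SECS = 30 * 60    # "session lock after a maximum of 30 minutes of inactivity"


@dataclass
class AccountState:
    failed: int = 0            # consecutive failures since the last success or release
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginPolicy:
    """Tracks consecutive failures per account and enforces the lockout window."""

    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def attempt(self, user, credential_ok, now):
        """Returns 'ok', 'denied' or 'locked'. While locked, even a correct credential is refused,
        so an attacker cannot tell a locked account from a wrong password."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if credential_ok:
            st.failed = 0
            st.locked_until = 0.0
            return "ok"
        st.failed += 1
        if st.failed >= MAX_FAILED:
            st.locked_until = now + LOCKOUT_SECS
            st.failed = 0
            return "locked"
        return "denied"

    def admin_release(self, user):
        """The only path that ends a lockout early: an administrator release, which should itself be audited."""
        st = self._state(user)
        st.locked_until = 0.0
        st.failed = 0


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False


def touch(session, now):
    """Call on every request. Returns 'active' or 'locked'; a locked session stays locked."""
    if session.locked:
        return "locked"
    if now - session.last_activity >= IDLE_LOCK_SECS:
        session.locked = True
        return "locked"
    session.last_activity = now
    return "active"


def unlock(session, reauthenticated, now):
    """The lock is released only by a fresh identification and authentication step."""
    if not reauthenticated:
        return False
    session.locked = False
    session.last_activity = now
    return True


if __name__ == "__main__":
    policy = LoginPolicy()
    t = 1_000.0
    print([policy.attempt("jdoe", False, t) for _ in range(5)])     # four denials, then locked
    print(policy.attempt("jdoe", True, t + 60))                      # still locked
    print(policy.attempt("jdoe", True, t + LOCKOUT_SECS + 1))        # ok once the window passes
    s = Session("jdoe", t)
    print(touch(s, t + 100), touch(s, t + 100 + IDLE_LOCK_SECS))     # active, then locked
```

Because the policy says "unless released by an administrator", the release is a separate, privileged call rather than a side effect of a later correct password; that makes it a Policy Area 4 privileged action and worth logging on its own.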
Policy Area 6: Identification and Authentication

The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.

Identification Policy and Procedures
Each person who is authorized to store, process and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling and/or deleting former users.

CA Identity Governance can help your organization evaluate existing accounts for signs of security issues (use of shared IDs, orphan accounts, etc.) and create a role-based access model that will support CJIS compliance objectives going forward. CA Identity Manager can automate the provisioning of accounts based on your organization's particular authorization process (e.g., background checks). In addition, CA Identity Manager also provides segregation of duties enforcement, account self-service and delegation capabilities, as well as automated synchronization with authoritative user stores (HR databases, etc.).

Authentication Policy and Procedures
Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency's audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions between the FBI CJIS Division and its customer agencies, but will not further authenticate the user nor capture the unique identifier for the originating operator, because this function is performed at the local agency, CSA, SIB or Channeler level.

Agencies shall follow the secure password attributes below to authenticate an individual's unique ID. Passwords shall:

- Be a minimum length of eight (8) characters on all systems
- Not be a dictionary word or proper name
- Not be the same as the Userid
- Expire within a maximum of 90 calendar days
- Not be identical to the previous ten (10) passwords
- Not be transmitted in the clear outside the secure location
- Not be displayed when entered

CA SSO, CA Strong Authentication and CA Risk Authentication work together to provide a comprehensive authentication infrastructure that supports standards-based identity federation between and amongst various member agencies. We fully support the password complexity requirements defined in the CJIS Security Policy and also provide the most advanced risk-based authentication capabilities on the market, including device forensics, pattern analysis, support for knowledge-based authentication (KBA) and more.

The CJIS Security Policy mandates that Advanced Authentication be used to verify user access in certain conditions. Methods cited in the policy include biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or risk-based authentication that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e., device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.
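Five of the seven password attributes above can be checked by software at the moment a password is set or used: length, dictionary/proper-name membership, equality with the user ID, reuse of the previous ten passwords, and age. The following added example (not CA Technologies code, and not how CA SSO enforces its password policy) implements those checks; note that the history comparison works against salted PBKDF2 hashes, so honouring the "previous ten passwords" rule does not require keeping any cleartext. The word list, the user IDs and the sample passwords are constructed for the example, and a real deployment would load a full dictionary.

```python
"""
Added example: checks a candidate password against the CJIS attributes that
software can enforce (length, dictionary word, equals user ID, reuse of the
previous ten, 90-day expiry). Word list and sample data are constructed.
"""
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 8        # "minimum length of eight (8) characters"
MAX_AGE_DAYS = 90     # "expire within a maximum of 90 calendar days"
HISTORY_DEPTH = 10    # "not be identical to the previous ten (10) passwords"
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a dictionary and proper-name list.
DICTIONARY = {"password", "welcome", "summer", "michael", "jennifer", "letmein"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores only (salt, digest) pairs, never cleartext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, stored):
    """Constant-time comparison against one stored (salt, digest) pair."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(userid, password, history):
    """Return the CJIS attributes the candidate violates (empty list means acceptable).
    `history` is the list of (salt, digest) pairs for earlier passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if password.lower() == userid.lower():
        problems.append("same as userid")
    if any(matches(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("identical to one of the previous 10 passwords")
    return problems


def password_expired(set_on_iso, today_iso):
    """True once a password is 90 or more calendar days old and must be changed."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return (today - set_on).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # A real program would read the candidate with getpass.getpass() so it is not displayed when entered.
    history = [hash_password("Old-Secret-1"), hash_password("Old-Secret-2")]
    for candidate in ["jdoe", "Password", "Old-Secret-2", "Cj1s-Rv7!kq"]:
        print(repr(candidate), "->", check_new_password("jdoe", candidate, history) or "acceptable")
    print("set 2014-07-01, checked 2014-09-29:", password_expired("2014-07-01", "2014-09-29"))
```

The "not be transmitted in the clear" and "not be displayed when entered" attributes are properties of the transport and the user interface rather than of the password value, so they are not part of the checker; the comment in the usage block points at `getpass` for the display side.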
Policy Area 7: Configuration Management

Planned or unplanned changes to the hardware, software and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades and modifications.

Least Functionality
The agency shall configure the application, service or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols and/or services.

CA Privileged Identity Suite restricts access to critical system resources, including ports, protocols and services. Configuration changes can be managed through CA Privileged Identity Suite's password vaulting capabilities, which provide a controlled method for privileged users to access systems and make authorized changes to the environment. In virtualized environments, CA Privileged Identity Suite can also monitor host configurations for unauthorized changes and automate the remediation of configuration drift.

Policy Area 10: System and Communication Protection and Information Integrity

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. In addition, applications, services or information systems must have the capability to ensure system integrity through the detection of and protection against unauthorized changes to software and information.

Information Flow
The network infrastructure shall control the flow of information between interconnected systems. The CJIS Security Policy requires that a number of controls be placed at the boundary to protect criminal justice information.

CA Data Protection provides a network boundary appliance that can detect leakage of criminal justice information or prevent that information from being transmitted unencrypted across the internal network.
Partitioning and Virtualization

Requirement
Virtualized environments are authorized for criminal justice and non-criminal justice activities. In addition to the security controls described in this policy, the following additional controls shall be implemented in a virtual environment:

- Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
- Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment.
- Virtual machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from virtual machines that process CJI internally.
- Device drivers that are critical shall be contained within a separate guest.

The following are additional technical security control best practices and should be implemented wherever feasible:

- Encrypt network traffic between the virtual machine and host.
- Implement IDS and IPS monitoring within the virtual machine environment.
- Virtually firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall) and ensure that only allowed protocols will transact.
- Segregate the administrative duties for the host.

CA Technologies Solution
CA Privileged Identity Suite for Virtual Environments provides fine-grained access controls and host hardening capabilities for your virtual infrastructure. While CA Privileged Identity Suite does not provide encryption or intrusion detection capabilities, it does handle all of the other CJIS virtualization requirements, including host-VM isolation, enhanced auditing and logging capabilities, virtual firewalling and segregation of duties/privileged access control.

Policy Area 12: Personnel Termination

Having proper security measures against the insider threat is a critical component of the CJIS Security Policy. This section's security terms and requirements apply to all personnel who have access to unencrypted CJI, including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

Personnel Termination
The agency, upon termination of individual employment, shall immediately terminate access to CJI.

While the CJIS Security Policy suggests this requirement may be satisfied by procedural controls, CA Identity Manager can automate this process so that user access to CJI systems and data is automatically deprovisioned when users are terminated.
Section 4: Conclusions

Agencies with access to FBI CJIS systems and information are subject to formal audits by the FBI and may also be subject to special security inquiries and informal audits when security violations are alleged or suspected. CA Technologies provides a comprehensive suite of solutions that can secure access to criminal justice information, enable compliance with FBI security requirements and streamline the audit process going forward.

Summary matrix: the policy requirements addressed in Section 3 (Policy Area 4: Auditing and Accountability; Policy Area 5: Access Control; Policy Area 6: Identification and Authentication; Policy Area 7: Configuration Management; Policy Area 10: Systems and Communications Protection and Information Integrity; Policy Area 12: Personnel Security) mapped against CA Single Sign-On, CA Identity Manager, CA Identity Governance, CA Data Protection, CA Strong Authentication and CA Risk Authentication, and CA Privileged Identity Suite. The product-to-policy-area mappings are those described in Section 3.
Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, "Laws")) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations.

CS200_94653_1014
More informationEffective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:
Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationAutomate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
More informationAchieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
More informationOracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009
Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009 EXECUTIVE OVERVIEW Enterprises these days generally have Microsoft Windows desktop users accessing diverse enterprise applications
More informationOracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007
Oracle Identity Management for SAP in Heterogeneous IT Environments An Oracle White Paper January 2007 Oracle Identity Management for SAP in Heterogeneous IT Environments Executive Overview... 3 Introduction...
More informationHow To Manage A Privileged Identity Manager On A Linux System
WHITE PAPER NOVEMBER 2014 Is Your Agency Subject to the Requirements Specified in Army Regulation 25-2? Chris Boswell North American Security 2 WHITE PAPER: ARMY REGULATION 25-2 ca.com Table of Contents
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationAccess Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL
AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical
More informationManaging for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud
Deploying and Managing Private Clouds The Essentials Series Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud sponsored by Managing for the Long Term: Keys to
More informationNetop Remote Control Security Server
A d m i n i s t r a t i o n Netop Remote Control Security Server Product Whitepaper ABSTRACT Security is an important factor when choosing a remote support solution for any enterprise. Gone are the days
More informationcontent-aware identity & access management in a virtual environment
WHITE PAPER Content-Aware Identity & Access Management in a Virtual Environment June 2010 content-aware identity & access management in a virtual environment Chris Wraight CA Security Management we can
More information1 CA SECURITY SAAS VALIDATION PROGRAM 2015 ca.com. CA Security SaaS Validation Program. Copyright 2015 CA. All Rights Reserved.
1 CA SECURITY SAAS VALIDATION PROGRAM 2015 ca.com CA Security SaaS Validation Program 2 CA SECURITY SAAS VALIDATION PROGRAM 2015 ca.com At a Glance KEY BENEFITS/ RESULTS The CA Security SaaS Validation
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationSafeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
More informationA to Z Information Services stands out from the competition with CA Recovery Management solutions
Customer success story October 2013 A to Z Information Services stands out from the competition with CA Recovery Management solutions Client Profile Industry: IT Company: A to Z Information Services Employees:
More information20 Critical Security Controls
WHITE PAPER June 2012 20 Critical Security Controls How CA Technologies can help federal agencies automate compliance processes Philip Kenney CA Security Management Table of Contents Executive Summary
More informationidentity as the new perimeter: securely embracing cloud, mobile and social media agility made possible
identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,
More informationTECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for
More informationIDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationPREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:
A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY POLICY Name Of Policy: Security Audit Logging Policy Domain: Security Date Issued: 05/23/11 Date
More information5 Pillars of API Management with CA Technologies
5 Pillars of API Management with CA Technologies Introduction: Managing the new open enterprise Realizing the Opportunities of the API Economy Across industry sectors, the boundaries of the traditional
More informationNC CJIN Governing Board. 13 October, 2011. George A. White
Advanced Authentication NC CJIN Governing Board 13 October, 2011 George A. White FBI CJIS ISO Brief Policy History Two year development Fully vetted by all state representation Criminal and civil Requirements
More informationADM:49 DPS POLICY MANUAL Page 1 of 5
DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The
More informationLogica Sweden provides secure and compliant cloud services with CA IdentityMinder TM
CUSTOMER SUCCESS STORY Logica Sweden provides secure and compliant cloud services with CA IdentityMinder TM CUSTOMER PROFILE Industry: IT services Company: Logica Sweden Employees: 5,200 (41,000 globally)
More informationEnsuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
More informationSOLUTION BRIEF BIG DATA MANAGEMENT. How Can You Streamline Big Data Management?
SOLUTION BRIEF BIG DATA MANAGEMENT How Can You Streamline Big Data Management? Today, organizations are capitalizing on the promises of big data analytics to innovate and solve problems faster. Big Data
More informationCA Service Desk Manager - Mobile Enabler 2.0
This Document is aimed at providing information about the (CA SDM) Mobile Enabler and mobile capabilities that is typically not available in the product documentation. This is a living document and will
More informationAtkins safeguards availability of client s geospatial systems with a CA AppLogic private cloud environment
CUSTOMER SUCCESS STORY Atkins safeguards availability of client s geospatial systems with a CA AppLogic private cloud environment CLIENT PROFILE Industry: Engineering Company: Atkins Employees: 17,700
More informationQuestion Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
More informationVirtualization Demystified
Virtualization Demystified Oregon State Police CJIS Statewide Training September 24, 2015 Stephen Exley, CISSP Senior Consultant/Technical Analyst FBI CJIS ISO Program Virtualization Demystified What is
More informationCA Explore Performance Management for z/vm
PRODUCT SHEET CA Explore Performance Management for z/vm CA Explore Performance Management for z/vm CA Explore Performance Management for z/vm (CA Explore for z/vm) is a comprehensive performance management
More informationCA ControlMinder for Virtual Environments May 2012
FREQUENTLY ASKED QUESTIONS May 2012 Top Ten Questions 1. What is?... 2 2. What are the key benefits of?... 2 3. What are the key capabilities of?... 2 4. Does this release include anything from the recently
More informationEnsuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationNew River Community College. Information Technology Policy and Procedure Manual
New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management
More informationHIPAA: The Role of PatientTrak in Supporting Compliance
HIPAA: The Role of PatientTrak in Supporting Compliance The purpose of this document is to describe the methods by which PatientTrak addresses the requirements of the HIPAA Security Rule, as pertaining
More informationMCOLES Information and Tracking Network. Security Policy. Version 2.0
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
More informationThe Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway
The Essentials Series: Enterprise Identity and Access Management Authentication sponsored by by Richard Siddaway Authentication...1 Issues in Authentication...1 Passwords The Weakest Link?...2 Privileged
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationCA Technologies Healthcare security solutions:
CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA
More informationHow can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?
SOLUTION BRIEF Content Aware Identity and Access Management May 2010 How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward? we can CA Content
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationCA Spectrum and CA Embedded Entitlements Manager
CA Spectrum and CA Embedded Entitlements Manager Integration Guide CA Spectrum Release 9.4 - CA Embedded Entitlements Manager This Documentation, which includes embedded help systems and electronically
More informationSOLUTION BRIEF Improving SAP Security With CA Identity and Access Management. improving SAP security with CA Identity and Access Management
SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management improving SAP security with CA Identity and Access Management The CA Identity and Access Management (IAM) suite can help you
More informationThe Benefits of an Industry Standard Platform for Enterprise Sign-On
white paper The Benefits of an Industry Standard Platform for Enterprise Sign-On The need for scalable solutions to the growing concerns about enterprise security and regulatory compliance can be addressed
More informationProvide access control with innovative solutions from IBM.
Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationAddressing PCI Compliance
WHITE PAPER DECEMBER 2015 Addressing PCI Compliance Through Privileged Access Management 2 WHITE PAPER: ADDRESSING PCI COMPLIANCE Executive Summary Challenge Organizations handling transactions involving
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationCA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam
CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as
More informationCA Technologies optimizes business systems worldwide with enterprise data model
CUSTOMER SUCCESS STORY CA Technologies optimizes business systems worldwide with enterprise data model CLIENT PROFILE Industry: IT Organization: CA Technologies Employees: 13,600 Revenue: $4.8 billion
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationWhite paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview
White paper December 2008 IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview Page 2 Contents 2 Executive summary 2 The enterprise access challenge 3 Seamless access to applications 4
More informationProduct overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities
PRODUCT SHEET: CA SiteMinder CA SiteMinder we can CA SiteMinder provides a centralized security management foundation that enables the secure use of the web to deliver applications and cloud services to
More informationWHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0
WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of
More informationSecurity awareness training is not a substitute for the LEADS Security Policy.
Revised 4/2014 This training will discuss some of the duties of the Terminal Agency Coordinator (TAC), Local Agency Security Officer (LASO) and provide basic security awareness training. Security awareness
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More information