83-20-10 Secure Data Center Operations
Gilbert Held

Payoff


The data center stores information necessary for the effective and efficient operation of the entire organization. Loss of this data, conveyance of it to a competitor, or unauthorized alteration of it can harm or even destroy the organization. Therefore, the data security manager should employ data center security measures that do more than just protect equipment. This article outlines such measures.

Problems Addressed

This article examines a core set of methods, procedures, equipment, and techniques to help secure data center operations. No measures can completely secure these operations. However, by appropriate planning and the implementation of methods, procedures, and techniques to increase the level of security and security awareness within an organization, the data security manager can minimize the number and severity of security breaches.

The data security manager must provide three types of security:

- Physical security.
- Personnel security.
- Communications security.

To provide physical security, the data security manager must have the personnel, equipment, and procedures necessary to bar unauthorized personnel from the data center. To provide personnel security, the manager must ensure that the organization hires suitable applicants and periodically reviews their eligibility for employment. To provide communications security, the data security manager must enforce procedures and techniques that control the use of communications equipment or line facilities to access the organization's information systems. This article focuses on each of the three categories of data center security and their components, as illustrated in Exhibit 1.

Exhibit 1. Data Center Security and Major Security Components

Physical Security

In many organizations, the data center is divided into two or more secure areas. One area houses processing equipment, including processors and disk drives, printers, and other peripheral devices. A second area houses communications equipment, including modems, multiplexers, data service units, channel banks, and the physical line terminals from the communications carrier or carriers serving the organization. The personnel working in these two areas perform very different functions, and these areas have disparate security requirements.

Building Access

In most organizations, building access is controlled. Personnel must pass a guard station at the main entrance, where they show the guard the badge or other type of identification to prove they are eligible to enter the building. In small organizations, building access may be controlled by a badge reader, cipher lock, or simple door key. Many, if not most, of an organization's visitors never require access to its data center, nor do many of its employees, and many buildings house more than one firm's processing or communications equipment. The data security managers of such organizations must employ methods to limit access to their organizations' data center facilities.

Data Center Access

One of the most common methods of controlling access to a data center is the use of a cipher key-controlled door. By pressing a valid numeric key combination, usually a four-digit code, the visitor transmits a signal that activates a door release. Access to most data centers is restricted to operations and support personnel. Programmers, system analysts, and other employees usually do not enjoy uninhibited access to the center. However, these employees, as well as visitors, periodically require access. The data security manager should therefore formulate a policy and procedure for providing access to the data center for personnel who do not work in the computer operations department.

Many data centers use a television monitor connected to a TV camera mounted outside the main data center door. The monitor is located within the data center in a control area that also contains a sign-in/out visitor book and badges. A person who does not know the cipher key code and who needs to enter the data center presses a buzzer to alert data center personnel. A designated person sees the visitor on the monitor in the control area before releasing the door lock. Many organizations require that visitors wear an identifying badge and that they be escorted during their visits to the data center.

Enhancing Physical Security

Data security managers can do several things to enhance the physical security of their centers. First and foremost, they can develop a policy that specifies which employees can enter the data center, the manner in which they gain access, and who is responsible for their supervision. Visitors who are not performing repairs or tests should never be allowed near data center equipment.

Another important task for enhancing the center's physical security is changing the cipher lock key combination. When data security managers do not change the combination, former employees, who can gain access to the building, can also enter the data center. Cipher key combinations should therefore be changed periodically; the frequency should be based on organizational turnover. The combination should also be changed whenever an incident compromises the lock security (e.g., a visitor observes an authorized employee entering the access code). To prevent unauthorized personnel from observing employees entering the code, the data security manager should instruct employees to use their bodies to block the cipher lock from view.

Another item that deserves careful consideration is the control of printouts, tapes, disks, and cartridges. As the repository of corporate information, the data center generates critical information that must not be accessed by unauthorized persons. Information leaving the data center should be routed through an input/output (I/O) control facility, which, in many organizations, is located in the production control department. (This department provides the data center with magnetic media from outside sources and delivers system output and magnetic media from the data center to persons working outside the data center.) With an appropriate policy and procedure in place, I/O control personnel can ensure the delivery of data center materials to persons authorized to receive such material, minimizing the risk of critical information winding up in the hands of unauthorized personnel. The data security manager should require that all material leave the data center through I/O control.

One often overlooked security mechanism is the physical placement of equipment. Within a data center are terminals and consoles that continuously monitor production jobs or that control job scheduling, the dispatching of jobs, and related processes. Those terminals and consoles control computers and communications facilities within the data center, and some of these devices can be used to initiate computer shutdown. These terminals and consoles usually operate throughout the day, and a group taking a tour of the data center or employees with time on their hands could inadvertently cause havoc by experimenting with them. To minimize this possibility, the data center operations manager should consider relocating monitor and control terminals within the operations area of the data center and away from corridors where they can be easily accessed by unauthorized persons. Because one or more members of the operations staff are usually on duty, the manager should consider delegating control of access to those terminals and consoles to the operations branch or department.

Personnel Security

Although the use of some personnel security procedures, such as drug testing and lie detectors, is determined by corporate policy, the data security manager or other IS managers can still implement a basic personnel security policy. To do so, the data security manager should check job applicant references, possibly asking the corporate legal department for a release form that applicants can sign to allow the organization to obtain their transcripts, proof of college degrees, and other verification of attendance at schools.

One of the frequently overlooked aspects of personnel security is controlling contractor personnel. Data security managers should exercise as much care in reviewing backgrounds of full- or part-time contractors as they do for permanent employees.

Personnel Review

Once an employee or contractor passes an initial screening or investigation, most organizations forget an important characteristic of life: things rarely remain the same! An employee's personal circumstances can change through marriage, divorce, bankruptcy, or other factors (e.g., chemical dependence or another form of substance abuse). People who were hired a few years ago might not be eligible for employment if an updated screening or investigation were periodically performed. Therefore, a key to avoiding personnel problems is periodically updating personnel investigations. Doing so alerts managers to the need to refer employees to a counseling service or to the fact that an employee or contractor has become a potential threat instead of a valuable resource.

Communications Security

Communications security involves the use of hardware, software, policies, and procedures to control the use of communications facilities to access the organization's information systems. Although passwords, which govern this type of access, are generally considered the primary component of communications security, their use is only a small part of an effective communications security effort. Other aspects of communications security that the data security manager should consider include:

- Packet filtering.
- The use of callback modems and data encryption devices.
- The manner in which telephone rotary numbers are ordered and changed.
- Policies and procedures that govern the duration of unattended access to online application programs.

Packet Filtering

The growth in the number of corporate connections to the Internet involves both an opportunity and a threat. With access to a network of networks containing more than 25 million computers, an organization's employees can send electronic mail messages to users throughout the world. Employees with Internet access can use the File Transfer Protocol (FTP) to download files from tens of thousands of FTP servers with programs and data bases on a wide variety of topics. Employees can use Telnet to obtain a remote connection to other computers on the Internet, and they can use such Internet applications as Archie and Gopher to perform information searches. However, Internet access is a two-way street, and Internet organizations that do not implement packet filtering expose themselves to the good or bad intentions of millions of Internet users.

Exhibit 2 suggests some of the security exposures of a LAN connected to the Internet. In this example, a bus-based Ethernet LAN links 50 workstation users to a mainframe and, through a router, to an Internet service provider. Without implementing packet filtering, the organization's data flow is bidirectional. Any person connected to the Internet can try to access the organization's computational facilities on the Ethernet LAN, including its mainframe and LAN workstations.

Exhibit 2. Typical Nonprotected Internet Connection

For example, a hacker could develop a script program to probe different Internet addresses until he or she located the organization's. Then, the hacker could create a second script to attempt to log into one or more of the computers connected to the Ethernet LAN. Once access was obtained, the hacker could plant a virus, alter files, or otherwise compromise the well-being of the organization.

Packet filtering, a technique used to control the routing of packets to LANs, can eliminate this security exposure. Packet filtering is usually implemented in a router. However, some routers offered by Internet service providers as part of an Internet access package provide only a limited packet filtering capability. An organization that uses these routers usually purchases a standalone router that is used only for its packet filtering capability. When used in this manner, the router is commonly called a firewall, because it provides a barrier between an organization's network computational resources and the rest of the world.

Exhibit 3 illustrates the use of a firewall to protect network resources. Data flow in this network could be restricted in several ways because packet filtering permits either bidirectional or one-way data flows in either direction. However, with some applications, such as the Simple Mail Transfer Protocol (SMTP), an organization probably would not wish to filter in either direction because it would want to support the bidirectional flow of e-mail carried by SMTP. With other Internet applications, such as FTP, which allows users to transfer files, and Telnet, which is used to obtain a remote computer connection, an organization may prefer to allow only outbound access. It may not want outside users to download files onto the LAN or to obtain remote access into the network's computers.

Exhibit 3. Using a Firewall to Protect a Network

Because Internet applications occur on well-defined port numbers that represent logical connections, an effective firewall filters by source and destination address, as well as by port number. For example, if a data security manager wanted to permit bidirectional e-mail by means of SMTP, then, because the SMTP application uses port 25, he or she would set the following filter:

    Action   Inbound   Outbound   Port
    allow    yes       yes        25

A filter should be set to allow both inbound and outbound communications for an Internet application because, with most firewalls, all that is not expressly permitted is prohibited. Thus, if the manager does not specify the prior filter, most firewalls will preclude e-mail in both directions.

If the data security manager wants to permit network users to use FTP to download files from servers on the Internet but preclude Internet users using FTP from accessing network facilities, he or she would establish the following filters:

    Action   Inbound   Outbound   Port
    allow    no        yes        21
    allow    yes       no         20

These filters permit network users making FTP control requests to access the Internet, but they accept only files transferred due to those requests as inbound traffic.

Callback Modems

If an organization has a network that supports dial-in calls from terminals and microcomputers, anyone who can access the switched telephone network can intentionally or unintentionally dial a number that accesses the organization's computer. To reduce this threat, the data security manager can install callback modems instead of conventional modems at dial-in ports, which are connected to the communications equipment that provides access to the network's information systems facilities.

A callback modem is programmed to contain a table of user names or user codes and corresponding telephone numbers. A dial-in user who calls a callback modem is initially prompted to enter the user name or user code. The modem then displays a message instructing the user to hang up and wait for a callback. The modem then disconnects and dials the telephone number associated with the caller. The callback modem thus restricts calls to those originating from known telephone numbers.

Unfortunately, a callback modem cannot be effectively used when an organization's employees travel and must access the organization's central communications facilities from numerous locations. In addition, the cost of the second telephone call constitutes the greater part of the cost of billed communications. Charging these costs to the departments of those employees who originated the long-distance calls is usually difficult.

Encryption Devices

Several communications vendors manufacture encryption devices that are compatible with the National Institute of Standards and Technology (NIST) Data Encryption Standard (DES) algorithm. Although the use of encryptors provides secure communications, the data security manager must develop a policy to govern both the generation and distribution of encryption keys. The policy should address the need to change these keys periodically. However, unless the organization transfers funds or very critical information, the use of encryptors may not be justified because of the cost of the equipment and the labor required to change keys.

Telephone Rotary Numbers

When an organization orders a group of telephone lines on a rotary switch to provide access to communications equipment, the data security manager usually ensures that the telephone numbers will not be listed. The appearance of these numbers in a telephone directory can tip off hackers. If the organization wishes to provide some segment of the public with easy access to its computer facilities, the data security manager should assess the advantages and disadvantages of listing the organization's communications access telephone numbers only in brochures distributed to customers instead of in a public directory.

On occasion, a hacker may stumble across one or more of the organization's telephone rotary groups. Unfortunately, under current law, it is not illegal for the hacker to continuously attempt to gain access to an organization's computer and, in doing so, tie up a portion of its communications resources. Under the laws of most states, a legal violation occurs only if the hacker actually penetrates the system. Changing the numbers usually corrects the problem and is generally a practical remedy to an attempted computer penetration.

Policy and Procedures

One communications security vulnerability that organizations often overlook is the terminal user who, after signing onto an application, leaves to get coffee, go to lunch, or take a break. Anyone walking by that terminal can access the application currently being used. To avoid this situation, the data security manager should consider using software that automatically logs a user off if no activity occurs within a predefined time interval. In addition to enhancing security, these activity monitors support the effective use of communications and computer resources because they make those resources available to other users.

Recommended Course of Action

There are three key components to data center security: physical security, personnel security, and communications security. By carefully considering the elements associated with each component; developing plans, policies, and procedures; and obtaining appropriate hardware and software, the data security manager can minimize potential risks. Careful consideration of these issues both increases the safety of personnel and equipment in the data center and minimizes the intentional or unintentional removal of information from the data center.

Therefore, the data security manager should carefully review the elements of the security program against elements discussed in this article. The data security manager should then initiate appropriate action to eliminate any deficiencies that could adversely affect security, working within the constraints of the data center's budget and available personnel.

Author Biographies

Gilbert Held

Gilbert Held, an internationally known author and lecturer, is the author of more than 25 books and 200 technical articles on computer systems and communications. He is the director of 4-Degree Consulting in Macon, GA.
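The filter tables from the Packet Filtering section, evaluated under the rule that all that is not expressly permitted is prohibited, as an added example that is not part of the article. The `field` attribute, the session table, and the sample addresses are assumptions: the article's rows name only a port, so the port-20 row is matched here against the remote source port, and the second filter shows the state needed to accept port-20 data only for a transfer a LAN user requested.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One row of the article's table: Action / Inbound / Outbound / Port."""
    port: int
    inbound: bool
    outbound: bool
    field: str = "dst"  # assumption: port field the row is compared with


# The article's rows. FTP data arrives from the server's port 20, so that
# row is matched on the source port (assumption; the table names only a port).
FILTERS = (
    Filter(25, inbound=True, outbound=True),                # SMTP
    Filter(21, inbound=False, outbound=True),               # FTP control
    Filter(20, inbound=True, outbound=False, field="src"),  # FTP data
)


@dataclass(frozen=True)
class Attempt:
    """A connection attempt at the firewall (constructed sample data)."""
    direction: str  # "in": started on the Internet, "out": started on the LAN
    lan_host: str
    remote_host: str
    src_port: int
    dst_port: int


def matching_filter(attempt, filters=FILTERS):
    """Return the first row that permits the attempt, or None (default deny)."""
    for f in filters:
        port = attempt.src_port if f.field == "src" else attempt.dst_port
        permitted = f.inbound if attempt.direction == "in" else f.outbound
        if port == f.port and permitted:
            return f
    return None


def stateless_allows(attempt):
    """Port-and-direction filtering only, as in the article's tables."""
    return matching_filter(attempt) is not None


class TrackingFilter:
    """Same rows, plus a table of FTP control sessions opened from the LAN."""

    def __init__(self):
        self.ftp_sessions = set()  # (lan_host, remote_host); never expired here

    def allows(self, attempt):
        row = matching_filter(attempt)
        if row is None:
            return False
        if row.port == 21:
            self.ftp_sessions.add((attempt.lan_host, attempt.remote_host))
        if row.port == 20:
            # Accept data only from a server this LAN host sent a request to.
            return (attempt.lan_host, attempt.remote_host) in self.ftp_sessions
        return True


# Constructed sample traffic (documentation address ranges).
SAMPLE = (
    Attempt("out", "10.0.0.5", "192.0.2.10", 40001, 25),   # mail out
    Attempt("in", "10.0.0.2", "198.51.100.7", 40002, 25),  # mail in
    Attempt("in", "10.0.0.2", "198.51.100.7", 40003, 21),  # FTP control in
    Attempt("out", "10.0.0.5", "192.0.2.10", 40004, 23),   # Telnet, no row
    Attempt("out", "10.0.0.5", "192.0.2.10", 40005, 21),   # FTP control out
    Attempt("in", "10.0.0.5", "192.0.2.10", 20, 40006),    # data for that request
    Attempt("in", "10.0.0.9", "203.0.113.9", 20, 40007),   # port 20, no request
)


def compare(attempts=SAMPLE):
    """Return (stateless, tracked) decisions for each attempt, in order."""
    tracker = TrackingFilter()
    return [(stateless_allows(a), tracker.allows(a)) for a in attempts]


if __name__ == "__main__":
    for attempt, (plain, tracked) in zip(SAMPLE, compare()):
        print(f"{attempt.direction:>3} {attempt.remote_host:<13} "
              f"src={attempt.src_port:<5} dst={attempt.dst_port:<5} "
              f"stateless={plain!s:<5} tracked={tracked}")
```

Only the last sample row differs between the two filters: the port-only table accepts any inbound connection that comes from a remote port 20, while the tracking filter accepts it only after that LAN host opened a control connection to the same server.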


More information

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)

More information

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router 1. Installation and configuration guidelines for the router replacement This guideline served as a reference for schools which plan to replace the existing WebSAMS router by the recommended router, and

More information

87-01-30 Secure External Network Communications Lynda L. McGhie Payoff

87-01-30 Secure External Network Communications Lynda L. McGhie Payoff 87-01-30 Secure External Network Communications Lynda L. McGhie Payoff Large organizations must be able to communicate with external suppliers, partners, and customers. Implementation of bidirectional

More information

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Multi-State Information Sharing and Analysis Center (MS-ISAC) U.S.

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

CUSTOMER INFORMATION COMMZOOM, LLC PRIVACY POLICY. For additional and updated information, please visit our website at www.commzoom.com.

CUSTOMER INFORMATION COMMZOOM, LLC PRIVACY POLICY. For additional and updated information, please visit our website at www.commzoom.com. CUSTOMER INFORMATION COMMZOOM, LLC PRIVACY POLICY YOUR PRIVACY AS A COMMZOOM CUSTOMER As a customer of commzoom, LLC, you are entitled to know what we do with personal information about you that we receive.

More information

Introduction to Computer Networks and Data Communications

Introduction to Computer Networks and Data Communications Introduction to Computer Networks and Data Communications Chapter 1 Learning Objectives After reading this chapter, you should be able to: Define the basic terminology of computer networks Recognize the

More information

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts.

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts. Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS

More information

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8 Device Interface

More information

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Determine if the expectations/goals/strategies of the firewall have been identified and are sound. Firewall Documentation Develop background information about the firewall(s) in place: Segment diagrams Software Hardware Routers Version levels Host names IP addresses Connections Specific policies for

More information

PERSONAL FIREWALLS: FIREWALL PROTECTION FOR PCS AND HOME NETWORKS

PERSONAL FIREWALLS: FIREWALL PROTECTION FOR PCS AND HOME NETWORKS July WHITE 2001 PAPER PERSONAL FIREWALLS: FIREWALL PROTECTION FOR PCS AND HOME NETWORKS Today's always on cable modem and Digital Subscriber Line (DSL) Internet access connections offer unprecedented bandwidth

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Information Technology Acceptable Use Policies

Information Technology Acceptable Use Policies White Paper: Information Technology Acceptable Use Policies A practical guide for protecting IT assets from the largest single IT Security threat inappropriate use of IT services, including desktops, email,

More information

CYBER SECURITY POLICY For Managers of Drinking Water Systems

CYBER SECURITY POLICY For Managers of Drinking Water Systems CYBER SECURITY POLICY For Managers of Drinking Water Systems Excerpt from Cyber Security Assessment and Recommended Approach, Final Report STATE OF DELAWARE DRINKING WATER SYSTEMS February 206 Kash Srinivasan

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

AASTMT Acceptable Use Policy

AASTMT Acceptable Use Policy AASTMT Acceptable Use Policy Classification Information Security Version 1.0 Status Not Active Prepared Department Computer Networks and Data Center Approved Authority AASTMT Presidency Release Date 19/4/2015

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Using a Firewall General Configuration Guide

Using a Firewall General Configuration Guide Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Consensus Policy Resource Community. Lab Security Policy

Consensus Policy Resource Community. Lab Security Policy Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Data Security Systems Internal Control Questionnaire

Data Security Systems Internal Control Questionnaire Data Security Systems Internal Control Questionnaire I. GENERAL DATA SECURITY SYSTEM A. Does security system management: 1. Determine how access levels are granted? 2. Define when access is granted unless

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Standard: Network Security

Standard: Network Security Standard: Network Security Page 1 Executive Summary Network security is important in the protection of our network and services from unauthorized modification, destruction, or disclosure. It is essential

More information

Common Remote Service Platform (crsp) Security Concept

Common Remote Service Platform (crsp) Security Concept Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1 Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry

More information

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security and Electronic Communications Acceptable Use Policy (AUP) Policy No.: AUP v2.0 Effective Date: August 16, 2004 Revision Date: January 17, 2013 Revision No.: 1 Approval jwv / mkb Information Security and Electronic Communications (AUP) 1. INTRODUCTION Southwestern

More information

Firewalls. Steven M. Bellovin https://www.cs.columbia.edu/~smb. Matsuzaki maz Yoshinobu <maz@iij.ad.jp>

Firewalls. Steven M. Bellovin https://www.cs.columbia.edu/~smb. Matsuzaki maz Yoshinobu <maz@iij.ad.jp> Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki maz Yoshinobu 1 What s a Firewall? A barrier between us and the Internet All traffic, inbound or outbound, must pass

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

OHIO VALLEY EDUCATIONAL COOPERATIVE TECHNOLOGY ACCEPTABLE USE POLICY

OHIO VALLEY EDUCATIONAL COOPERATIVE TECHNOLOGY ACCEPTABLE USE POLICY OHIO VALLEY EDUCATIONAL COOPERATIVE TECHNOLOGY ACCEPTABLE USE POLICY 03.13211 Referenced by OVEC Policy Manual and OVEC Employee Handbook Version 2.0.0 2/12/2014 Section headings: 1. Introductory paragraph

More information

TekTalk WELCOME GUIDE

TekTalk WELCOME GUIDE TekTalk WELCOME GUIDE Follow these instructions for an accurate guide to your TekTalk hardware setup. 1 2 3 4 5 When first connecting TekTalk, connect the included Ethernet cable to an available Ethernet

More information

Lesson 24 Network Fundamentals

Lesson 24 Network Fundamentals Network Fundamentals Computer Literacy BASICS: A Comprehensive Guide to IC 3, 3 rd Edition 1 Objectives Describe a network. Explain the benefits of a network. Identify the risks of network computing. Describe

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Information Systems Security Assessment

Information Systems Security Assessment Physical Security Information Systems Security Assessment 1. Is the server protected from environmental damage (fire, water, etc.)? Ideal Answer: YES. All servers must be housed in such a way as to protect

More information

POLICY STATEMENT Commonwealth of Pennsylvania Department of Corrections

POLICY STATEMENT Commonwealth of Pennsylvania Department of Corrections POLICY STATEMENT Commonwealth of Pennsylvania Department of Corrections Policy Subject: Policy Number: Computer Forensic Investigations (CFI) 2.4.1 Date of Issue: Authority: Effective Date: August 28,

More information

Network Security Policy

Network Security Policy Network Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

GCSE Computing A451 Unit 6.1 Networks

GCSE Computing A451 Unit 6.1 Networks Candidates should be able to: a. Explain the advantages of networking stand-alone computers into a LAN b. Describe H/W needed to connect stand-alone computers into a LAN, including hub/switches, wireless

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information