- Doris Little
- 8 years ago
Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document highlights and identifies these responsibilities to help our customers operate in a defined and mutually understood environment.
Contents

1 Introduction
2 Document Disclaimer
3 Our Responsibilities
- Security of Data Centres
- Hardware Maintenance
- Security Testing of Our Infrastructure
- Maintaining Security Best Practices
- Confidentiality of Our Services and Infrastructure
- Integrity of Our Services and Infrastructure
- Availability of Our Services and Infrastructure
- Principle of Least Privilege
- Service Availability
- Secure Destruction of Data, Hardware, Removable Media
- Secure Data Communications on Our Networks
- Incident Management on Our Networks
- Internet Connections
- Change Management
- Notification of Planned Outages
- Denial of Service Attacks
- Managed Firewall and VPN Concentrator
4 Typical Infrastructure Management Responsibilities of Customers
- Software Installation and Build
- Firewall Between On-Premise and Off-Premise Networks
- Hardening of the Host Operating System
- Change Default System Settings, Usernames and Passwords
- Applying Service Packs, Security Patches and Software Updates
- Maintaining Infrastructure Optimization
- Testing/Quality Assurance of Applications and Services
- Event Logging
- Anti-virus and Anti-Malware Protection
- Backup
- Remote Administration and Maintenance
- Application and License Management
- Change Management
- Compliance with License Agreements, Local Legal and Regulatory Bodies
- Managing User Accounts
- Managing Passwords
- Operating System Failure
- First Line Support
- Customer Initiated Penetration Testing
- Managed Firewalls and VPN Concentrator
1 Introduction

Fasthosts is committed to building information security principles into everything it does and maintains or exceeds industry best practices. Fasthosts Dedicated and Virtual Servers are supplied on a Self-Managed basis. This document details the responsibilities of Fasthosts and its customers for infrastructure security within a Self-Managed service. It also offers recommendations on how customers can carry out these responsibilities.

2 Document Disclaimer

The customer using this document must be made aware that the contents of this document setting out the responsibilities of each party are shown as guidelines. This document is designed to demonstrate the typical and normal responsibilities of each party within an infrastructure-as-a-service (IaaS) or hosted environment, to ensure there is a clear understanding of responsibilities. This document cannot cater for every eventuality, so customers should use the guidelines as examples and for indicative and understanding purposes only.

Fasthosts wishes to ensure that the customer accepts and understands the variety and complexity of possible solutions and services that may be made available, and that it is not feasible to provide comprehensive guidance for all circumstances and individual customer requirements. It is the customer's responsibility to ensure that they seek clarity or additional advice before making any assumptions on the applicable responsibilities, as each customer's circumstances may be different. This may therefore necessitate a modified set of responsibility requirements to be specified, depending on the technical solution and products/services proposed. Fasthosts shall accept no responsibility for reliance on the guidelines or misinterpretations, and we recommend that the customer seeks prior clarification and advice from Fasthosts or an IaaS professional if they have queries or non-typical requirements, or require clarification on any related responsibility concern.
3 Our Responsibilities

Security of Data Centres

We are responsible for managing and protecting our Data Centres by:
- Conducting annual physical security reviews to ensure we adhere to policies and best practices
- Escorting visitors while they're in data centres and signing them in and out of facilities
- Restricting access to data centres with fences, gates, swipe-card-entry systems and role-based privileges
- Protecting facilities with out-of-hours security guards, CCTV monitoring and a reception that's manned 24/7/365
- Maintaining operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterruptible power supply) and redundant generators, which we test regularly
- Maintaining optimum environmental conditions in our data centres with air-conditioning systems, which we test regularly
- Providing fire detection and suppression systems, which we test regularly

Hardware Maintenance

We are responsible for maintaining optimum system performance in our data centres. How we maintain this performance differs depending upon the type of server you are using:

Virtual Private Servers
- Identifying and replacing faulty hardware

Dedicated Servers
- Providing hardware support and investigating issues at the request of customers
- Maintaining redundant hardware to transfer services to, in the unlikely event of an outage
- Monitoring business-critical hardware and resolving issues for customers

Security Testing of Our Infrastructure

We are responsible for testing the security of our infrastructure by:
- Conducting regular security tests on our infrastructure and managing the results of tests through incident/risk management processes to resolve issues quickly

Maintaining Security Best Practices

We are responsible for maintaining security best practices by:
- Utilising an Information Security Manager to manage and implement security standards and best practice
- Regularly reviewing policies and updating them to follow best practice
- Utilising an Information Security Steering Committee to approve and govern changes to policy
- Clearly and comprehensively training all staff on current information policies
- Maintaining clear disciplinary policies and procedures, which are outlined during employee inductions

Confidentiality of Our Services and Infrastructure

We strive to protect the confidentiality of customer data by preventing our employees from accessing data unless customers provide them with root/admin access. We also use the following to ensure confidentiality:
- Reliable and interoperable security processes and network security mechanisms
- Network security protocols
- Network authentication services
- Data encryption services
- Physical entry controls
- Additional hardening of internal operating systems, depending upon their role, importance and location within our network

Integrity of Our Services and Infrastructure

We strive to protect the integrity of customer data by preventing our employees from accessing it, and by using the following to ensure integrity:
- Multiple-level firewall services and network segmentation; access depends upon business requirements and the services being accessed
- Communications security management

Availability of Our Services and Infrastructure

We strive to maintain the availability of customer data by implementing redundant internet connections, power supplies, generators, network infrastructure and storage area network (SAN) disks. We also use the following to ensure availability:
- Role Based Access Control (RBAC)
- Redundant disk systems and internet connections
- Acceptable logins and operating process performance

Principle of Least Privilege

We ensure that only engineers who need access to servers, infrastructure and networks get it. Employees who don't have a business requirement to access these can't do so without authorization.

Service Availability

We are responsible for maintaining 99.99% availability for virtual private servers and 99.99% availability for dedicated servers.

Secure Destruction of Data, Hardware, Removable Media

We are responsible for securely destroying our data, hardware and removable media. We:
- Use accredited partners to securely destroy hardware such as hard disk drives and backup media
- Cleanse hard disks before reusing them and test samples to ensure data can't be recovered; we do this with software that adheres to HMG CESG standards

Secure Data Communications on Our Networks

We are responsible for maintaining secure communications in our private network by:
- Segmenting customers' networks to prevent unauthorized access
- Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic to customers' sites (VPN tunnelling and managed firewalls are only available via our Sales department)

Incident Management on Our Networks

We are responsible for managing incidents on our network by:
- Following ITIL-based management processes to deal with incidents
- Providing an incident manager who is on duty 24/7/365

Internet Connections

We are responsible for maintaining internet connections for servers by using multiple 10Gb/s connections to the Internet and diverse routing, to ensure that connectivity is not lost due to one failure.

Change Management

We are responsible for managing change associated with our infrastructure and minimising the impact to you wherever possible. We manage these changes by:
- Utilising a Change Manager who is responsible for change management processes
- Following ITIL-based change management processes
- Utilising a change management team to authorize change requests based upon role, location and importance in our network

Notification of Planned Outages

We are responsible for notifying customers of planned outages and endeavour to provide at least 24 hours' notice of planned outages. In the majority of cases, we will provide notice earlier than this.

Note: We may give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple customers.

Denial of Service Attacks

We are responsible for mitigating denial of service attacks from the Internet by:
- Reserving the right to remove service for the duration of an attack, or until we can deploy a compensating control, if an attack threatens our wider infrastructure

Managed Firewall and VPN Concentrator

We are responsible for initially configuring VPN concentrators and managed firewalls for customers. Our network engineers will initially configure systems for customers to meet the requirements defined by them. Once complete, we will transfer responsibility for these to customers.

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
4 Typical Infrastructure Management Responsibilities of Customers

Software Installation and Build

You are responsible for configuring servers to suit your requirements, including security policies. You can reset your servers to base configuration at any time. We provide our services with some elements pre-configured to enable them to work within our environment. We recommend that you:
- Apply hardening templates
- Restrict access over unused ports
- Disable unused features

We recommend that you consider the following questions when configuring your servers:
- How do you secure data at rest and in motion?
- Who has access to data?
- What is available to the outside world?
- What should be implemented to protect data held in your systems?
- What controls are necessary to uphold your information security policies?

Quick tip: You can find hardening best practice guides at

Firewall Between On-Premise and Off-Premise Networks

You are responsible for managing, implementing and adding firewalls between off-premise and on-premise networks. We recommend that you:
- Implement ingress and egress firewall policies at on-premise tunnel endpoints
- Configure firewalls to only allow the inbound and outbound ports and IP addresses needed for the services in the off-premise environment

Hardening of the Host Operating System

You are responsible for hardening your servers. We recommend you:
- Implement strong password controls, such as a minimum length of eight characters for passwords, which must include at least one upper case, one lower case and one numeric character
- Rename default administrator accounts, such as domain admin or root, with a meaningless value; add a complex password and store this in a safe location
- Create different accounts and apply limited privileges to these accounts for other users
- Create specific accounts for third parties (including Fasthosts) that expire after a short time
- If a third party has a shared privileged account, change the password or disable the account immediately after the third party completes their work

Change Default System Settings, Usernames and Passwords

You are responsible for changing default system settings and operating-system passwords. We recommend you:
- Implement different user profiles for people who access the server directly
- Use RBAC so that users can only access the services they need to do their jobs

Applying Service Packs, Security Patches and Software Updates

You are responsible for applying and configuring service packs, security patches and software updates to your servers. We recommend you:
- Disable unused services
- Configure a method to apply updates and security patches to servers

Maintaining Infrastructure Optimization

You are responsible for implementing any operating system configuration changes recommended by ourselves to optimise or secure your server on our infrastructure.

Best practice: You should update your server configuration in line with any revised best practices as recommended by ourselves and your own change management process.

Testing/Quality Assurance of Applications and Services

You are responsible for conducting functionality testing and quality assurance of applications and services on your servers. We recommend that you:
- Ensure you have a good backup or snapshot of servers before deploying updates or patches
- Ensure your services have sufficient capacity to cope with peak loads
- Deploy patches and updates regularly to minimize the impact if something goes wrong and make it easier to identify causes
- Test your applications after patches and updates to check they aren't affected

Event Logging

You are responsible for monitoring the logs of systems, applications and servers. We recommend you:
- Set up event logging to move logs onto a different server and analyse them for security-related events; this will help define the correct defences for your services
- Retain logs for a reasonable length of time, i.e. a minimum of one month but preferably a year

Anti-virus and Anti-Malware Protection

You are responsible for deploying and managing anti-virus and anti-malware for your servers. We recommend you:
- Install anti-malware software and configure it to auto-update, or to comply with your corporate anti-virus policies

Backup

You are responsible for arranging backup for your servers. It is also your responsibility to back up your data and test your backup systems. We recommend you:
- Back up data and implement a regime that allows you to recover your business in the event of a disaster
- Test your backup systems

Remote Administration and Maintenance

You are responsible for managing servers and firewalls provided by us via a remote access VPN portal. We recommend you:
- Conduct remote administration and maintenance securely; we can provide a secure remote access VPN to maintain servers and firewalls (only available via our Sales department)
- Do not expose management interfaces to the Internet or allow weak authentication controls

Application and License Management

You are responsible for maintaining applications to support your servers and for ensuring you have licenses for your applications. We recommend you:
- Ensure you have sufficient processes in place to maintain your applications

Change Management

You are responsible for managing change associated with your servers. We recommend you:
- Implement a change-management process; this will make it easier to identify reasons for a failure and restore systems

Compliance with License Agreements, Local Legal and Regulatory Bodies

You are responsible for ensuring compliance with license requirements and legal and regulatory bodies. We recommend you:
- Pay attention to local regulations that may affect you

Managing User Accounts

You are responsible for managing user accounts in line with your procedures. We recommend you:
- Create individual accounts for users who access your systems

Managing Passwords

You are responsible for managing passwords in line with your procedures. We recommend you implement strong password-management policies, for example:
- Password length is set between eight and 15 characters
- Force password change at first logon
- Enforce password expiry; the suggested maximum age is 45 days
- Enforce password history, preventing users from reusing their previous n passwords, where n is between 0 and 9

Operating System Failure

You are responsible for maintaining your operating systems. We recommend you:
- Employ appropriately skilled engineers to manage your servers

First Line Support

You are responsible for managing all first-line support issues. We recommend you:
- Provide first-line support and build processes to authenticate users who contact your service desks requesting access to your systems

Customer Initiated Penetration Testing

You are responsible for penetration testing. These responsibilities include:
- Obtaining authorization from ourselves and any other customers involved in testing. Customers MUST submit a request to test at least five working days before penetration testing or vulnerability scanning activity.
- Ensuring that only experienced employees or professional third-party consultancies conduct penetration tests and vulnerability scans
- Outlining details of penetration tests or vulnerability scans to ourselves. This must include:
  - Time frame for the test
  - Testing scope
  - IP addresses involved
  - Key contacts
- Getting third-party testing organizations to complete a Fasthosts non-disclosure agreement before testing or scanning
- Informing the Fasthosts Service Desk of test results that may adversely affect Fasthosts, such as denial of service
- Reporting vulnerabilities identified in the Fasthosts infrastructure

Important: We will suspend services of customers who do not comply with this.

Please note that if our support teams aren't aware that you are testing, it is likely that they will deploy mitigating controls and blocks to stop the attack.

Best practice: Conduct penetration tests or vulnerability scanning once Rise has deployed their services. This is to ensure that partners' configurations follow best practice and don't have any security weaknesses.

Managed Firewalls and VPN Concentrator

You are responsible for configuring your end of a VPN tunnel. We recommend you:
- Lock down firewall configurations and only allow the inbound and outbound ports and IP addresses the application requires

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
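The password controls recommended above under Hardening of the Host Operating System and Managing Passwords (8 to 15 characters with upper-case, lower-case and numeric characters, a forced change at first logon, a maximum age of 45 days, and a history of the previous n passwords with n between 0 and 9), combined into one checker. This is an added example, not Fasthosts code; the Account class, the history depth chosen as a default, and the sample passwords and dates are assumptions.

```python
"""Password-policy checker for the controls recommended in the document.
Added example, not Fasthosts code. Assumed parameters: length 8-15, at
least one upper-case, lower-case and numeric character, a history of n
previous passwords (0 <= n <= 9), maximum age 45 days, change at first logon.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import os

MIN_LEN, MAX_LEN = 8, 15           # "between eight and 15 characters"
MAX_AGE = timedelta(days=45)       # "suggested maximum age is 45 days"


def _hash(password: str, salt: bytes) -> bytes:
    # History is kept as salted PBKDF2 hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    history_depth: int = 5                  # n: assumed default, must be 0..9
    must_change: bool = True                # forces a change at first logon
    last_changed: Optional[date] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)

    def __post_init__(self) -> None:
        if not 0 <= self.history_depth <= 9:
            raise ValueError("history depth n must be between 0 and 9")


def complexity_errors(password: str) -> List[str]:
    """Return every complexity rule the candidate password breaks."""
    errs = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errs.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        errs.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        errs.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        errs.append("needs a digit")
    return errs


def reused(acct: Account, password: str) -> bool:
    """True if the candidate matches any of the remembered previous passwords."""
    return any(_hash(password, salt) == h for salt, h in acct.history)


def set_password(acct: Account, password: str, today: date) -> List[str]:
    """Apply a new password; returns the list of violations (empty = accepted)."""
    errs = complexity_errors(password)
    if reused(acct, password):
        errs.append(f"matches one of the last {acct.history_depth} passwords")
    if errs:
        return errs
    salt = os.urandom(16)
    acct.history.append((salt, _hash(password, salt)))
    # Keep only the n most recent entries (the current password counts as one).
    acct.history = acct.history[-acct.history_depth:] if acct.history_depth else []
    acct.last_changed = today
    acct.must_change = False
    return []


def change_required(acct: Account, today: date) -> bool:
    """True at first logon, or once the password is older than MAX_AGE."""
    if acct.must_change or acct.last_changed is None:
        return True
    return today - acct.last_changed > MAX_AGE
```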
Security Whitepaper NetTec NSI provides a leading SaaS-based managed services platform that to efficiently backup, monitor, and troubleshoot desktops, servers and other endpoints for businesses. Our comprehensive
More informationTable of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.
FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer
More informationTEXAS AGRILIFE SERVER MANAGEMENT PROGRAM
TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationRSA Authentication Manager 7.1 Security Best Practices Guide. Version 2
RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
More informationHosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com
Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationnwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
More informationCLOUD SERVICES (INFRASTRUCTURE) SERVICE TERMS PART C - INFRASTRUCTURE CONTENTS
CONTENTS 1 ABOUT THIS PART... 2 2 GENERAL... 2 3 CLOUD INFRASTRUCTURE... 2 4 TAILORED INFRASTRUCTURE... 3 5 COMPUTE... 3 6 SECURITY... 9 TELSTRA GLOBAL. Cloud Services (Infrastructure) Part C updated as
More informationSecurity Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1
JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us
More informationAltus UC Security Overview
Altus UC Security Overview Description Document Version D2.3 TABLE OF CONTENTS Network and Services Security 1. OVERVIEW... 1 2. PHYSICAL SECURITY... 1 2.1 FACILITY... 1 ENVIRONMENTAL SAFEGUARDS... 1 ACCESS...
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationc) Password Management The assignment/use of passwords is controlled in accordance with the defined Password Policy.
Responsible Office: Chief Information Officer Pages of these Procedures 1 of 5 Procedures of Policy No. (2) - 1. User Access Management a) User Registration The User ID Registration Procedure governs the
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationSecurity Best Practice
Security Best Practice Presented by Muhibbul Muktadir Tanim mmtanim@gmail.com 1 Hardening Practice for Server Unix / Linux Windows Storage Cyber Awareness & take away Management Checklist 2 Hardening Server
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationGiftWrap 4.0 Security FAQ
GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationvcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationSophos Enterprise Console Help. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise
More informationSetting Up Scan to SMB on TaskALFA series MFP s.
Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More informationSummary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)
Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed
More informationWhy SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?
SaaS vs. COTS Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? Unlike COTS solutions, SIMCO s CERDAAC is software that is offered as a service (SaaS). This offers several
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationMusic Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
More informationBirst Security and Reliability
Birst Security and Reliability Birst is Dedicated to Safeguarding Your Information 2 Birst is Dedicated to Safeguarding Your Information To protect the privacy of its customers and the safety of their
More informationAPPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
More informationNERC CIP Whitepaper How Endian Solutions Can Help With Compliance
NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in
More informationLevel I - Public. Technical Portfolio. Revised: July 2015
Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationCYBER SECURITY POLICY For Managers of Drinking Water Systems
CYBER SECURITY POLICY For Managers of Drinking Water Systems Excerpt from Cyber Security Assessment and Recommended Approach, Final Report STATE OF DELAWARE DRINKING WATER SYSTEMS February 206 Kash Srinivasan
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More information