1 Introduction 2. 2 Document Disclaimer 2

Size: px
Start display at page:

Download "1 Introduction 2. 2 Document Disclaimer 2"

Transcription

1 Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document highlights and identifies these responsibilities to help our customers operate in a defined and mutually understood environment. P a g e 0

2 1 Introduction 2 2 Document Disclaimer 2 3 Our Responsibilities Security of Data Centre s Hardware Maintenance Security Testing of Our Infrastructure Maintaining security best practices Confidentiality of Our Services and Infrastructure Integrity of Our Services and Infrastructure Availability of Our Services and Infrastructure Principal of Least Privilege Service Availability Secure Destruction of Data, Hardware, Removable Media Secure Data Communications on Our Networks Incident Management on Our Networks Internet Connections Change Management Notification of Planned Outages Denial of Service Attacks Managed Firewall and VPN Concentrator 5 4 Typical Infrastructure Management Responsibilities of Customers Software Installation and Build Firewall Between On-Premise and Off-Premise Networks Hardening of the Host Operating System Change Default System Settings, Usernames and Passwords Applying Service Packs, Security Patches and Software Updates Maintaining Infrastructure optimization Testing/Quality Assurance of Applications and Services Event Logging Anti-virus and Anti-Malware Protection Backup Remote Administration and Maintenance Application and License Management Change Management Compliance with License Agreements, Local Legal and Regulatory Bodies Managing User Accounts Managing Passwords Operating System Failure First Line Support Customer Initiated Penetration Testing Managed Firewalls and VPN Concentrator 9 P a g e 1

3 guidelines as examples and for indicative and understanding purposes only. Fasthosts is committed to building informationsecurity principles into everything it does and maintains or exceeds industry best practices. Fasthosts Dedicated and Virtual Servers are supplied on a Self-Managed basis. This document details the responsibilities of Fasthosts and its customers for infrastructure security within a Self-Managed service. It also offers recommendations on how customers can carry out these responsibilities. The customer using this document must be made aware that the contents of this document setting out the responsibilities of each party are shown as guidelines. This document is designed to demonstrate the typical and normal responsibilities of each party within an infrastructure-as-a-service (IaaS) or hosted environment to ensure there is a clear understanding of responsibilities. This document cannot cater for every eventuality so customers should use the Fasthosts wishes to ensure that the customer accepts and understands the variety and complexity of possible solutions and services that may be made available and that it is not feasible to provide comprehensive guidance for all circumstances and individual customer requirements. It is the customers responsibility to ensure that they seek clarity or additional advice before making any assumptions on the applicable responsibilities as each customers circumstances may be different. This may therefore necessitate a modified set of responsibility requirements to be specified depending on the technical and products / services proposed. Fasthosts shall accept no responsibility for reliance on the guidelines or misinterpretations and we recommend that the customer seeks prior clarification and advice from Fasthosts or an IaaS professional if they have queries or nontypical requirements or require clarification on any related responsibility concern. P a g e 2

4 Virtual Private Servers We are responsible for managing and protecting our Data Centres by: Conducting annual physical security reviews to ensure we adhere with policies and best practices Escorting visitors while they re in data centres and signing them in and out of facilities Restricting access to data centres with fences, gates, swipe-card-entry systems and role-based privileges Protecting facilities with out-of-hours security guards CCTV monitoring and a reception that s manned 24/7/365 Maintaining operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterrupted power supply) and redundant generators, which we test regularly. Maintaining optimum environmental conditions in our data centres with airconditioning systems, which we test regularly. Providing fire detection and suppression systems, which we test regularly. We are responsible for maintaining optimum system performance in our data centres. How we maintain this performance differs depending upon the type of server you are using: Dedicated Servers Providing hardware support and investigating issues at the request of customers Maintaining redundant hardware to transfer services to; in the unlikely event of an outage Monitoring business-critical hardware and resolving issues for customers We are responsible for testing the security of our infrastructure by: Conducting regular security tests on our infrastructure and managing the results of tests through incident/risk management processes to resolve issues quickly. We are responsible for maintaining security best practices by: Utilising an Information Security manager to manage and implement security standards and best practice. Regularly reviewing policy s and updating them to follow best practice Utilising an Information Security Steering committee to approve and govern changes to policy Clearly and comprehensively train all staff on current information policies. Maintain clear disciplinary policy s and procedures which it outlines during employee inductions. Identifying and replacing faulty hardware. We strive to protect, the confidentiality of customer data by preventing our employees P a g e 3

5 from accessing data unless customers provide them with root / admin access. We also use the following to ensure confidentiality: Reliable and interoperable security processes and network security mechanisms. Network security protocols Network authentication services Data encryption services Physical entry controls Additional hardening of internal operating systems depending upon their role, importance and location within our network. We ensure that only engineers who need access to servers, infrastructure and networks get it. Employees who don t have a business requirement to access these can t do so without authorized personnel. We strive to protect, the integrity of customer data by preventing our employees from accessing it and using the following to ensure integrity: Multiple level Firewall services and network segmentation. Access depends upon business requirements and the services being accessed. Communications security management We strive to maintain the availability of customer data by implementing redundant internet connections, power supplies, generators, network infrastructure and storage area network (SAN) disks. We will also use the following to ensure availability: Role Based Access Control (RBAC) Redundant disk systems and internet connections Acceptable logins and operating process performance We are responsible for maintaining 99.99% availability for virtual private servers and 99.99% availability for dedicated servers. We are responsible for securely destroying our data, hardware and removable media and use accredited partners to securely destroy hardware such as hard disk drives and backup media. Cleanse hard disks before reusing them and test samples to ensure data can t be recovered. The company does this with software that adheres to HMG CESG standards. We are responsible for maintaining secure communications in our private network by: Segmenting customers networks to prevent unauthorized access. Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic to customers sites. (VPN Tunnelling and Managed firewalls only available via our sales department) P a g e 4

6 We are responsible for managing incidents on our network by: Note: We may give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple customers. Following ITIL-based management processes to deal with incidents. Providing an on duty incident manager, who is on duty 24/7/365. We are responsible for maintaining internet connections for servers by using multiple 10Gb/s connections to the Internet and diverse routing to ensure that connectivity is not lost due to one failure. We are responsible for managing change associated with our infrastructure and minimising the impact to yourself wherever possible. We manage these changes by: Utilising a Change Manager who is responsible for change management processes We are responsible for mitigating denial of service attacks from the Internet by Reserving the right to remove service for the duration of an attack, or until we can deploy a compensating control, if an attack threatens our wider infrastructure. We are responsible for initially configuring VPN concentrators and managed firewalls for customers. Our network engineers will initially configure systems for customers. This will meet the requirements defined by customers. Once complete, We will transfer responsibility for these to customers. Following ITIL-based change management processes Utilizing a change management team to authorize change requests based upon role, location and importance in our network Note: Managed Firewalls and VPN connectors are only available though our Sales department and cannot be purchased through your control panel. We are responsible for notifying customers of planned outages and endeavour to provide at least 24 hours notice of planned outages. In the majority of cases, we will provide notice earlier than this. P a g e 5

7 You are responsible for configuring servers to suit your requirements, including security policies. You can reset your servers to base configuration at any time. We provide our services with some elements pre-configured to enable them to work within our environment. Quick tip: You can find hardening best practice guides at We recommend that you: Apply hardening templates. Restrict access over unused ports. We recommend that you consider the following questions when configuring your servers: Disable unused features. How do you secure data at rest and in motion? Who has access to data? What is available to the outside world? What should be implemented to protect data held in your systems? What controls are necessary to uphold your information security policies? You are responsible for changing default system settings or operating-system passwords. We recommend you: Implement different user profiles for people who access the server directly. Use RBAC so that users can only access the services they need to do their jobs. You are responsible for managing, implementing and adding firewalls between off-premise and on-premise networks. We recommend that you: implement ingress and egress firewall policies at on-premise tunnel endpoints. Configure firewalls to only allow in and out bound ports and IP addresses for the services in the off-premise environment. You are responsible for hardening your servers. Implement strong password controls, such as a minimum length of eight characters for passwords, which must include at least one upper case, lower case and numeric character. Rename default administrator accounts, such as domain admin or root, with a meaningless value. Add a complex password and store this in a safe location. Create different accounts and apply limited privileges to these accounts for other users. Create specific accounts for third parties (including Fasthosts) that expire after a short time. If a third party has a shared privileged account, change the password or disable the account immediately after the third party completes their work. P a g e 6

8 You are responsible for applying and configuring service packs, security patches and software updates to your servers. We recommend you: Disable unused services, Configure a method to apply updates and security patches to servers. You are responsible for implementing any Operating system configuration changes recommended by ourselves to optimise or secure your server on our infrastructure. Best Practice: You should update your server configuration in line with any revised best practices as recommended by ourselves and your own change management process. You are responsible for monitoring the logs of systems, applications and servers. We recommend you: Set up event logging to move logs onto a different server and analyses them for security-related events. This will help define the correct defences for their services. Retain logs for a reasonable length of time i.e. minimum of one month but preferably a year. You are responsible for deploying and managing anti-virus and anti-malware for your servers. We recommend you: Install anti-malware software and configure it to auto update or comply with your corporate antivirus policies. You are responsible for conducting functionality testing and quality assurance of applications and services on your servers. We recommend that you: Ensure you have a good backup or snapshot of servers before deploying updates or patches. You are responsible for arranging backup for your servers. It is also your responsibility to back up your data and test your backup systems. We recommend you: Back up data and implement a regime that allows you to recover their business in the event of a disaster. Test your backup systems. Ensure your services have sufficient capacity to cope with peak loads. Deploy patches and updates regularly to minimize the impact if something goes wrong and make it easier to identify causes. Test your applications after patches and updates to check they aren t affected. You are responsible for managing servers and firewalls provided by us via remote access VPN portal. We recommend you: Conduct remote administration and maintenance securely. We can provide a secure P a g e 7

9 remote access VPN to maintain servers and firewalls. (Only available via our Sales department) Do not expose management interfaces to the Internet or allow weak authentication controls. You are responsible for managing passwords in line with your procedures. We recommend you: implement strong password-management policies, for example: Password length is set between eight and 15 characters. You are responsible for maintaining applications to support their servers and for ensuring you have licenses for your applications. We recommend you: Ensure you have sufficient processes in place to maintain your applications. Force password change at first logon. Enforce password expiry. Enforce password history; preventing users from reusing their previous n passwords, where n is between 0 and 9. Enforce password expiry- suggested maximum age is 45 days. You are responsible for managing change associated with their servers. We recommend you: Implement a change-management process. This will make it easier to identify reasons for a failure and restore systems. You are responsible for maintaining your operating systems. We recommend you: Employ appropriately skilled engineers to manage your servers. You are responsible for managing all first-line support issues. We recommend you: You are responsible for ensuring compliance with license requirements and legal and regulatory bodies. We recommend you: Provide first-line support and build processes to authenticate users who contact your service desks requesting access to your systems. Pay attention to local regulations that may affect you. You are responsible for managing user accounts in line with your procedures. We recommend you: Create individual accounts for users who access their systems. You are responsible for penetration testing. These responsibilities include: Obtaining authorization from ourselves and any other customers involved in testing. Customers MUST submit a request to test at least five working days before penetration testing or vulnerability scanning activity. P a g e 8

10 Important: We will suspend services of customers who do not comply with this. Ensuring that only experienced employees or professional third-party consultancies conduct penetration tests and vulnerability scans. Outlining details of penetration tests or vulnerability scans to ourselves. This must include: will deploy mitigating controls and blocks to stop the attack. Best practice: Conduct penetration tests or vulnerability scanning once Rise has deployed their services. This is to ensure that partners configurations follow best practice and don t have any security weaknesses o o o Time frame for the test. Testing scope. IP addresses involved. You are responsible for configuring your end of a VPN tunnel. We recommend you: o Key contacts. Getting third-party testing organizations to complete a Fasthosts non-disclosure agreement before testing or scanning. Informing the Fasthosts Service Desk of test results that may adversely affect Fasthosts, such as denial of service. Reporting vulnerabilities identified in the Fasthosts infrastructure. Lock down firewall configurations and only allow the in and out bound ports and IP addresses the application requires. Note: Managed Firewalls and VPN connectors are only available though our Sales department and cannot be purchased through your control panel. Please note that if our support teams aren t aware that you are testing, it is likely that they P a g e 9

CONTENTS. PCI DSS Compliance Guide

CONTENTS. PCI DSS Compliance Guide CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

Table of Contents. Page 1 of 6 (Last updated 30 July 2015) Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Security Whitepaper: ivvy Products

Security Whitepaper: ivvy Products Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)

How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud) SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

Vendor Questionnaire

Vendor Questionnaire Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining

More information

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9 Security CLOUD VIDEO CONFERENCING AND CALLING Whitepaper October 2015 Page 1 of 9 Contents Introduction...3 Security risks when endpoints are placed outside of firewalls...3 StarLeaf removes the risk with

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

RL Solutions Hosting Service Level Agreement

RL Solutions Hosting Service Level Agreement RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

Guardian365. Managed IT Support Services Suite

Guardian365. Managed IT Support Services Suite Guardian365 Managed IT Support Services Suite What will you get from us? Award Winning Team Deloitte Best Managed Company in 2015. Ranked in the Top 3 globally for Best Managed Service Desk by the Service

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Secure, Scalable and Reliable Cloud Analytics from FusionOps White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

DATA SECURITY POLICY. Data Security Policy

DATA SECURITY POLICY. Data Security Policy Data Security Policy Contents 1. Introduction 3 2. Purpose 4 3. Data Protection 4 4. Customer Authentication 4 5. Physical Security 5 6. Access Control 6 7. Network Security 6 8. Software Security 7 9.

More information

CONTENTS. Security Policy

CONTENTS. Security Policy CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term

More information

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

New Systems and Services Security Guidance

New Systems and Services Security Guidance New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes 0.1 29/05/2012 Donna Waymouth First draft 0.2 21/06/2012 Donna Waymouth Update re certificates

More information

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 Table of Contents 1. Operational Security 2. Physical Security 3. Network

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

DiamondStream Data Security Policy Summary

DiamondStream Data Security Policy Summary DiamondStream Data Security Policy Summary Overview This document describes DiamondStream s standard security policy for accessing and interacting with proprietary and third-party client data. This covers

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

White Paper. BD Assurity Linc Software Security. Overview

White Paper. BD Assurity Linc Software Security. Overview Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about

More information

Our Cloud Offers You a Brighter Future

Our Cloud Offers You a Brighter Future Our Cloud Offers You a Brighter Future Qube Global Software Cloud Services are used by many diverse organisations including financial institutions, international service providers, property companies,

More information

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity) PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Security Whitepaper. NetTec NSI Philosophy. Best Practices

Security Whitepaper. NetTec NSI Philosophy. Best Practices Security Whitepaper NetTec NSI provides a leading SaaS-based managed services platform that to efficiently backup, monitor, and troubleshoot desktops, servers and other endpoints for businesses. Our comprehensive

More information

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility. FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer

More information

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State

More information

How To Protect Research Data From Being Compromised

How To Protect Research Data From Being Compromised University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

CLOUD SERVICES (INFRASTRUCTURE) SERVICE TERMS PART C - INFRASTRUCTURE CONTENTS

CLOUD SERVICES (INFRASTRUCTURE) SERVICE TERMS PART C - INFRASTRUCTURE CONTENTS CONTENTS 1 ABOUT THIS PART... 2 2 GENERAL... 2 3 CLOUD INFRASTRUCTURE... 2 4 TAILORED INFRASTRUCTURE... 3 5 COMPUTE... 3 6 SECURITY... 9 TELSTRA GLOBAL. Cloud Services (Infrastructure) Part C updated as

More information

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1 JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us

More information

Altus UC Security Overview

Altus UC Security Overview Altus UC Security Overview Description Document Version D2.3 TABLE OF CONTENTS Network and Services Security 1. OVERVIEW... 1 2. PHYSICAL SECURITY... 1 2.1 FACILITY... 1 ENVIRONMENTAL SAFEGUARDS... 1 ACCESS...

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

c) Password Management The assignment/use of passwords is controlled in accordance with the defined Password Policy.

c) Password Management The assignment/use of passwords is controlled in accordance with the defined Password Policy. Responsible Office: Chief Information Officer Pages of these Procedures 1 of 5 Procedures of Policy No. (2) - 1. User Access Management a) User Registration The User ID Registration Procedure governs the

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Security Best Practice

Security Best Practice Security Best Practice Presented by Muhibbul Muktadir Tanim mmtanim@gmail.com 1 Hardening Practice for Server Unix / Linux Windows Storage Cyber Awareness & take away Management Checklist 2 Hardening Server

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

GiftWrap 4.0 Security FAQ

GiftWrap 4.0 Security FAQ GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

Setting Up Scan to SMB on TaskALFA series MFP s.

Setting Up Scan to SMB on TaskALFA series MFP s. Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? SaaS vs. COTS Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? Unlike COTS solutions, SIMCO s CERDAAC is software that is offered as a service (SaaS). This offers several

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Birst Security and Reliability

Birst Security and Reliability Birst Security and Reliability Birst is Dedicated to Safeguarding Your Information 2 Birst is Dedicated to Safeguarding Your Information To protect the privacy of its customers and the safety of their

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

CYBER SECURITY POLICY For Managers of Drinking Water Systems

CYBER SECURITY POLICY For Managers of Drinking Water Systems CYBER SECURITY POLICY For Managers of Drinking Water Systems Excerpt from Cyber Security Assessment and Recommended Approach, Final Report STATE OF DELAWARE DRINKING WATER SYSTEMS February 206 Kash Srinivasan

More information

e-governance Password Management Guidelines Draft 0.1

e-governance Password Management Guidelines Draft 0.1 e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information