Intel Enhanced Data Security Assessment Form
Supplier Name:
Address:
Respondent Name & Role:
Signature of responsible party:
Role:

By placing my name in the box above I am acknowledging that I am authorized to agree on behalf of the Supplier named, and do agree to meet the requirements outlined. Any items that are out of scope or that the Supplier cannot meet are identified below.

Areas that are out of scope or that are not met:

Support Location:
Contact Number:
Name:
Date: /

Supplier Profile:
- What is your organization's main business function:
- What function(s) does your organization perform for Intel:
- What is your organization's maturity level in provision of this function:
- Is there anything you need from the Intel Information Risk and Security organization:
- Is an industry standard accreditation issued by ISO27001, PCI DSS, or an independent audit (SSAE-16 or ISAE-3402 audit report or equivalent) available?

Supplier Instructions:
This document should be reviewed by the Corporate Chief Information Security Officer or the person responsible for Information Security for the organization. Intel's data protection strategy is to perform a due diligence assessment of data protection controls regardless of location. Your assistance in achieving this goal is greatly appreciated. In addition to meeting the Intel Supplier Security Requirements and Expectations (SSRE), your feedback will be used to assist in the assessment process. Intel requires all suppliers to identify any potential risk associated with this engagement. Therefore a response from your organization is required regarding the controls listed herein. Please provide feedback identifying which controls are comprehended within your environment by answering the questions related to the controls listed below. In the comment section, please provide additional control detail for items answered No or NA, and include any compensating mitigation controls for items where requested.
This includes changes requested by the Intel Business Contact you support. Additional reviews may be required if this is an Offsite Design Center (ODC).
Rev. 5.0
Once you have reviewed the completed document, please send a copy to the Intel Business Contact working with you, who will work with Intel Security to complete the assessment process.

1.0 Security Policy
Do you have a documentation process for any out-of-policy exceptions which would affect or override your security policies, and is it subject to management review?
  If No or NA - Please explain any mitigating controls:
  If Yes - Is the process based on a formal risk assessment? (Y/N)
Are all employees and 3rd party sub-contractors who have access to Intel information and assets trained in the appropriate policies related to the activities performed?
  If Yes - How often?
  If No or NA - Please explain any mitigating controls:

2.0 Organizing Information Security
Do you have a non-disclosure agreement on file with Intel?
  If Yes - Which one: CNDA / RSNDA / RSNDA Special Purpose / RUNDA / IPL / Other
  Please provide the NDA Agreement Number(s) if available:
  If No or Other - Please explain / provide details:
Are there any 3rd party contractors who will have access to Intel information or assets?
  If Yes - Can you provide a list of those contractors if needed?
  If No or NA - Please explain / provide details:
3.0 Asset Management
Do you have training and awareness programs for employees and contractors on data classification and acceptable use of assets?
  If Yes - How often is a training refresh required?
Is all Intel data, electronic and hard copy, labeled with its Intel data classification?
  If No or NA - Please explain / provide details:
Do you have a documented list of assets (with owners identified) used to manage Intel information?
  If Yes - How often is access to information and information processing assets reviewed and updated?
  If No or NA - Please explain / provide details:

4.0 Human Resources Security
Does the supplier maintain a security standard which limits access for company employees to the minimum necessary to perform their job?
  If Yes - How often is access to information and information processing assets reviewed and updated?
  If No or NA - Please explain / provide details:
Do contracts with third parties include responsibilities for the appropriate handling of information, use of information assets, and handling of information from other companies or external parties?
Are security and privacy requirements included in sub-contractor agreements?
  If No or NA - Please explain / provide details:
Does the supplier have a last-day office procedure which terminates all access to supplier systems when an employee, contractor or subcontractor terminates their relationship?
  If No or NA - Please explain / provide details:

5.0 Physical and Environmental Security
Is the Data Center location identifiable by either building or room labeling signs or on evacuation maps?
  If No or NA - Please explain / provide details:
Please describe the security controls that have been implemented to control access to the data center where Intel information is managed:
Do the walls extend true floor to ceiling, or are there additional controls such as motion detectors?
Are phone and power cables secured, including tamper-proof monitoring for intrusion, and is phone equipment housed in a secure room with managed access control?
Are installation and default passwords removed from all equipment?
Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?
If required, can you provide physical separation of any Intel assets to limit access to those who require it?
  If Yes - Please describe how this would be managed:
Does the facility have 24x7 intrusion detection?
  If Yes - Do you respond to security alarm activation by following a documented response process that includes documenting the incident response?
Are you willing to permit on-site risk assessments or site inspections if adequate notice is provided by Intel?
  If No or NA - Please explain / provide details:
Is janitorial staff access governed by the visitor policy?
  If No or NA - Please explain / provide details:

6.0 Communications and Operations Management
Do the operating procedures specify detailed instructions for each job, including: processing and handling of information; backup; error handling; support contacts; system restart and recovery procedures for use in the event of system failure; and the management of audit-trail and system log information?
Are back-ups taken at prescribed intervals and stored in a remote location away from the main site?
  If Yes - Are back-ups tested at regular intervals to ensure integrity?
Are back-ups encrypted during transit and storage to prevent unintended access?
  If Yes - Please describe the encryption method used:
Are development and test systems isolated from the production environment / network?
Is production data isolated from the development and test systems?
  If No or NA - Please explain / provide details:
Do you maintain separation of duties, or implement alternate mitigating controls, between and within the following functional areas?
  - Information Systems End-Users (Y/N)
  - System (Platform) Administration (Y/N)
  - Network Administration (Y/N)
  - Application/Systems Development (Y/N)
  - Production Support & Maintenance (Y/N)
  - Security Administration (Y/N)
  - Security Audit (Y/N)
  If No or NA - Please explain / provide details:
Do you have a procedure for the handling and storage of information to protect it from unauthorized disclosure or misuse, including the disposal of data and assets?
  If Yes - Please describe your process for securely disposing of assets, including hard drives, tapes, writable media such as CDs or DVDs, portable memory devices such as USB drives and memory sticks, and hand-held computing devices, smart phones or mobile computing devices, when no longer required:
Do you encrypt data in storage using a public / private key managed system with an industry-recognized strong encryption algorithm?
  If Yes - Please describe your encryption methodology:
  If No - Please describe the mitigating controls that are deployed to address the risks:
Do you have security controls that ensure the data is encrypted at rest (in the database), inter-module (between software modules) and to the end-user (SSL), and that data access by the user can only be maintained via multifactor authentication?
  If Yes - Please describe your encryption methodology:
  If No - Please describe the mitigating controls that are deployed to address the risks:
Do you have security controls in place to prevent interception by sniffing or other detection methods?
  If Yes - Please describe the security controls:
Are you providing e-commerce functionality (payment or debit card processing) for Intel or on behalf of Intel?
  If Yes - Are you PCI certified?
    If No - Please describe the controls used:
  If No or NA - Please explain / provide details:
How often do you review third party logs and processes?
  If No or NA - Please explain / provide details:
7.0 Access Control
Does the password reset process have controls that ensure only the authorized user can request a password reset?
  If Yes - Does the reset process verify the account holder by sending a confirming ___?
  If Yes - Does the password communication contain the account name for the logon?
  If No or NA - Please explain / provide details:
Does your organization allow tele-working?
  If Yes - Please describe the security controls required:
Are laptops and mobile devices used for support?
Is HDD password usage enforced?
  If Yes - Please describe how it is enforced:
Do you have a clear desk / screen policy in place?
  If Yes - Please describe how it is enforced:
  If No or NA - Please explain / provide details:
Have you engaged with the Intel engineering services team?
  If No or NA - Please explain / provide details:
Are Intrusion Detection Systems in place and configured to provide data, on demand, to identify sources of what could be a potential attack/intrusion at the network perimeter?
Does all equipment have the installation or default passwords removed?
  If No or NA - Please explain / provide details:
Is Intel data logically and physically separated from other data?
  If No - Please describe the mitigation in place to protect Intel data:
  If No or NA - Please explain / provide details:
Are all system security and event logs reviewed regularly for anomalies, and in the event of an incident are audit trails available to assist investigations?
  If No or NA - Please explain / provide details:
Are processes in place to notify Intel of incidents and to manage the risks appropriately?
  If No or NA - Please explain / provide details:
8.0 Information Systems Acquisition, Development and Maintenance
Are processes in place to protect data processed by an application, as well as the integrity and availability of services provided by the application, including:
  - Live or production data used for testing?
  - Use of built-in access controls, security auditing features, fail-over features, etc.?
  - Authentication, encryption, etc.?
  - Regulatory, legislative, privacy policies and procedures that the data owners and developers must comply with?
  - Safeguards against attacks (e.g. sniffing, password cracking, defacing, back-door exploits)?
  - Secured databases as well as the applications and servers on which they reside?
  - Separation of databases and applications on different servers?
  - Requiring secure interfaces between applications (examples: HTTPS / SSL / SSH)?
  - No harvesting of account passwords by applications or allowing saving of passwords stored as cookies?
  If No or NA - Please explain / provide details:

9.0 Information Security Incident Management
Do you have a documented procedure for security incident management?
  If No or NA - Please explain / provide details:
10.0 Business Continuity Management
In an event that is major and very disruptive, does the disaster recovery plan include the following steps to be taken:
  - Identification of mission or business critical functions, and recovery or continuity plans to match Intel's defined SLA?
  - Identification of the resources that support these functions?
  - Contingency and disaster planning strategies?
  - Periodic testing and revision where necessary?
  - Documentation and communication of ownership and responsibilities provided to Intel?
  If No or NA - Please explain / provide details:

11.0 Compliance
Do you have a Purpose of Collection, Notice, and Complaint Management:
For applications where an individual enters Sensitive Personal Information (banking information, credit card information, government ID, health information, life style preferences), a supplemental privacy notice must exist on each page where that information is collected, and be easy to find, read, and understand by the individual using the application. It must clearly state the purpose of information collection, and how it is protected, used and retained. It must also include the link to the Intel Online Privacy Notice Summary, which is available in many languages. The Notice includes information on how to get in contact with Intel to submit a complaint.
If handling credit card data - Is your system PCI DSS certified, and will you provide the certification?
  If No - Please describe any alternate controls or mitigation available:
Do you have any external accreditation or certification that can be shared with Intel (e.g. ISO27001 or SSAE-16 Type II)?
  If Yes - What are they?
Will you permit Intel to perform on-site risk assessments if adequate notice is provided?
  If No - Please describe why they are not permitted:
Does the supplier / vendor selection and management program include a vendor certification for data protection that meets regulatory controls (based on industry standards) and regulatory and legislative requirements?
  If Yes - Please describe your vendor selection process:
  If No or NA - Please explain / provide details:

12.0 Virtualization and Cloud Services
Can your Cloud Service provide dedicated hardware or instances for Intel usage?
  If No or NA - Please explain / provide details:
Where physical and logical separation of data classified greater than Intel Confidential is not possible, strong storage encryption must be used. Encryption keys must be managed separately from the cloud service platform in which the data is stored and must be controlled by the Intel tenant, and procedures must be in place to guard against insider privileged abuse or to enable the tenant to exclusively manage the keys.
Are encryption keys used in Cloud Services physically separate from the data and capable of being controlled by Intel?
  If No or NA - Please explain / provide details:
Do you provide a dashboard showing the cloud service provider's security compliance and status (demonstrating compliance with industry security standards and agreed-upon security service level agreements)?
  If No or NA - Please explain / provide details:
More informationTELEFÓNICA UK LTD. Introduction to Security Policy
TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationTHE BLUENOSE SECURITY FRAMEWORK
THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program
More informationISO 27001 COMPLIANCE WITH OBSERVEIT
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
More informationHIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations
HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards
More informationWhite Paper How Noah Mobile uses Microsoft Azure Core Services
NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationLauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.
Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationCONTENTS. Security Policy
CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationPROTECTING YOUR VOICE SYSTEM IN THE CLOUD
PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationAn Introduction to HIPAA and how it relates to docstar
Disclaimer An Introduction to HIPAA and how it relates to docstar This document is provided by docstar to our partners and customers in an attempt to answer some of the questions and clear up some of the
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationNETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL.
NETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL. Your Credit Union information is irreplaceable. Data loss can result
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationTechnical Standards for Information Security Measures for the Central Government Computer Systems
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
More informationInformation Security Policy
Information Security Policy Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers...
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationBMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationWHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
More informationPrivacy + Security + Integrity
Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationDEVELOPING A CYBERSECURITY POLICY ARCHITECTURE
TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar
More informationMemorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000.
U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationSecuring Personal Information: A Self-Assessment Tool for Organizations
March, 2012 Securing Personal Information: A Self-Assessment Tool for Organizations Office of the Information & Privacy Commissioner for British Columbia Protecting privacy. Promoting transparency. Introduction
More information