Response to Questions: Security Systems Assessment RFQ
Response to Questions
Security Systems Assessment RFQ
Posted October 1, 2015

About This Document
This document answers all of the questions received as of September 15. Questions received after that date will not be answered. Questions are listed exactly as they were received. Language that includes personal or organization identifiers has been redacted. General terms (underlined) have been substituted to protect privacy.

Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and deliverables which can each be substantive, individual projects on their own. [Name redacted] is capable of providing all of the services described below, but we want to be sure that [name redacted] proposes an approach that meets PCORI's objectives.

Risk Assessments identify whether required security controls are in place, and whether they provide a reasonable and appropriate or acceptable risk to the public, to PCORI and to PCORI's constituency. Risk assessments are a required basis for compliance and security management by government agencies and nongovernment agencies alike. Risk assessments are a type of analysis that is commonly run within a project with planned interviews, evidence gathering, analysis and reporting. Risk assessments are often a discrete effort from the other security analyses that are stated in the RFQ (as listed below).

Vulnerability Assessments are scans of technical systems, applications, and devices that reveal a set of weaknesses in systems that lead to potential exploits. These are very useful in identifying opportunities for breaches and hack attacks, and for analyzing vulnerabilities in Risk Assessments. They can be run independent of Risk Assessments.

The Patient-Centered Outcomes Research Institute (PCORI) is an independent organization created to help people make informed healthcare decisions. L St., NW, Suite 900, Washington, DC. Phone: (202) Fax: (202) info@pcori.org. Follow us on
RFQ # PCO-SSA2015 Responses to Questions 1
Penetration Testing (of which Social Engineering is a part) is also run as a discrete project, but that creates valuable information that can be analyzed and prioritized in a risk assessment, or addressed and repaired independent of a risk assessment. Penetration tests are efforts by technicians to (safely) determine to what degree systems and information can be compromised. Penetration test reports can be analyzed in a risk assessment for prioritization of repair, or can be used directly to repair any flaws that led to demonstrated compromise.

Disaster Recovery / Business Continuity Planning can be cursory or in-depth. A cursory review can be an explicit focus of a risk assessment that determines whether the classic parts of a business continuity / disaster recovery plan are in place and appear well designed. A more substantive review can provide you with a substantive, tested plan with assurances of appropriate detail and accuracy of the plan.

Security Architecture Design can also be cursory or in-depth, depending on the challenges and risks that are identified during Risk Assessments and Penetration Tests.

Incident Response Plan is another process or item that can be handled to a cursory or in-depth degree.

Security Policy Design is a process that can take considerable or little effort, depending on the current state of PCORI policies and the complexity of the environment.

A: The following processes (referenced above) are sought as part of this engagement: Risk Assessments, Penetration Testing, Incident Response Plan, and Security Policy Design.

Q: How flexible is PCORI's described timeline? We understand the timing that is described in the RFQ, but the actual time it would take to conduct the described work is typically significantly more than what is stated. As we come to understand PCORI's objectives as a result of discussing Item 1, we can help plan a project that meets your objectives for Item 2.
A: Yes, we are flexible.

Q: How complex and broad is the environment that will be assessed? This is an important element in our understanding of your objectives so that [name redacted] can appropriately estimate the time and skills our team would require in order to properly assess your environment.
A: We are percent cloud-based and also have two physical sites in Washington, D.C.

Q: How deep should the risk analysis be? [Name redacted] is capable of conducting risk assessments that are based on policy reviews and interviews, or additionally, the effectiveness of the controls after reviewing evidence.
A: The analysis should encompass a deep analysis of our environment.

Q: What is the scope of the investigation? For example, does it include PCORnet?
A: No, it doesn't include PCORnet; it includes PCORI main systems.
Q: Does it include the security practices of contractors, such as implementers and developers?
A: Yes.

Q: Does it include the use of information by review boards or other groups external to PCORI's staff?
A: No, it does not.

Q: What is the basis of your distinction between an internal and an external system?
A: Internal: PCORI staff facing. External: Non-PCORI staff.

Q: While PII and PHI are emphasized, the security of other information, such as financial information, should also be considered. Is this correct?
A: Yes.

Q: What is the scope of the PCORI network? For example, does it include PCORnet?
A: It is local to two PCORI sites and all the applications in the cloud (i.e., SharePoint, Fluxx, Salesforce, etc.).

Q: We are concerned that PCORI may be expecting that the contractor can conduct an in-depth examination (e.g., to the hardware or operating system level) for Software as a Service applications such as Salesforce and Foundation Connect, as well as for Platform as a Service solutions such as Amazon Web Services. Can you please comment on your expectations for security examination, for services that are managed and delivered by third-party service providers?
A: Our expectation is that the vendor uses industry best practices.

Q: Has any IT risk assessment already been performed, such as identifying strategic assets and the cost of their being compromised? Did executive management participate in the risk assessment? If so, how?
A: No, there have not been any already performed.

Q: Is executive management expected to participate in the risk assessment associated with this study?
A: This is dependent upon the depth of the study.

Q: How are you defining Social Engineering in the proposal?
A: Unauthorized person using PCORI staff to gain access to PCORI data.

Q: Are information owners expected to participate in the Information Asset Profiling process?
A: TBD
Q: How many locations are subject to vulnerability assessment, attack and penetration testing and application security testing?
A: 2

Q: Is PCORI's system within the scope of the investigation?
A: Yes

Q: Security Assessment/Penetration Test Scoping questions for PCORI:
  How many data centers are there? 0
  How many physical locations are there? 2
  Are all Security Procedures and Policies centrally managed? Yes
  How many individuals will need to be interviewed in order to collect relevant Policy and Procedure Information? All SME
  RFP identifies ISO27001 as a reference model. Is PCORI sensitive to HIPAA and/or PCI control requirements? Yes
A: See above

Q: External Test:
  Will you provide address ranges? If not, would you like a Black Hat Test sequence executed?
  What is the number of IPs owned / in scope?
  What is the number of IPs managed by another party? 10
  What is the number of separate DMZs? 2
  What is the number of IPs active within the scope? 254
  What number of Web Applications, and description (approx. # of pages, components)?
  Is there a Mobile Device Management Solution in place? How many PDAs, etc. are in scope? Yes, 100 PDAs
  Are there any Modems in scope? No
  How many external WIFI environments exist? 1
A: Should they be selected as a vendor, this information will be provided.

Q: Internal Test:
  What is the number of IPs owned?
  How many subnets?
  What is the number of Servers, Desktops?
  What is the number of IPs active?
  Wireless Testing:
  What is the # of SSIDs & physical location(s)?
  Social Engineering:
  What is the # of phishing targets?
A: Should they be selected as a vendor, this information will be provided.

Q: External Network Penetration Testing
  Total number of *active* IPs (external):
  Number of servers:
  Number of network devices (est.):
  Is the environment hosted internally or by a third party?
A: Should they be selected as a vendor, this information will be provided.

Q: Internal Network Penetration Testing
  Total number of *active* IPs (internal):
  Servers:
    o Total Server Count: 4 physical, others virtual
    o Breakdown of Windows: 4
    o Breakdown of Linux: 0
    o Breakdown of Other: 0
  Workstations:
    o Total workstation count: 250
    o How many standard builds or images are you using to deploy these workstations (this is to see how much we will be able to take advantage of sampling)? 1
  Number of network devices (est.): 1

Q: Application Penetration Testing: For the application penetration testing, the most important information for scoping purposes is to get an estimate of the size of the application. This includes number of pages, number of user level roles (i.e., Admin, User, etc.), whether the pages are mostly comprised of static or dynamic content, and how many unique input fields are being used across all pages. This information will provide a good understanding of how long and complex the testing of the application will be. With that in mind, please address the following questions to the best of your ability.
  Application Penetration Testing Questions
  How many applications are in scope for this security assessment?
  Is the application internal, or public facing? Both
    o If public facing, please provide a URL for each app in scope:
      1. App1: TBD
      2. App2: TBD
      3. App3: TBD
  Application No. 1: (repeat for each application)
  Sizing:
  How many web pages comprise the application?
  How many of those web pages are static?
  How many of those web pages are dynamic?
  How many total input parameters are used (input fields across all pages)?
  How many unique input parameters are used (input parameters reused on several pages)?
  How many user levels/roles are defined within the application (i.e., Admin, User, Customer)?
    o How many user roles are in scope for the testing?
A: This information will be provided to the winning bidder.

Q: Wireless Assessment:
  Number of wireless networks in scope: 5
  Number of wireless access points: Give or take 10
  Number of controllers: 2
  Number of locations (unique cities or geographical locations): 2

Q: Social Engineering
  Electronic:
    o For each building:
      1. Number of floors: 6
      2. Approximate square footage: This information will be provided to the winning bidder.
  What types of attacks are desired?
    o Phishing (if so, how many users are in scope)? Yes
    o Pre-Text Calling (if so, how many users are in scope)? Yes
    o Vishing? Yes
  Will we enumerate/identify the targets via reconnaissance, or will targets be identified? TBD
  If attacks are successful, is data compromise or exploitation desired, or simply notating the success/failure of the attacks? TBD
  What is the ultimate objective (access to data, a particular system, etc.)? Find our weakness and determine solutions.

Q: Physical:
  What types of attacks are desired?
    o Dumpster Diving? TBD
    o USB Drops? TBD
    o Server room infiltration? TBD
  How many locations and users are in scope? All staff (250)
  Will any information be shared prior to attacks (whitebox/blackbox)? TBD
  What is the ultimate objective (access to a particular area, etc.)? Find our weak access points.

Q: Risk Assessments
  1. How many total employees does PCORI have?
  2. How many employees are in the IT, Operations, and Security teams? IT 26, Operations 75, Security none
  3. How many locations does PCORI have? 2
  4. What types of systems are used in the environment? (e.g., Windows Desktops, Windows Servers, Linux, Apple, ICS, Mainframe, etc.) Information will be provided at a later point in the process if you have been identified to advance.
  5. Please provide more information regarding the scope and outcome of the information asset profiling request. Does an asset inventory exist today and, if so, is this request to review and assess current state? Yes, we have an asset inventory solution in place today, but we are currently consolidating asset inventory solutions. This is not in the scope of this RFP.
  6. Please provide more information regarding the scope and outcome for the request to review and define security policies. Are security policies in place today and, if so, approximately how many? Do additional policies need to be developed? Yes, there are some generic security policies in place. However, part of the assessment would be to recommend additional policies to meet industry standards.
  7. Please provide more information regarding the scope and outcome of the request to define a disaster recovery plan. Does a business continuity or disaster recovery plan exist today, either formal or informal? Yes, we have a basic disaster recovery plan, but disaster recovery is not included in the scope of this RFP.
  8. Is this a strict deadline? Is there any flexibility to it? The deadline is dependent upon the recommendation and the final statement of work agreed upon.

Q: Phase I Information Risk Assessment
    o Current Systems Review
    o Review of existing procedures and policies to highlight gaps and threats (compare to standards such as ISO27001 controls)
  1. Vulnerability assessment: How many systems in scope, and how many internal vs. external?
  2. Attack and penetration testing: How many systems in scope, and how many internal vs. external?
  3. Application security testing: How many systems in scope, and how many internal vs. external?
  4. Review existing disaster recovery plan/business continuity plan
  5. Network risk analysis
  6. Review physical security
  7. Prepare Risk Matrix (using confidentiality, integrity, and availability as parameters)
  8. Information Asset Profiling
  9. Social Engineering: How many users in scope? Onsite vs. remote, or both?
A: All staff, 250.
More informationTechnical Testing. Network Testing DATA SHEET
DATA SHEET Technical Testing Network Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance your security posture, reduce
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationSECURITY 2.0 LUNCHEON
PROTECTING YOUR ORGANIZATION SECURITY 2.0 LUNCHEON AGAINST CYBER THREATS Tommy Montgomery, Principal Consultant Viral Dhimar, Consultant Adam Ferguson, VP October 22, 2014 #SWCEvents Security 2.0: Next
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationINDUSTRY OVERVIEW: HEALTHCARE
ii IBM MSS INDUSTRY OVERVIEW: HEALTHCARE RESEARCH AND INTELLIGENCE REPORT RELEASE DATE: OCTOBER 7, 2014 BY: JOHN KUHN, SENIOR THREAT RESEARCHER iii TABLE OF CONTENTS EXECUTIVE OVERVIEW/KEY FINDINGS...
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationHOSTING. Managed Security Solutions. Managed Security. ECSC Solutions
Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT
More informationEast African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?
East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management
More informationPut into test the security of an environment and qualify its resistance to a certain level of attack.
Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.
More informationSysAid Cloud Architecture Including Security and Disaster Recovery Plan
SysAid Cloud Architecture Including Security and Disaster Recovery Plan This document covers three aspects of SysAid Cloud: Datacenters Network, Hardware, and Software Components Disaster Recovery Plan
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationChecklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security
Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the
More informationUniversity of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
More informationSTATE OF NEW JERSEY IT CIRCULAR
NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Chris Christie, Governor 300 River View E. Steven Emanuel, Chief Information Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR
More informationIndependent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN
Independent Security Operations Oversight and Assessment Captain Timothy Holland PM NGEN 23 June 2010 Independent Security Operations Oversight and Assessment Will Jordan NGEN Cyber Security 23 June 2010
More informationSecurity-as-a-Service (Sec-aaS) Framework. Service Introduction
Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationINFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationINFORMATION S ECURI T Y
INFORMATION S ECURI T Y T U R N KEY IN FORM ATION SECU RITY SO L U TION S A G L O B A L R I S K M A N A G E M E N T C O M P A N Y PRESENCE PROWESS PARTNERSHIP PERFORMANCE Effective IT security requires
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationDisaster Recovery Plan (Business Continuity) Template
Brochure More information from http://www.researchandmarkets.com/reports/2786932/ Disaster Recovery Plan (Business Continuity) Template Description: The Disaster Planning Template is over 200 pages and
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationEvolution of Penetration Testing
Alexander Polyakov, QSA,PA-QSA CTO Digital Security (dsec.ru) Head of DSecRG (dsecrg.com) ERPSCAN Architect (erpscan.com) Head of OWASP-EAS Pentests? Again? Why? Many companies are doing this Many companies
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationNetwork Marketing Strategy - Overview of the Colorado Cyber Security Program
COLORADO S CYBERSECURITY ASSESSMENT APPROACH Matt Devlin, CISA, CISM Deputy State Auditor September 30, 2014 Overview Colorado OSA and IT Audit Background State of Colorado IT and InfoSec Organizational
More informationSAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT
SAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT Issued By: Angeline C. Peralez Date Issued: July 24, 2014 BID NO.: 14-6077 FORMAL INVITATION FOR BEST VALUE BID (BVB) FOR THE ONE TIME PURCHASE OF NETWORK
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationHobbled Penetration Testing: The Disconnect Between Testing and Real Attacks
Hobbled Penetration Testing: The Disconnect Between Testing and Real Attacks Jason Wood Principal Security Consultant Secure Ideas Background Info Principal Security Consultant at Secure Ideas Penetration
More information[Insert Company Logo]
[Insert Company Logo] Business Continuity and Disaster Recovery Planning (BCDRP) Manual 1 Table of Contents Critical Business Information 4 Business Continuity and Disaster Recover Planning (BCDRP) Personnel
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies
More informationagenda 5 IBM ISS security consulting solutions 6 Reduzca costos y la complejidad de la seguridad en su negocio
Reduzca costos y la complejidad de la seguridad en su negocio Juan Carlos Carrillo Security Sales Leader Viernes, 11 de Septiembre de 2009 agenda 1 2 3 X-Force 2008 Trend & Risk Report Highlights IBM Security
More information