IT Security and Compliance Program Plan for Maxistar Medical Supplies Company


IT Security and Compliance Program for PCI, HIPAA and NIST standards as applicable to the Maxistar Medical Supplies Company's IT operations. This paper was created as part of a case study for CYBS 6355 in the spring 2015 semester at the University of Dallas.

James Konderla, 3/18/

Table of Contents

Executive Summary
Known Risks and Priorities
    Risk 1: Flat Network Topology
    Risk 2: Consolidated Server Functions
    Risk 3: Database Encryption
Implementing a Risk Management Framework
The New Security Program
Conclusion
References

Table of Figures

Figure 1, Bedford Site Topology
Figure 2, Proposed Network Topology for Bedford Site
Figure 3, Current Server Layout
Figure 4, Virtualized Server Layout
Figure 5, PCI Data Storage Guidelines (PCI, 2008)
Figure 6, NIST Risk Management Approach
Figure 7, Security Life Cycle

Executive Summary

As Maxistar Medical Supplies Company grows and expands operations, it becomes increasingly important to keep IT operations secure while also enabling the business to meet customer needs quickly and effectively. During a recent assessment Maxistar identified several changes that needed to be made to its IT operations to secure the business and align with regulatory and legal compliance for the Payment Card Industry (PCI), HIPAA, and NIST standards. As part of this assessment, several known risks were identified and 5 areas specifically were targeted as the beginning of Maxistar's Security and Compliance program. This document outlines those risks as well as the guidelines for our plan to bring Maxistar into compliance with these three key standards. We do this by addressing the following topics:

    List of known risks and major priorities
    Implementation of a risk management framework
    Overview of the new IT security strategy
    Overview and guidelines of the IT compliance strategy

Known Risks and Priorities

As part of our initial assessment of Maxistar's current IT security state we were given exclusive access to the entire IT operation. This access allowed us to determine that there are 3 major risk areas that Maxistar must address first, both to align with PCI, HIPAA and NIST standards and to secure its network in the interim as the compliance program rolls out.

Risk 1: Flat Network Topology

As seen below, Maxistar has a somewhat flat network architecture with only 1 firewall (per site) protecting the network from external environments. This architecture is not unique to the Bedford site but is repeated at every site, and it presents an easy target for external entities, allowing them to traverse the network as easily as the IT group can.

Figure 1, Bedford Site Topology

For this reason we suggest that Maxistar implement a layered topology, also known as Defense in Depth. As seen below, this topology places a secondary firewall between the central network and the

externally-exposed machines. This approach allows the IT assets that need to be reached from outside to remain reachable while keeping attackers from traversing the corporate network, effectively segregating the systems that should not be accessed externally.

Figure 2, Proposed Network Topology for Bedford Site

As each firewall acts as a router, we suggest that the Demilitarized Zone (DMZ) between the 2 firewalls be separated from the internal network by a separate Virtual LAN (VLAN) to further complicate any attempt by external entities to traverse beyond the DMZ. Any performance decrease from implementing this topology should be minimal, if it is noticed at all.

Risk 2: Consolidated Server Functions

Maxistar's current network infrastructure has functioned for many years using a consolidated-roles infrastructure for its servers, as seen below.

Figure 3, Current Server Layout (a single physical server hosting a first role and a second role)

While this consolidation worked well in the past, it presents many potential dangers to the enterprise: if a server sharing a customer database role and a web server role, for example, is compromised, then customer data may be exposed. Our proposal is to separate the server functions through virtualization, as represented below for the same physical server:

Figure 4, Virtualized Server Layout (the physical server hosting two virtual machines, one per role)

By separating server functions and limiting them to 1 per machine (or virtual machine), Maxistar can negate these risks while also coming closer to compliance with PCI, HIPAA and NIST standards, as each of these standards defines a separation of duties per server.

Risk 3: Database Encryption

One of the most noticeable shortcomings in Maxistar's current infrastructure is the lack of encryption on databases. While some databases, such as product information, are unencrypted with good reason, others such as sales information, customer data or billing information should be encrypted immediately. This is also one of the core components of the PCI, HIPAA and NIST standards and should be the primary focus as Maxistar begins converting to its new Security and Compliance program. We recommend a minimum of 128-bit encryption on systems that contain any Personally Identifiable Information, store sales or company-sensitive data, or contain payment information. The base guidelines for which systems require encryption can be found in the chart below, provided by PCI (2008).

Figure 5, PCI Data Storage Guidelines (PCI, 2008)

This table also provides the guidelines for what data should and should not be stored for PCI purposes, and as PCI is the most stringent on data storage requirements we recommend that Maxistar follow its guidelines on both storing and encrypting data.

Implementing a Risk Management Framework

A key success factor for any Security and Compliance program is a risk management framework, as risks to a business cannot be properly mitigated without first being defined. A risk management framework will enable Maxistar to combine its IT security and risk management programs in a way that aligns with the business needs of the company while also protecting the company's IT infrastructure, by defining the risks facing Maxistar and standardizing how those risks will be handled. Given the continuously changing nature of cyber threats, establishing such a framework now, as part of the new security and compliance program, will save time, money and resources against current and future threats. We have selected the NIST framework (NIST, 2014), which was created for Federal Information Systems, as it is flexible while also providing a strong foundation for Maxistar's new program. This framework has a three-tiered approach to risk management, as seen below.

Figure 6, NIST Risk Management Approach

As can be seen in Figure 6, the NIST framework begins with the organization in mind. Only by understanding and aligning IT with the business can risks fully be identified and addressed. Once IT has

aligned itself with the business, it can identify the mission and business processes involved in keeping the business running efficiently and safely before, finally, moving on to securing the information systems and architecture of the company. Seen below, the third tier of the NIST framework focuses on the Security Life Cycle, which guides organizations by taking architecture and organizational inputs and implementing a continuous feedback cycle.

Figure 7, Security Life Cycle

Continuous feedback becomes very important, allowing the continuous improvement of the company's risk management policies as business or architecture needs change. NIST is a very robust framework but allows a lot of flexibility for different kinds of businesses and industries, and it is a perfect choice for Maxistar.

The New Security Program

By implementing a risk management framework with a company-first mindset we can see that Maxistar has many steps on the way to PCI, HIPAA and NIST compliance. To aid in this journey two security plans were proposed, and the Maxistar board decided on the latter plan, outlined below.

Phase 1
Need: Eventual / Time Length: 1 Month
Overview: This phase has Maxistar's IT Group immediately establish encryption and database security controls on its databases. This phase also sees the overhaul of access control for software and hardware systems to match employee job roles.
Steps and Requirements
1.) Immediately implement data encryption on all databases containing customer or payment information.
2.) Conduct an overhaul of access controls and limit the use of equipment, software and systems to employees on a "least privileged" basis.
3.) Implement Emergency Access Controls to give elevated access in the event of technical or incident-driven emergencies.
4.) Implement workstation security by increasing patching of business-critical systems to every 2 months and non-business-critical systems to once a quarter.

Phase 2
Need: Eventual / Time Length: 2 Months
Overview: This phase sees the creation of Maxistar's Security and Compliance team, a subset of the IT Group governed by the Chief Security Officer and responsible for auditing and securing Maxistar's IT systems in compliance with company policies, industry regulations and international standards in all countries and markets Maxistar operates in.
Steps and Requirements
1.) Create the IT Security and Compliance team with a minimum of 4 employees (2 domestic and 2 international), with 2 supervisory positions and 2 analyst positions.
2.) Create a standards document for Device and Media Controls with a focus on the disposal, re-use and resale of retired technologies and media.
3.) Create a security management process with a focus on risk analysis, risk management, system activity review and a sanction policy.
4.) Create an incident response and reporting program (may require additional employees) that focuses on security incident response, reporting and disaster recovery procedures.

Phase 3
Need: Eventual / Time Length: 1 Month
Overview: This phase sees the education of Maxistar employees on the new standards and access controls of the new IT security program, as well as on compliance and the penalties for non-compliance.
Steps and Requirements
1.) Create a training program and implement training classes for the new program. This step includes the publishing of documents on the company's intranet or in easily accessible locations for all employees' review.
2.) Provide notification to customers and any other required entities (state, federal or regulatory) of the new security program.
3.) Establish a continued audit program and set a schedule for the audits to occur through the new Security and Compliance team.

Phase 4
Need: Eventual / Time Length: 2 Months
Overview: For the software group, this phase sees the introduction of code revision and quality control. For the hardware group, this phase sees a change in the network topology to account for an additional firewall layer, plus a small testing infrastructure for both groups.
Steps and Requirements
1.) SOFTWARE - Implement version control standards through GitHub Enterprise to allow easier backout of errors and expedited documentation of changes between software patches and revisions.
2.) SOFTWARE - Implement a code review internal to the company prior to implementing code changes to existing products or publishing new products.
3.) HARDWARE - Implement a secondary firewall, with the current one remaining at the perimeter (internet-facing) infrastructure. Move the web and (optional) servers to the zone between the two firewalls, creating a demilitarized zone for internet-facing traffic.
4.) HARDWARE - Implement a testing infrastructure that shares access controls and a baseline with the current infrastructure.

Phase 5
Need: Eventual / Time Length: 3-4 Months
Overview: This phase will see the implementation of a shared knowledgebase, service catalog and ticket tracking system in accordance with ITIL and ITSM standards.
Steps and Requirements
1.) Implement a service management solution (for example HP Service Management) to provide access to a shared knowledgebase, service catalog and trouble/issue tracking system.
2.) Create a service catalog and corresponding website for the ordering and cataloging of IT assets and services.

As can be seen, this plan is aggressive and will take 10 months to roll out. This plan will focus mainly on the implementation of the new security group, which will establish the security standards and

policies for Maxistar using the NIST risk management framework for guidance. Once this program rolls out, the new security team will focus first on PCI compliance, with HIPAA and NIST compliance also in mind. To aid in this endeavor the security group's first major task will be to take a baseline of Maxistar's current security using the PCI DSS D questionnaire for Merchants to assess how close Maxistar is to PCI compliance. Using the answers to the questionnaire, the security group will then move on to actually developing the new policies using the Common Authorities on Information Assurance (CAIA) spreadsheet (Cloud Audit Controls, 2012). By using this spreadsheet we can see that there are many common elements to each program, and as Maxistar moves closer to PCI compliance these common elements can be assessed as well. Here are a few examples of how these standards can be assessed using the CAIA to note the corresponding HIPAA and NIST standards.

Assessment Procedure

ASSESSMENT OBJECTIVE: Pertaining to firewalls and routers: restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Examine firewall configurations to verify that all inbound and outbound traffic necessary for the cardholder data environment is identifiable, that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that all non-necessary inbound and outbound traffic is specifically denied, either by an explicit "deny all" rule or by an implicit deny after the allow statements]
Compliance Elements:
NIST: SC-7
PCI DSS:

ASSESSMENT OBJECTIVE: Verify that file-integrity monitoring or change-detection software has been implemented on system logs to ensure that existing log data cannot be changed without generating alerts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: system settings, monitored files, results from file monitoring/change-detection activities/applications]
Compliance Elements:
NIST: AU-9, AU-11, AU-14
PCI DSS:

ASSESSMENT OBJECTIVE: Verify that quarterly internal vulnerability scans have been performed by qualified personnel. This includes rescans performed until all "high-risk" vulnerabilities are resolved.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT ALL: review scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period; review scan reports and verify that the scan process includes rescans until all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.]
Compliance Elements:
NIST: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
PCI DSS:
HIPAA: (A)(1)(I)(II)(A), (a)(1)(i)(ii)(B), (a)(5)(i)(ii)(B)

ASSESSMENT OBJECTIVE: Verify that security alerts and information are monitored, analyzed and distributed to appropriate personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.]
Compliance Elements:
NIST: IR-2, IR-6, IR-7
PCI DSS:
HIPAA: (a)(6)(ii), 318.3(a)(New), 318.5(a)(New)
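The file-integrity objective above asks that existing log data cannot be changed without an alert, and the subtlety for logs is that a healthy log file changes all the time by growing. The following Python script is an added example, not part of the paper or of any product it mentions, showing a baseline-and-compare check that tolerates appends but alerts on truncation, in-place edits and deletion. File names, directory and log lines are constructed for the demonstration; only the standard library is used.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of `path`, streamed in chunks."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as handle:
        while remaining > 0:
            chunk = handle.read(min(CHUNK, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Record the size and the hash of every monitored log at baseline time."""
    baseline = {}
    for path in paths:
        size = os.path.getsize(path)
        baseline[path] = {"size": size, "sha256": hash_prefix(path, size)}
    return baseline


def check_logs(baseline):
    """Compare each log against its baseline and return a list of alerts.

    A log that only grew (new lines appended, original bytes untouched) is normal.
    A missing file, a file shorter than its baseline (truncation), or a file whose
    original bytes no longer hash to the baseline value (in-place edit) alerts.
    """
    alerts = []
    for path, record in baseline.items():
        name = os.path.basename(path)
        if not os.path.exists(path):
            alerts.append({"file": name, "event": "missing"})
            continue
        size = os.path.getsize(path)
        if size < record["size"]:
            alerts.append({"file": name, "event": "truncated"})
            continue
        if hash_prefix(path, record["size"]) != record["sha256"]:
            alerts.append({"file": name, "event": "modified"})
    return alerts


def demo():
    """Constructed scenario in a temp dir: one log grows, one is cleared, one is edited."""
    workdir = tempfile.mkdtemp()
    paths = [os.path.join(workdir, name) for name in ("auth.log", "app.log", "db.log")]
    for path in paths:
        with open(path, "w") as handle:  # constructed sample log line
            handle.write("2015-03-18T10:00:00Z INFO service started\n")
    baseline = take_baseline(paths)

    # auth.log: legitimate append, must not alert
    with open(paths[0], "a") as handle:
        handle.write("2015-03-18T10:01:00Z INFO user alice logged in\n")
    # app.log: cleared, which destroys evidence -> "truncated"
    with open(paths[1], "w"):
        pass
    # db.log: timestamp rewritten in place with the same length -> "modified"
    with open(paths[2], "r+b") as handle:
        handle.write(b"2015-03-18T09:59:59Z")

    return sorted((alert["file"], alert["event"]) for alert in check_logs(baseline))


if __name__ == "__main__":
    for name, event in demo():
        print(f"ALERT {name}: {event}")
```

Because the check accepts any append, it has to be paired with the other controls the objective implies: write access to the log directory restricted to the logging service, and a copy of the logs forwarded to a host that the monitored server cannot alter. Log rotation also has to re-baseline the rotated file, otherwise a routine rotation shows up as truncation.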

ASSESSMENT OBJECTIVE: Verify that all personnel are trained in a security awareness program upon hire and at least once annually.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: verify that the program provides multiple methods of communicating awareness and educating personnel; verify that personnel attend security awareness training upon hire and at least once annually]
Interview: [SELECT FROM: randomly sample personnel to verify they have completed awareness training and are aware of the importance of cardholder security.]
Compliance Elements:
NIST: AT-1, AT-2, AT-3, AT-4
PCI DSS:
HIPAA: 164.308(a)(5)(i), (a)(5)(ii)(A)

By using this same technique we can map the compliance elements for all 3 frameworks (PCI, NIST and HIPAA) into a common framework to make implementation easier. Once PCI compliance has been achieved we should have a better security posture and also be closer to meeting HIPAA and NIST compliance. By using the HIPAA security risk assessment tool (HHS, 2014) we can then move on to meeting HIPAA compliance and finish the implementation of our security and compliance program by qualifying for NIST certification as our last step. We plan on dedicating 1 person as the lead on this project, who will work full time and lead the compliance efforts, with the remaining security and IT staff dedicating 20% of their time to the program and the remaining 80% to their normal jobs.
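The firewall assessment objective above (restrict traffic to what the cardholder data environment needs and explicitly deny the rest) is the control that makes the two-firewall DMZ of Risk 1 meaningful. The following Python script is an added example, not the paper's or any vendor's code, that models first-match rule evaluation over a constructed five-column rule format and runs the assessor's two checks: is there an explicit deny-all at the end, and does any rule allow anything to anything. The two rule sets, the addressing (10.1.0.0/24 as the DMZ between the firewalls, 10.2.0.0/24 as the internal network, 10.2.0.10 as the customer database) and the rule syntax are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port number or "any"


def parse_rules(text):
    """Parse the constructed five-column rule format used here (not a vendor format)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        action, src, dst, proto, dport = line.split()
        rules.append(Rule(action, src, dst, proto, dport))
    return rules


def matches(rule, src_ip, dst_ip, proto, dport):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.proto in ("any", proto)
            and rule.dport in ("any", str(dport)))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation; a flow that no rule matches is implicitly denied."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def is_any(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Findings an assessor would raise: no closing deny-all, or an allow-anything rule."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and is_any(last.src) and is_any(last.dst)
                            and last.proto == "any" and last.dport == "any"):
        findings.append("missing explicit deny-all as the last rule")
    for index, rule in enumerate(rules):
        if rule.action == "allow" and is_any(rule.src) and is_any(rule.dst) and rule.dport == "any":
            findings.append(f"rule {index} allows any source to any destination on any port")
    return findings


# Constructed rule sets. Assumed addressing: 10.1.0.0/24 is the DMZ between the two
# firewalls, 10.2.0.0/24 is the internal network, 10.2.0.10 is the customer database.
FLAT_RULES = """
# single perimeter firewall that passes everything through
allow 0.0.0.0/0 0.0.0.0/0 any any
"""

SEGMENTED_RULES = """
allow 0.0.0.0/0   10.1.0.0/24  tcp 443    # internet -> DMZ web servers only
allow 10.1.0.0/24 10.2.0.10/32 tcp 1433   # DMZ web -> internal database, one port
allow 10.2.0.0/24 0.0.0.0/0    tcp 443    # internal -> internet for updates
deny  0.0.0.0/0   0.0.0.0/0    any any    # explicit deny-all closes the policy
"""

if __name__ == "__main__":
    for label, text in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        rules = parse_rules(text)
        print(label, "findings:", audit(rules) or "none")
        # an internet host reaching the database port directly is the Risk 1 failure case
        print(label, "internet -> database:", evaluate(rules, "203.0.113.7", "10.2.0.10", "tcp", 1433))
```

The flat rule set reproduces the Risk 1 situation: one firewall, one permit-everything rule, and an internet host can reach the database port directly. The segmented set lets the web tier be reached from outside and lets it talk to the database on exactly one port, with everything else caught by the closing deny. Against a real firewall the parser would be replaced by the device's configuration export, and the audit should also be run on the inner firewall separately, since the DMZ-to-internal boundary is the one that protects the cardholder data environment.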

Conclusion

As can be seen, Maxistar has a ways to go before it is PCI, HIPAA and NIST compliant. This road, however, will be shorter by relying on NIST as the risk management framework for Maxistar's new Security and Compliance Program. After the initial 10-month rollout Maxistar's infrastructure will run more smoothly and more securely for the remaining rollout. Over the course of the final rollout, which should take an estimated year, Maxistar will move completely into compliance with all 3 standards. Although ideally compliance would be achieved at a faster rate, we must keep in mind that Maxistar, like every other company, has limited resources, and the main resource, people, will be devoted to their own jobs. With 1 person leading the efforts and an 80/20 split between normal jobs and work on the compliance program, Maxistar's journey towards compliance should be smoother than that of many other companies, and, unlike most other companies, Maxistar will be in complete alignment with PCI, HIPAA and NIST standards.

References

Data Security Standard - Requirements and Security Assessment Procedures. (2013, November 1). Retrieved March 19, 2015.
Guide for Assessing the Security Controls in Federal Information Systems and Organizations. (2010, June 1). Retrieved March 19, 2015.
PCI Data Storage Do's and Don'ts. (2008). Retrieved April 9, 2015.
NIST SP R3. (2014). Retrieved April 9, 2015.
Cloud Audit Controls. (2012). Retrieved April 9, 2015.
News. (2014). Retrieved April 9, 2015.


Overcoming Security Challenges to Virtualize Internet-facing Applications Intel IT IT Best Practices Cloud Security and Secure ization November 2011 Overcoming Security Challenges to ize Internet-facing Applications Executive Overview To enable virtualization of Internet-facing

More information

System Security Certification and Accreditation (C&A) Framework

System Security Certification and Accreditation (C&A) Framework System Security Certification and Accreditation (C&A) Framework Dave Dickinson, IOAT ISSO Chris Tillison, RPMS ISSO Indian Health Service 5300 Homestead Road, NE Albuquerque, NM 87110 (505) 248-4500 fax:

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

San Jose Airport PCI@SJC. Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011

San Jose Airport PCI@SJC. Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011 San Jose Airport PCI@SJC Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011 Why PCI-DSS at SJC? SJC as a Service Provider Definition: Business entity that is not a

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Computer System Security Updates

Computer System Security Updates Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),

More information

Lot 1 Service Specification MANAGED SECURITY SERVICES

Lot 1 Service Specification MANAGED SECURITY SERVICES Lot 1 Service Specification MANAGED SECURITY SERVICES Fujitsu Services Limited, 2013 OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES Fujitsu delivers a comprehensive range of information security services

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

DMZ Gateways: Secret Weapons for Data Security

DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.

More information

The Education Fellowship Finance Centralisation IT Security Strategy

The Education Fellowship Finance Centralisation IT Security Strategy The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation Copyright, AlgoSec Inc. All rights reserved The Need to Ensure Continuous Compliance Regulations

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Security Compliance In a Post-ACA World

Security Compliance In a Post-ACA World 1 Security Compliance In a Post-ACA World Security Compliance in a Post-ACA World Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment. REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted

More information

Cyber Security RFP Template

Cyber Security RFP Template About this document This RFP template was created to help IT security personnel make an informed decision when choosing a cyber security solution. In this template you will find categories for initial

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,

More information

Security Considerations

Security Considerations Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Firewall Environments. Name

Firewall Environments. Name Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

General Standards for Payment Card Environments at Miami University

General Standards for Payment Card Environments at Miami University General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Hosting Services VITA Contract VA-120416-AISN (Statewide contract available to any public entity in the Commonwealth)

Hosting Services VITA Contract VA-120416-AISN (Statewide contract available to any public entity in the Commonwealth) Hosting Services VITA Contract VA-120416-AISN (Statewide contract available to any public entity in the Commonwealth) March 2014 Premier Provider of egov Services to the Commonwealth of Virginia Virginia

More information

Realities of Private Cloud Security

Realities of Private Cloud Security SESSION ID: CSV-F03 Realities of Private Cloud Security Scott Carlson PayPal @relaxed137 PayPal Cloud & Software Defined Data Center VIRTUAL Cloud Design Principals, traditional Data Center Deploy from

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

You Can Survive a PCI-DSS Assessment

You Can Survive a PCI-DSS Assessment WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Firewall and Router Policy

Firewall and Router Policy Firewall and Router Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1600 Version # 1.1 Effective Date: 12/31/2011 Revision Date: 12/31/2014 December 31, 2011 Date 1.0 Purpose:

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements.

More information

Compliance Overview: FISMA / NIST SP800 53

Compliance Overview: FISMA / NIST SP800 53 Compliance Overview: FISMA / NIST SP800 53 FISMA / NIST SP800 53: Compliance Overview With Huntsman SIEM The US Federal Information Security Management Act (FISMA) is now a key element of the US Government

More information