Information Technology Security Procedures

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Information Technology Security Procedures"

Transcription

1 Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2

2 Contents 1. Policy Procedures... 3 Summary of Main Security Policies Virus Protection Physical and Environmental Security of the Data Center... 4 Physical Security... 4 Environmental Security Physical and Environmental Security of the user workspace... 5 Physical Security... 5 Environmental Security Access Control LAN Security... 7 Hubs and Switches... 7 Workstations... 7 Wiring... 7 Monitoring Software... 7 Servers... 7 Electrical Security Server Specific Security Wide Area Network Security TCP/IP & Internet Security Security Audit Voice System Security Mobile Devices Hardware and Software Acquisition Inventory Management Third Party Access Software Development and Maintenance Incident Handling and Escalation Glossary... 12

3 1. Policy Procedures Following are the detailed procedures for Information Technology Security and are to be used in conjunction with the Policy Direction Information Technology Security Policy, approved by the National Board on March 4, These procedures were approved by the Executive Team, March 4, 2011 Summary of Main Security Policies Confidentiality of all data is to be maintained through discretionary and mandatory access controls. Internet and other external service access are restricted to authorized personnel only. No Data should be stored in laptop computers to provide confidentiality of data in the event of loss or theft Only authorized and licensed software may be installed, and installation may only be performed by I.T. Department staff. The use of unauthorized software is prohibited. In the event of unauthorized software being discovered it will be removed from the workstation immediately. Passwords must consist of a mixture of at least 8 alphanumeric characters, and must be changed every 120 days and must be unique. Workstation configurations may only be changed by I.T. Department staff. The physical security of computer equipment will conform to recognized loss prevention guidelines. 2. Virus Protection The I.T. Department will have available up to date virus scanning software for the scanning and removal of suspected viruses.

4 Corporate file-servers will be protected with virus scanning software and will utilize live definition update technology. Workstations will be protected by virus scanning software and will utilize live definition update technology. All systems (workstations and servers) will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place. All demonstrations by vendors will be run on their machines and not the Organization s. Vendors will not be permitted connection to the Society s network. To enable data to be recovered in the event of a virus outbreak, regular backups will be scheduled and monitored by the I.T. Department. Users will be notified of virus incidents. Employees will be accountable for any breaches of the Organization s anti-virus policies. In the event of a possible virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it. The I.T. Department will conduct an investigation with the employee to determine the root cause of the infection. 3. Physical and Environmental Security of the Data Center The I.T Department will provide a secure data center facility that will house the majority of all servers and networking equipment for our infrastructure to maximize security and uptime. The data center will have at minimum, the following characteristics: Physical Security 24x7 onsite security CCTV Cameras and patrols both inside and outside the facility Card and biometric identification are required to access the data center floor Fully enclosed racks with combination locks Access to be restricted to key personnel within the I.T. Department and any vendors that may be under contract to manage the infrastructure Environmental Security UPS and dual generator backup power Multi-stage dry pipe fire suppression system Multi-homed upstream internet connectivity

5 Redundant Cooling units Raised Floor 4. Physical and Environmental Security of the user workspace Each MS Society office will provide a secure office working environment that meets the following specifications: Physical Security Alarm systems with annual code changes and access review Locked server room with restricted access All small technology equipment such as laptops, netbooks, projectors must be securely fixed to furniture using cable locks Environmental Security workstation surge protectors if needed UPS for server and other network gear Separate HVAC for server room if existing system cannot maintain consistent temperature between 20C and 22C and relative humidity between 40% and 60% 5. Access Control Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times. Users requiring access to systems must make a written application on the forms provided by the I.T Department. Users will be required to sign the Information Technology Acceptable Use Procedures form on an annual basis. Failure to do so will result in removal of all network access. Users will be required to complete a Network Access form on an annual basis. Failure to do will result in removal of all network access. Where possible no one person will have full rights to any system. The I.T. Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department. The system administrator will be responsible for the maintaining the data integrity of the end-user department s data and for determining end-user access rights.

6 Access to the network/servers and systems will be by individual username and password, and/or by RSA Token Usernames and passwords must not be shared by users. Usernames and passwords must not be written down. Usernames will consist of the user s first initial and last name. Passwords will expire every 120 days and must be unique. Passwords will meet Windows complexity requirements: o The password cannot contain the username o Passwords must contain characters from 3 of the 5 following categories Uppercase Letters Lowercase Letters Numbers Non alphanumeric characters Any Unicode character that is characterized as an alphabetic character but is not lowercase or uppercase. Intruder detection will be implemented where possible. The user account will be locked after 5 incorrect attempts. The I.T. Department will be notified by Human Resources of all employees leaving the Organization s employment. The I.T. Department will then remove the employees rights to all systems. accounts will remain active for 45 days. User files will remain online and accessible to the employee s supervisor for 45 days. After the 45 day period, the user account and files will be deleted. Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the Finance Department. Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems. Use of the Administrator username on Windows is to be kept to a minimum. Default passwords on all network gear and application systems (ie SQL Server) will be changed during installation. On UNIX and Linux systems, rights to rlogin, ftp, telnet, ssh will be restricted to I.T. Department staff only. File systems will have the maximum security implemented that is possible. Where possible users will only be given Read and File scan rights to directories, files will be flagged as read only to prevent accidental deletion. Vendors will have no access to the Production Network except in cases when they need to work on a specific application. In this case, access may be granted upon completion of the Non-Disclosure Agreement. This also applies to vendors accessing our systems remotely to perform work on production systems.

7 Internet Access may be granted to Vendors upon completion of the Business Partner Network Access Agreement 6. LAN Security Hubs and Switches LAN equipment, hubs, bridges, repeaters, routers, switches will be kept in secure hub rooms. Hub rooms will be kept locked at all times. Access to hub rooms will be restricted to I.T. Department staff only. Other staff and contractors requiring access to hub rooms will notify the I.T. Department in advance so that the necessary supervision can be arranged. Workstations Users must logout of their workstations when they leave their workstation for any length of time. Alternatively Windows workstations may be locked. Workstations will automatically lock after 30 minutes of inactivity. Wiring All network wiring will be fully documented. All unused network data jacks in open office or boardroom areas will be de-activated when not in use. All network cables will be periodically scanned and readings recorded for future reference. Users must not place or store any item on top of network cabling. Redundant cabling schemes will be used where possible. Monitoring Software The use of LAN analyzer and packet sniffing software is restricted to the I.T. Department. Servers All servers will be kept securely under lock and key. Access to the system console and server disk/tape drives will be restricted to authorized I.T. Department staff only. Electrical Security All servers will be fitted with UPS's that also condition the power supply.

8 All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be fitted with UPS's. Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure. All UPS's will be tested periodically. 7. Server Specific Security The operating system will be kept up to date and patched on a regular basis; at a minimum, every 6 months. Servers will be checked daily for viruses. Servers will be locked in a secure room. Remote management passwords will be different to the Admin/Administrator/root password. Users possessing Admin/Administrator/root rights will be limited to trained members of the I.T. Department staff only. Use of the Admin/Administrator/root accounts will be kept to a minimum. User s access to data and applications will be limited by the access control features. Intruder detection and lockout will be enabled. The system auditing facilities will be enabled. Servers will be set to auto lock after 30 minutes of inactivity 8. Wide Area Network Security Wireless LAN s are not permitted without prior approval from the I.T. Department o Approved wireless LAN's will make use of the most secure encryption and authentication facilities available. o Users will not install their own wireless equipment under any circumstances. Remote access is only permitted through Citrix or a secure VPN tunnel All bridges, routers and gateways will be kept locked up in secure areas. Unnecessary protocols will be removed from routers.

9 9. TCP/IP & Internet Security Permanent connections to the Internet will be via the means of a firewall to regulate network traffic. Permanent connections to other external networks, for offsite processing etc., will be via the means of a firewall to regulate network traffic. Where firewalls are used, a dual homed firewall (a device with more than one TCP/IP address) will be the preferred solution. Network equipment will be configured to close inactive sessions. Workstation access to the Internet will be via the Organization s website content scanner All incoming and outgoing will be scanned by the Organization s content scanner. 10. Security Audit The I.T. Department will engage a security consultant on an annual basis to perform a security review of our network perimeter. The I.T. Department will engage a security consultant every 2 years to perform a security review of our internal network 11. Voice System Security The MS Society is in the process of moving to a hosted Voice over IP Solution (VOIP) and this section refers to this new VOIP system Maintenance Ports and passwords for the VOIP system will be held and maintained by the vendor The I.T. Department only will have an account to perform Moves, Adds and Changes only and the password for this account will be a secure password Voice mail and Web Portal accounts will use a password with a minimum length of five digits. Telephone bills will be checked carefully to identify any misuse of the telephone system. 12. Mobile Devices

10 The MS Society has the ability to allow all staff to connect mobile devices (personal or corporate owned) to the Society network in a secure manner allowing us the ability to remote wipe these devices in the event they are lost/stolen or an employee leaves the Society. All users are required to sign off on the Mobile Device Management Agreement on an annual basis if they wish to continue to have their devices connected to the MS Society network. 13. Hardware and Software Acquisition All technology related items must be purchased through the National Office Desktops, laptops and Netbook specifications are set by the I.T. Department and are available to be ordered through the IT Order form located in Mercury. o Any order placed through the IT order form is managed through an automated process and approved by the ordering user s manager or department head. o The I.T. Department is responsible for the ordering process and orders once approved are sent directly to the vendor for fulfillment. o Invoices will be sent directly to the ordering department who are responsible for review, coding and approval. Failure to pay invoices in a timely manner could affect future orders for all staff. Any technology related items that are not on this list must first be approved by the I.T. Department in order to ensure that they are compatible with our systems and are able to be supported When placing orders over $10,000 for servers and infrastructure related items, the I.T. Department will source 3 quotes to ensure the organization is getting the best possible price 14. Inventory Management The I.T. Department will keep a full inventory of all server and networking equipment Individual departments will keep a full inventory of all Desktops, Laptops and printers 15. Third Party Access Any third party vendor that requires access to MS Society systems or data must sign the following documents before access will be granted Non-Disclosure Agreement (NDA) Business Partner Network Access Agreement

11 16. Software Development and Maintenance Applies to all 3 rd party software used by our business units Standard software development lifecycle (SDLC) processes will be followed at all times for both new and existing systems o Project planning and feasibility Study o Systems analysis, requirements definition o Systems design o Implementation o Integration and Testing o Acceptance, installation, deployment o Maintenance 17. Incident Handling and Escalation In the event of a security breach, the I.T. Department will immediately take steps to isolate the breach and inform the infected parties. Users are responsible for immediately notifying the I.T. Department of suspected security breaches. All security breaches will be investigated by the I.T. Department. 3 rd party vendors may be called in to assist The entity responsible for the support of the systems in all cases is expected to o Report the attack to the Manager, I.T. Operations and/or Vice President, Information Technology o Block or prevent escalation of the attack if possible o Repair the resulting damage o Restore service to its former level o Preserve evidence where appropriate o Conduct a post-mortem to determine root cause o Prepare a list of recommendations to prevent future breaches of a similar nature o Conduct a final follow up review within 3 months Modifications will be avoided to any systems/equipment involved (or suspected of involvement) in criminal activity until receiving instruction from the Vice President, Information Technology

12 Glossary Access Control Authenticate Authorization Discretionary Access Control Firewall Ftp Hub Identification Internet LAN Analyzer Laptop Mandatory Access Control The process of limiting access to the resources of a system only to authorized programs, processes, or other systems. To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. The granting of access rights to a user, program, or process. A means of restricting access to objects based upon the identity and need to know of the user, process, and/or groups to which they belong. A device and/or software that prevents unauthorized and improper transit of access and information from one network to another. File transfer protocol. Protocol that allows files to be transferred using TCP/IP. Network device for repeating network packets of information around the network. The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names. Worldwide information service, consisting of computers around the globe linked together by telephone cables. Device for monitoring and analyzing network traffic. Typically used to monitor network traffic levels. Sophisticated analyzers can decode network packets to see what information has been sent. Small portable computer. A means of restricting access to objects based upon the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of

13 such sensitivity. Password Telnet UPS Username Virus Voice Mail A protected, private character string used to authenticate an identity. Protocol that allows a device to login in to a UNIX host using a terminal session. Uninterruptable power supply. Device containing batteries that protects electrical equipment from surges in the mains power and acts as a temporary source of power in the event of a mains failure. A unique symbol or character string that is used by a system to identify a specific user. Computer software that replicates itself and often corrupts computer programs and data. Facility which allows callers to leave voice messages for

I.T. SECURITY POLICY

I.T. SECURITY POLICY I.T. SECURITY POLICY Copyright Ruskwig Ruskwig provides you with the right to copy and amend this document for your own use You may not resell, ask for donations for, or otherwise transfer for value the

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

On-Site Computer Solutions values these technologies as part of an overall security plan:

On-Site Computer Solutions values these technologies as part of an overall security plan: Network Security Best Practices On-Site Computer Solutions Brian McMurtry Version 1.2 Revised June 23, 2008 In a business world where data privacy, integrity, and security are paramount, the small and

More information

IT Security Procedure

IT Security Procedure IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

CONTENTS. Security Policy

CONTENTS. Security Policy CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014 The Practice of Internal Controls Cornell Municipal Clerks School July 16, 2014 Page 1 July 18, 2014 Cash Receipts (Collection procedures) Centralize cash collections within a department or for the local

More information

WORKSTATION SECURITY STANDARD

WORKSTATION SECURITY STANDARD WORKSTATION SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Standard Improperly configured computer systems

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

Network Documentation Checklist

Network Documentation Checklist Network Documentation Checklist Don Krause, Creator of NetworkDNA This list has been created to provide the most elaborate overview of elements in a network that should be documented. Network Documentation

More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

RAS Associates, Inc. Systems Development Proposal. Scott Klarman. March 15, 2009

RAS Associates, Inc. Systems Development Proposal. Scott Klarman. March 15, 2009 Systems Development Proposal Scott Klarman March 15, 2009 Systems Development Proposal Page 2 Planning Objective: RAS Associates will be working to acquire a second location in Detroit to add to their

More information

MSP Service Matrix. Servers

MSP Service Matrix. Servers Servers MSP Service Matrix Microsoft Windows O/S Patching - Patches automatically updated on a regular basis to the customer's servers and desktops. MS Baseline Analyzer and MS WSUS Server used Server

More information

NETWORK INFRASTRUCTURE USE

NETWORK INFRASTRUCTURE USE NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

(i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.

(i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials. 1. Credential Policy General In order to maintain the security of MOD Mission Critical internal databases, access by software programs must be granted only after authentication with credentials. The credentials

More information

Consensus Policy Resource Community. Lab Security Policy

Consensus Policy Resource Community. Lab Security Policy Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1 JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

RSA Authentication Agents Security Best Practices Guide. Version 3

RSA Authentication Agents Security Best Practices Guide. Version 3 RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

A Systems Approach to HVAC Contractor Security

A Systems Approach to HVAC Contractor Security LLNL-JRNL-653695 A Systems Approach to HVAC Contractor Security K. M. Masica April 24, 2014 A Systems Approach to HVAC Contractor Security Disclaimer This document was prepared as an account of work sponsored

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State

More information

SECURITY MANAGEMENT IT Security Policy (ITSP- 1)

SECURITY MANAGEMENT IT Security Policy (ITSP- 1) SECURITY MANAGEMENT IT Security Policy (ITSP- 1) 1A Policy Statement District management and IT staff will plan, deploy, and monitor IT security mechanisms, policies, procedures, and technologies necessary

More information

Remote Deposit Terms of Use and Procedures

Remote Deposit Terms of Use and Procedures Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

ADM:49 DPS POLICY MANUAL Page 1 of 5

ADM:49 DPS POLICY MANUAL Page 1 of 5 DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The

More information

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Date: Completed By: Name: Department: Position: Phone: Email Address: Section 1: Security Education and Awareness

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Storage Guardian Remote Backup Restore and Archive Services

Storage Guardian Remote Backup Restore and Archive Services Storage Guardian Remote Backup Restore and Archive Services Storage Guardian is the unique alternative to traditional backup methods, replacing conventional tapebased backup systems with a fully automated,

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Georgia Institute of Technology Data Protection Safeguards Version: 2.0 Data Protection Safeguards Page 1 Georgia Institute of Technology Data Protection Safeguards Version: 2.0 Purpose: The purpose of the Data Protection Safeguards is to provide guidelines for the appropriate

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

I.T. CHAPTER 9. A fingerprint reader is an example of which security technology? authorization. biometric. keylogging. secureware.

I.T. CHAPTER 9. A fingerprint reader is an example of which security technology? authorization. biometric. keylogging. secureware. I.T. CHAPTER 9 A fingerprint reader is an example of which security technology? authorization biometric keylogging secureware smartcard Which wireless security technology is a good choice when using Cisco

More information

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL ARCHITECTURE & APPLICATION CONTROL A technical overview of BoldChat s security. INTRODUCTION LogMeIn offers consistently reliable service to its BoldChat customers and is vigilant in efforts to provide

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Exhibit B5b South Dakota. Vendor Questions COTS Software Set

Exhibit B5b South Dakota. Vendor Questions COTS Software Set Appendix C Vendor Questions Anything t Applicable should be marked NA. Vendor Questions COTS Software Set Infrastructure 1. Typically the State of South Dakota prefers to host all systems. In the event

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication

More information

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY ASSESSABLE UNIT: ENTER THE NAME OF YOUR ASSESSABLE UNIT HERE BUSINESS PROCESS: ENTER YOUR BUSINESS PROCESS HERE BANNER INDEX CODE: ENTER YOUR BANNER INDEX CODE HERE Risk: If you monitor the activity and

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

ICAB4236B Build security into a virtual private network

ICAB4236B Build security into a virtual private network ICAB4236B Build security into a virtual private network Release: 1 ICAB4236B Build security into a virtual private network Modification History Not Applicable Unit Descriptor Unit descriptor This unit

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Data Network Security Policy

Data Network Security Policy Authors: Mike Smith Rod Makosch Network Manager Data Security Officer IM&T IM&T Version No : 1 Approval Date: March 2005 Approved by : John Aird Director of IM&T Review Date : 1 April 2006 Trust Ref: C7/2005

More information

HIPAA Privacy and Security Risk Assessment and Action Planning

HIPAA Privacy and Security Risk Assessment and Action Planning HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account

More information

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure PA-DSS Implementation Guide: Steps to ensure that your POS system is secure About the PCI Security Standards The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

Table of Contents. Page 1 of 6 (Last updated 30 July 2015) Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational

More information

Service Level Agreement (SLA) Arcplace Backup Enterprise Service

Service Level Agreement (SLA) Arcplace Backup Enterprise Service (SLA) Arcplace Backup Enterprise Service 1. Introduction This Service Level Agreement ( SLA ) forms an integral part of the Agreement between Arcplace and Customer. This SLA describes the Backup Enterprise

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

Auburn Montgomery. Registration and Security Policy for AUM Servers

Auburn Montgomery. Registration and Security Policy for AUM Servers Auburn Montgomery Title: Responsible Office: Registration and Security Policy for AUM Servers Information Technology Services I. PURPOSE To outline the steps required to register and maintain departmental

More information

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

SNAP WEBHOST SECURITY POLICY

SNAP WEBHOST SECURITY POLICY SNAP WEBHOST SECURITY POLICY Should you require any technical support for the Snap survey software or any assistance with software licenses, training and Snap research services please contact us at one

More information

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage.

More information

Industrial Security for Process Automation

Industrial Security for Process Automation Industrial Security for Process Automation SPACe 2012 Siemens Process Automation Conference Why is Industrial Security so important? Industrial security is all about protecting automation systems and critical

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

IT Security Standard: Network Device Configuration and Management

IT Security Standard: Network Device Configuration and Management IT Security Standard: Network Device Configuration and Management Introduction This standard defines the steps needed to implement Bellevue College policy # 5250: Information Technology (IT) Security regarding

More information

Data Center Infrastructure & Managed Services Outline

Data Center Infrastructure & Managed Services Outline Data Center Infrastructure & Managed Services Outline The 360 Technology Center Solutions Data Center is located in Lombard, IL, USA. We are 20 minutes outside of downtown Chicago. The 360TCS staff consists

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

NEWT Managed PBX A Secure VoIP Architecture Providing Carrier Grade Service

NEWT Managed PBX A Secure VoIP Architecture Providing Carrier Grade Service NEWT Managed PBX A Secure VoIP Architecture Providing Carrier Grade Service This document describes the benefits of the NEWT Digital PBX solution with respect to features, hardware partners, architecture,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Information Security By Bhupendra Ratha, Lecturer School of Library & Information Science D.A.V.V., Indore E-mail:bhu261@gmail.com Outline of Information Security Introduction Impact of information Need

More information

TECHNICAL SECURITY AND DATA BACKUP POLICY

TECHNICAL SECURITY AND DATA BACKUP POLICY TECHNICAL SECURITY AND DATA BACKUP POLICY PURPOSE Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training.

More information

Agency Pre Migration Tasks

Agency Pre Migration Tasks Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information