IT AUDIT AND SECURITY COMPLIANCE: WHERE TO FOCUS YOUR EFFORTS FOR
O'Connor & Drew, P.C., IT Audit and Security. Presented by Jake McAleer, March 2014.
Jake McAleer, CISA

Professional profile:
- Senior IT Audit and Security Manager, O'Connor & Drew, P.C.
- Director of Operations, Dyn
- Senior IT Auditor, State Street Bank
- Network and Systems Engineer, Raytheon Company

Industry expertise:
- Internet services and infrastructure (IaaS, PaaS, SaaS, colocation, data center)
- Financial services
- Manufacturing
- Government
- Not-for-profit organizations
- Family-owned businesses
INFORMATION SECURITY PROGRAM
An overview of a security program and a review of IT control terminology
Risk Rating
Many people confuse the risk event with the risk rating:
- Risk Event = the description of the risk (what could happen)
- Risk Rating = Likelihood + Impact (each is scored separately and the two are combined; a rating without both halves is meaningless)
Prioritizing your audit program by risk rating is called a Risk-Based Audit Approach.
Security Programs Vary By Business
- Every business is different
- No one framework or law will completely protect you
- Vendors can help, but don't rely entirely on them
- You know your business better than anyone, so your input is key!
- Internal owners manage and enforce the process
- Employees must be provided direction and training
All programs need proper ownership, employee education, and enforcement.
Example password policy (quoted on the slide)
- The password must be exactly 8 characters long.
- It must contain at least one letter, one number, and one special character.
- The only special characters allowed: # $
- A special character must not be located in the first or last position.
- Two of the same characters sitting next to each other are considered to be a set. No sets are allowed.
- Avoid using names, such as your name, user ID, or the name of your company or employer.
- Other words that cannot be used are Texas, child, and the months of the year.
- A new password cannot be too similar to the previous password. Example: previous password abc#1234, acceptable new password acb$1243.
- Characters in the first, second, and third positions cannot be identical. (abc*****)
- Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
- Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)
- A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time.
- The previous 8 passwords cannot be reused.
Focus On The Objective
- Prevent guessing: 8+ characters and some basic variation (upper and lower case, number, special character, etc.), so that a single dictionary word cannot be the password
- Prevent brute force: lock out after 5-10 attempts, and lock out across the organization rather than only on the one system that saw the attempts; protect the encrypted/hashed values
- Prevent reuse: check new passwords against a database of old (hashed) passwords
- Prevent compromise: user education (don't reuse passwords, don't write them on your laptop, etc.); force a change every N days (the interval did not survive transcription)
- Enforce use: automatic password/PIN enforcement on devices; automatic screen locks after 10 minutes; review how password resets are managed
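The objectives above turned into working code. This is an added example, not from the presentation or from O'Connor & Drew: a small Python account model that enforces length and variation, stores passwords as salted PBKDF2 hashes, rejects reuse against the retained history, and locks the account after a threshold of failures. The thresholds (5 attempts, 15-minute lockout, 8-deep history, PBKDF2 round count) and the tiny common-password list are assumptions picked from the slide's ranges. Organization-wide lockout additionally needs every system's authentication events in one place, which is the SIEM material later in the deck.

```python
"""Password controls written against the objectives on the slide, as an added
example (constructed; not from the presentation). Standard library only.
Thresholds are assumptions taken from the ranges the slide gives."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
import time
from collections import deque

MIN_LENGTH = 8             # "8+ characters"
CHAR_CLASSES_NEEDED = 3    # "some basic variation": 3 of lower/upper/digit/special
LOCKOUT_THRESHOLD = 5      # "lock out after 5-10 attempts"
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration
HISTORY_DEPTH = 8          # "previous 8 passwords cannot be reused"
PBKDF2_ROUNDS = 200_000    # assumed work factor for the stored hash
# Stand-in for a breached/common-password list (constructed, tiny).
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def policy_errors(password: str, username: str = "") -> list[str]:
    """Prevent guessing: reject short, single-class, common or name-based passwords.
    Returns the list of violations; empty means acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < CHAR_CLASSES_NEEDED:
        errors.append(f"needs at least {CHAR_CLASSES_NEEDED} character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("common password")
    if username and username.lower() in password.lower():
        errors.append("contains the user name")
    return errors


def hash_password(password: str, salt: bytes | None = None) -> bytes:
    """Protect the stored value: random per-user salt plus slow PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.current: bytes | None = None
        self.history: deque = deque(maxlen=HISTORY_DEPTH)  # hashes of previous passwords
        self.failures = 0
        self.locked_until = 0.0
        self.set_password(password)

    def set_password(self, new_password: str) -> None:
        """Prevent reuse: compare against the current hash and the retained old hashes."""
        errors = policy_errors(new_password, self.username)
        if errors:
            raise ValueError("; ".join(errors))
        previous = ([self.current] if self.current else []) + list(self.history)
        if any(verify_password(new_password, old) for old in previous):
            raise ValueError(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if self.current:
            self.history.append(self.current)
        self.current = hash_password(new_password)

    def login(self, password: str, now: float | None = None) -> str:
        """Prevent brute force: count failures and lock the account at the threshold.
        Returns "ok", "denied" or "locked"."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if verify_password(password, self.current):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account("alice", "Corr3ct-Horse!")
    for attempt in range(LOCKOUT_THRESHOLD):
        print("attempt", attempt + 1, acct.login("wrong-guess", now=0.0))
    print("right password during lockout:", acct.login("Corr3ct-Horse!", now=1.0))
```

Note what is absent: no positional rules, no banned words like the months of the year, no forced similarity test. Those rules shrink the search space for an attacker who knows them, while the checks above map one-to-one onto the objectives.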
IT AUDITING IN
Focusing on the three inputs:
- Business Needs
- Legal and Regulatory
- Customers and Partners
Legal And Regulatory Requirements
Focuses on a specific:
- Industry
- Consumer
- Type of data
- Geographic region
Often:
- Long and complex
- Cross-references other sections or laws
- Subjective and broadly worded
- References dated (now outdated) terms
- Intended to protect someone else, not your business
Regulatory Examples
- Credit card account information: Payment Card Industry (PCI)
- Electronic patient health information: Health Insurance Portability and Accountability Act (HIPAA)
- Consumers' private banking information: Gramm-Leach-Bliley Act (GLBA)
- Government data and systems: Federal Information Security Management Act (FISMA)
- Public company accounting: Sarbanes-Oxley Act (SOX)
Legal, Regulatory, Industry-Specific
- What laws must the business comply with?
- Is there a legal/compliance group to rely on?
- Do you have an international presence? International customers? What laws apply?
- Are these areas being reviewed for changes?
- Are there periodic requirements? Example: PCI quarterly scans, yearly attestation
- Can the work be done by another group or external resource?
PCI DSS v3.0 Enforcement Date
Quoted on the slide from the PCI Security Standards Council's change-highlights document: "Version 3.0 will introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously. Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only, to allow organizations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December."
Source cited on the slide: ...and PA-DSS Change Highlights.pdf
Examples: PCI DSS v3.0 Requirements
- New requirement to maintain an inventory of system components in scope for PCI DSS, to support development of configuration standards
- New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access and to revoke access immediately upon termination
- New requirement to implement a methodology for penetration testing; perhaps use a standard such as NIST SP [number truncated on the slide]
- New requirement for service providers to provide a written agreement/acknowledgment to their customers of their responsibility for the cardholder data they handle
Source cited on the slide: ...DSS v3 Summary of Changes.pdf
M.G.L. c. 93H and MA 201 CMR 17
Requires:
- Designated program owner/maintainer
- Identifying where PII might be within the organization
- Encryption
- Monitoring and effectiveness testing
- Anti-virus and patching
- Employee training
- 3rd-party service provider compliance
- Timely disclosure of a breach
- Written Information Security Program (WISP): documents your methodologies, processes, procedures, technologies, PII data types, etc.
MA 201 CMR 17 Definition of PII
"Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that Personal information shall not include information that is lawfully obtained from publicly" (definition cut off in the transcription)
HR Rep: Welcome To The Company!
"We need an ID for your I-9 Form."
"We need your routing number so we can pay you."
(Onboarding alone collects exactly the name-plus-element combinations defined above.)
Computer Access
Nearly every employee has access to a PC at work:
- Lawyer's office
- Doctor's office
- Accountant
- Car repair shop
- Retail
- Banks
- Restaurants
- Grocery store
- Non-profit
- Call center
Access To A Computer At Work
- Are employees surfing the web on business-critical systems? If so, is it necessary?
- Can you provide them alternatives such as a virtual machine or a protected area of the system, or limit user privileges?
- Anti-malware/virus software?
- Are you segregating general PCs from sensitive networks?
- Do you have open network shares?
- Are you blocking the right websites? Social media, cloud storage (e.g. Google Drive), known malicious sites, TOR, P2P, anonymous browsing sites
End User Systems: Internet Access
- Do users have Java installed? Do they NEED it? In the first half of 2013, Java was the most common zero-day focus for attackers.
- Internet Explorer (IE) vs. Firefox or Chrome? The second half of 2013 saw a burst of IE zero-days.
- Still using Windows XP? General support and updates were discontinued in April 2014; a wave of attacks is rumored to be coming.
To The Cloud!
Cloud Service Providers (SaaS, PaaS, ...)
- Is the provider responsible for safeguarding your information, or simply providing software/hardware? If the former, how are they safeguarding it?
- Who is reviewing/approving contracts with providers? What SLAs and other commitments are they agreeing to?
- Who in the organization has access to these resources? Are they being used to circumvent traditional IT groups?
- Is your business able (legally, regulatorily, etc.) to use them?
- Who (if anyone) is managing them? Firewall rules, patching, testing
SOC 2 and 3 Reports
- AICPA Service Organization Control (SOC) reports; started in the 1990s as the SAS 70 report
- SOC 1 (SSAE 16): controls relevant to the customer's internal control over financial reporting
- SOC 2: service provider detailed report (security, availability, processing integrity, confidentiality and/or privacy controls)
- SOC 3: service provider summary report
- A SOC 2 report may be shared under NDA; a SOC 3 report is for public release, put right on the website
- Ask for a SOC 2 or 3 report from your service providers: cloud/hosting, SaaS
IMPORTANT SECURITY TOPICS FOR
Timely topics to investigate
Egress Filtering
- Simply blocking by ports isn't enough
- Deep packet inspection: HTTP, DNS, SSH/FTP
- Encryption complicates the topic
- Malicious URL/destination filtering
- Different rules for different systems: block all external traffic to/from PCI and other protected systems; whitelist updates/patching
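Why port-based egress rules are not enough, shown on DNS specifically. This is an added example, not from the presentation: a Python pass over a constructed query-log extract that flags the usual signs of data being tunnelled out through the one port every firewall allows (very long or high-entropy subdomain labels, TXT/NULL queries from workstations, and many distinct names under one registered domain from a single client). The log format, the thresholds and the "last two labels" notion of a registered domain are assumptions for the demo; a production version would use a public-suffix list and far higher name counts.

```python
"""DNS egress heuristics over a query log, as an added example (constructed;
not from the presentation). Allowing port 53 out is not the same as allowing
only legitimate name resolution."""
from __future__ import annotations
import math
from collections import defaultdict

# Tunable thresholds (assumptions for the demo, not values from the slides).
MAX_LABEL_LENGTH = 40             # encoded payload chunks produce very long labels
MIN_ENTROPY_LENGTH = 20           # only score labels long enough for entropy to mean anything
MAX_LABEL_ENTROPY = 3.8           # bits/char; English-like labels sit well below this
UNUSUAL_QTYPES = {"TXT", "NULL"}  # common carriers for tunnelled data


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' registrable domain (assumption: no public-suffix
    list, so co.uk-style suffixes would be handled wrongly in real use)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_labels(qname: str) -> list[str]:
    """Per-query checks on the subdomain labels left of the registered domain."""
    reasons = []
    for label in qname.rstrip(".").split(".")[:-2]:
        if len(label) > MAX_LABEL_LENGTH:
            reasons.append("long label")
        elif len(label) >= MIN_ENTROPY_LENGTH and shannon_entropy(label) > MAX_LABEL_ENTROPY:
            reasons.append("high-entropy label")
    return reasons


def analyze(log_text: str, unique_threshold: int = 3) -> list[tuple[str, str, str]]:
    """Returns (client, name-or-domain, reason) alerts for one log extract.
    unique_threshold is absurdly low for the demo; real tunnels generate hundreds."""
    alerts = []
    names_per_domain = defaultdict(set)  # (client, registered domain) -> distinct qnames
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        reasons = suspicious_labels(qname)
        if qtype in UNUSUAL_QTYPES:
            reasons.append(f"unusual qtype {qtype}")
        if reasons:
            alerts.append((client, qname, ", ".join(reasons)))
        names_per_domain[(client, registered_domain(qname))].add(qname)
    for (client, domain), names in names_per_domain.items():
        if len(names) >= unique_threshold:
            alerts.append((client, domain, f"{len(names)} unique names"))
    return alerts


# Constructed log extract, "<client ip> <qtype> <qname>" per line (not a real capture).
SAMPLE_LOG = "\n".join([
    "10.20.0.15 A www.example.com",
    "10.20.0.15 A cdn.example.net",
    "10.20.0.15 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.tunnel.example.org",
    "10.20.0.15 TXT q9w8e7r6t5y4u3i2o1p0a1s2d3f4g5h6.tunnel.example.org",
    "10.20.0.15 TXT z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6.tunnel.example.org",
    "10.20.0.22 A mail.example.com",
    "10.20.0.22 A " + "a" * 46 + ".example.com",
])

if __name__ == "__main__":
    for client, name, reason in analyze(SAMPLE_LOG):
        print(f"{client:12} {reason:40} {name}")
```

The same three heuristics are what a resolver-side inspection product applies; the point for an auditor is that the control has to look inside the protocol, not at the port number.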
Event Monitoring and Alerting
IDS/IPS
- Monitors can block suspicious traffic
- Where are these devices? What are they monitoring? Are they up-to-date?
SIEM: real-time collection and analysis of security alerts generated by network hardware and applications
- What devices are reporting to it?
- Who is monitoring it?
- What activities are being logged and analyzed?
- How does the system correlate activities?
- Are employees able to take corrective action in a timely manner?
- Are different teams using different SIEMs? Are they sharing info?
- How often are they truly tested to ensure effectiveness?
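What "correlate activities" means in practice, as an added example (not from the presentation): two rules over constructed authentication events gathered from several hosts. The first catches one account failing across several hosts inside a time window, which a per-host lockout never sees and which is exactly the case the organization-wide lockout on the password slide is meant for; the second catches a success following a burst of failures from one source address. Line format, window and thresholds are assumptions.

```python
"""Event correlation across hosts, as an added example (constructed; not from
the presentation). Two rules a SIEM would express over authentication events:
 1. one account failing on several hosts within a window (the per-host
    lockout never trips, so the organization-wide view has to);
 2. a burst of failures from one source followed by a success."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption):
# "<iso-timestamp> host=<h> user=<u> result=FAIL|SUCCESS src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>FAIL|SUCCESS) src=(?P<src>\S+)$"
)


def parse_event(line: str) -> dict | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never treated as success
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, window=timedelta(minutes=5), host_threshold=3, fail_threshold=5):
    """Sliding-window correlation; each (rule, key) fires once so the console is not flooded."""
    alerts = []
    fired = set()
    user_fails = defaultdict(deque)  # user -> deque of (ts, host)
    src_fails = defaultdict(deque)   # src  -> deque of ts

    def trim(q, now, key=lambda item: item):
        while q and now - key(q[0]) > window:
            q.popleft()

    for ev in filter(None, map(parse_event, lines)):
        now = ev["ts"]
        if ev["result"] == "FAIL":
            uq = user_fails[ev["user"]]
            uq.append((now, ev["host"]))
            trim(uq, now, key=lambda item: item[0])
            hosts = {h for _, h in uq}
            if len(hosts) >= host_threshold and ("distributed_failures", ev["user"]) not in fired:
                fired.add(("distributed_failures", ev["user"]))
                alerts.append({"rule": "distributed_failures", "key": ev["user"], "at": now,
                               "detail": f"{len(uq)} failures on {len(hosts)} hosts: {sorted(hosts)}"})
            sq = src_fails[ev["src"]]
            sq.append(now)
            trim(sq, now)
        else:  # SUCCESS
            sq = src_fails[ev["src"]]
            trim(sq, now)
            if len(sq) >= fail_threshold and ("success_after_failures", ev["src"]) not in fired:
                fired.add(("success_after_failures", ev["src"]))
                alerts.append({"rule": "success_after_failures", "key": ev["src"], "at": now,
                               "detail": f"{len(sq)} failures then success as {ev['user']} on {ev['host']}"})
            sq.clear()
    return alerts


# Constructed events from three hosts (not real logs). jsmith is attacked from
# 203.0.113.5 across web01/vpn01/mail01; mlee simply mistypes once.
SAMPLE_EVENTS = """\
2014-03-10T09:00:01 host=web01 user=jsmith result=FAIL src=203.0.113.5
2014-03-10T09:00:07 host=vpn01 user=jsmith result=FAIL src=203.0.113.5
2014-03-10T09:00:12 host=mail01 user=jsmith result=FAIL src=203.0.113.5
2014-03-10T09:00:20 host=web01 user=jsmith result=FAIL src=203.0.113.5
2014-03-10T09:00:25 host=web01 user=jsmith result=FAIL src=203.0.113.5
2014-03-10T09:00:31 host=web01 user=jsmith result=SUCCESS src=203.0.113.5
2014-03-10T09:10:00 host=web01 user=mlee result=FAIL src=198.51.100.9
2014-03-10T09:10:05 host=web01 user=mlee result=SUCCESS src=198.51.100.9
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS.splitlines()):
        print(a["at"].isoformat(), a["rule"], a["key"], "-", a["detail"])
```

Neither rule can fire if only one host's log reaches the SIEM, which is the practical reason behind the "what devices are reporting to it?" question.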
Encryption and DLP
Encryption is a must!
- Laptops and desktops
- USB thumb drives
- Backup media and hard drives
- Passwords and other sensitive data
Data Loss Prevention
- Monitoring of USB thumb drives and removable media
- Files being e-mailed in and out of the company
- Files being uploaded to 3rd-party systems
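A content check of the kind a DLP filter or a data-discovery scan runs, written against the 201 CMR 17 definition quoted earlier in the deck (name plus Social Security number, license number, or financial account/card number). This is an added example, not from the presentation: it detects SSNs by structure, card numbers by length plus the Luhn checksum, and a crude "First Last" name, classifies each constructed record as personal information only when name and element co-occur, and masks the elements before a record is logged or e-mailed. Driver's license formats are state-specific and are left out; the name detector, the regular expressions and the sample records are assumptions.

```python
"""Content scanner for the two well-defined data elements in the 201 CMR 17
definition (SSN, card/financial account number), as an added example
(constructed; not from the presentation). License numbers are omitted because
their format is state-specific."""
from __future__ import annotations
import re

# SSN with structurally impossible ranges excluded (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by single spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Crude "First Last" detector (assumption); a real DLP engine uses dictionaries or structured fields.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:             # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_elements(text: str) -> list[str]:
    """Which 201 CMR 17 data elements the text contains ("ssn", "card")."""
    elements = []
    if SSN_RE.search(text):
        elements.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            elements.append("card")
            break
    return elements


def classify(record: str) -> dict:
    """201 CMR 17.02: a name plus at least one data element is 'personal information'."""
    elements = find_elements(record)
    has_name = bool(NAME_RE.search(record))
    return {"record": record, "name": has_name, "elements": elements,
            "personal_information": has_name and bool(elements)}


def redact(text: str) -> str:
    """Mask the elements before the record is logged, exported or e-mailed."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()     # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(mask_card, text)


def scan(records):
    return [classify(r) for r in records]


# Constructed records (not real data). 4111 1111 1111 1111 is the standard
# Luhn-valid test number; ...1112 fails the checksum.
RECORDS = [
    "Jane Doe, SSN 123-45-6789, hired 2014-03-03",
    "card 4111 1111 1111 1111 charged to John Smith on 2014-03-04",
    "order 4111111111111112 shipped to John Smith",
    "ticket 555-55-5555 reported by a caller",
    "contact: Mary Jones, ext 4321",
]

if __name__ == "__main__":
    for result in scan(RECORDS):
        flag = "PI " if result["personal_information"] else "-- "
        print(flag, result["elements"], redact(result["record"]))
```

The fourth record shows the definition's edge: an SSN with no name attached is not "personal information" under 201 CMR 17, although a DLP rule would normally still block it on the way out.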
MDM: Mobile Device Management
- Do you allow personal phones to connect to your network or e-mail servers?
- Are you able to remotely check settings and wipe data in the event of a loss or employee termination?
- PIN and encryption enforcement
- Do you limit what applications can be installed?
- Do you limit what websites employees can go to on their phones?
- Would an employee know who to report a loss to?
DDoS Mitigation
- Excess bandwidth
- ISP filters
- Dedicated and specialized equipment
- Customer and server segregation
- DNS and low TTLs
- 3rd-party protection: CloudFlare, Prolexic (now part of Akamai)
SCADA Controls
Supervisory Control And Data Acquisition: monitor and control heating, ventilation, and air conditioning (HVAC) systems, physical access, and energy consumption. Many Fortune 1000 companies have these somewhere (data center, facilities, etc.). Specialized hardware that often runs small, dedicated software/web servers.
Some tips:
- Separate with VLANs, firewalls/routers, MPLS
- Limit access to necessary personnel only
- Have maintenance work with IT staff to ensure proper configuration
- Investigate how to keep the system up-to-date
Policies and Procedures
AUP (Acceptable Use Policy)
- Users understand potentially everything they do is monitored
- No outside software may be installed
- Limited personal use
- Consequences for not following policies
- Don't leave laptops in plain view or in unlocked vehicles
- Example template cited on the slide: ...Use Policy.pdf
Written Information Security Program (WISP)
- Required under 201 CMR 17 for any business that owns or licenses personal information about Massachusetts residents, wherever the business itself is located
SECURITY CONTROLS BASELINE
General IT controls any business should have in place.
Frameworks
- ITIL
- COBIT
- ISO 27001, 27002, etc.
- NIST
- COSO
- Others
They can be long, complex, generic (too high-level), industry specific, etc. In other words, many have similar pitfalls to legal and regulatory compliance!
SANS 20 Critical Security Controls
A list of the top 20 critical security controls (CSCs) was agreed upon and outlined, taking risk into consideration. Collaborative work across various governmental, public, and private organizations:
- U.S. Department of Homeland Security
- U.S. Department of State, Office of the CISO
- MITRE Corporation
- SANS Institute
A great foundation for any security program: tangible, measurable, free advice that includes examples of processes and technologies to implement.
SANS CSCs Numbers 1-10
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training
10: Secure Configurations for Network Devices
Wording shortened to fit on the slide; full text available from SANS (URL cut off in the transcription).
SANS CSCs Numbers 11-20
11: Limitation and Control of Network Ports, Protocols, Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
Wording shortened to fit on the slide; full text available from SANS (URL cut off in the transcription).
Example: CSC 1, Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Why Do We Care About Inventory?
Helps understand what's out there:
- Are rogue devices on your network?
- Is old hardware still online that shouldn't be?
- Are people bringing in personal devices?
- Are there DR systems? Are they being backed up?
- Are departments buying equipment outside of the supply chain process?
- Did equipment suddenly go missing?
Helps to track down devices quickly in the event of a breach or security incident.
How To Implement Inventory Control
(The slide's effort scale runs from "easy win" at CSC 1-1 to "more effort" at 1-4, and from "more effort" at 1-5 to "advanced" at 1-7.)
- CSC 1-1: Deploy an automated asset inventory discovery tool
- CSC 1-2: Deploy dynamic host configuration protocol (DHCP) server logging
- CSC 1-3: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network
- CSC 1-4: Maintain an asset inventory
- CSC 1-5: Deploy network-level authentication via 802.1X to limit and control which devices can be connected to the network
- CSC 1-6: Deploy network access control (NAC) to monitor authorized systems
- CSC 1-7: Utilize client certificates to validate and authenticate systems prior to connecting to the private network
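The cheap end of CSC 1 in working form, as an added example (not from the presentation or from SANS): DHCP server logging (CSC 1-2) reconciled against a maintained inventory (CSC 1-4) answers the questions on the "Why Do We Care About Inventory?" slide without an agent or a scanner. The dhcpd log lines, the inventory and its field names are constructed; the DHCPACK line shape follows ISC dhcpd's syslog output.

```python
"""Reconciling DHCP server logs against the asset inventory, as an added
example (constructed; not from the presentation). DHCP logging (CSC 1-2)
checked against a maintained inventory (CSC 1-4) surfaces unknown, retired
and misreporting devices."""
from __future__ import annotations
import re

# ISC dhcpd syslog line. Only DHCPACK binds an address; DISCOVER/OFFER/REQUEST are ignored.
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed inventory keyed by MAC (in reality a CMDB or procurement export).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"asset": "LT-0412", "hostname": "jsmith-laptop", "status": "active"},
    "00:1a:2b:3c:4d:5f": {"asset": "SV-0007", "hostname": "fileserver-old", "status": "retired"},
    "00:1a:2b:3c:4d:60": {"asset": "LT-0413", "hostname": "mlee-laptop", "status": "active"},
}

# Constructed log extract (not a real capture).
DHCP_LOG = """\
Mar 10 09:12:44 dhcp01 dhcpd: DHCPACK on 10.10.5.23 to 00:1a:2b:3c:4d:5e (jsmith-laptop) via eth0
Mar 10 09:13:02 dhcp01 dhcpd: DHCPACK on 10.10.5.24 to 00:1a:2b:3c:4d:5f (fileserver-old) via eth0
Mar 10 09:15:10 dhcp01 dhcpd: DHCPACK on 10.10.5.25 to a4:5e:60:aa:bb:cc (iPhone) via eth0
Mar 10 09:16:40 dhcp01 dhcpd: DHCPACK on 10.10.5.26 to 00:1a:2b:3c:4d:60 (kali) via eth0
Mar 10 09:17:00 dhcp01 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:61 via eth0
"""


def parse_acks(log_text: str) -> dict[str, dict]:
    """Latest acknowledged lease per MAC: {mac: {"ip", "hostname", "iface"}}."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = {"ip": m["ip"], "hostname": m["hostname"] or "",
                                        "iface": m["iface"]}
    return leases


def reconcile(log_text: str, inventory: dict) -> list[dict]:
    """One finding per MAC that the inventory cannot account for:
    unknown device, retired asset still online, or a hostname that does not match."""
    findings = []
    for mac, lease in parse_acks(log_text).items():
        asset = inventory.get(mac)
        if asset is None:
            finding = "not in inventory"
        elif asset["status"] != "active":
            finding = f"{asset['status']} asset still online"
        elif lease["hostname"] and lease["hostname"] != asset["hostname"]:
            finding = f"hostname mismatch (inventory: {asset['hostname']}, lease: {lease['hostname']})"
        else:
            continue
        findings.append({"mac": mac, "ip": lease["ip"],
                         "asset": asset["asset"] if asset else None, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in reconcile(DHCP_LOG, INVENTORY):
        print(f"{f['ip']:14} {f['mac']}  {f['asset'] or '-':8} {f['finding']}")
```

The three findings map onto the slide's questions: the unknown MAC is the rogue or personal device, the retired server is old hardware still online, and the renamed laptop is the kind of change worth a quick follow-up. Static addresses never appear in DHCP logs, which is why the slide lists discovery tooling (1-1) alongside it.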
Some Final Thoughts 1/3
Social media
- Who manages your social media pages? Are they taking precautions to secure your brand?
- If you don't have a Twitter feed, what's to stop me from pretending to be you?
- Are they available in an emergency?
- Are you monitoring the web for your company name/files? pastebin.com, Google, forums
Mobile tethering/hotspots used to circumvent internal protections
DNS service: who manages the account? How is that account protected?
Some Final Thoughts 2/3
Declaring a digital emergency
- Who would be involved? Who makes the final call?
- How is communication managed within the organization?
- BC/DR site?
Mass notification during an emergency
- Employee call list
- E-mail addresses of all customers, in the event of a breach
Honeypots and open-source/cheap scanning software: Metasploit, Nexpose, Nessus, owasp.org (Open Web Application Security Project)
Some Final Thoughts 3/3
Code scanning software
- Known poor coding standards
- Copy/paste of OSS code
The insider threat
- Users with elevated privileges: who's watching the watchers?
- What happens when an IT administrator leaves?
Get rid of old devices (securely)
- Printers, ancient servers, hard drives
- Recycle and make some money!
Statistics About Data Breaches
- Two-thirds of the breaches took months or more to discover.
- 69% of all breaches were discovered by someone outside the affected organization.
- German and US companies had the most costly data breaches ($199 and $188 per record, respectively).
Source cited on the slide: Ponemon 2013 Cost of a Data Breach Report
Questions?
Jake McAleer, Senior IT Security and Audit Manager, O'Connor & Drew, P.C.
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationSenaca Shield Presents 10 Top Tip For Small Business Cyber Security
Senaca Shield Presents 10 Top Tip For Small Business Cyber Security Presented by Liam O Connor www.senacashield.com info@senacashield.com #Senacashield Small businesses need cyber security too. This slide
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationData Security in a Mobile, Cloud-Based World
Data Security in a Mobile, Cloud-Based World Jacob Buckley-Fortin CEO ehana What we ll cover Trends Risks Recommendations 1 Trends Mobile Has Taken Over Trend #1 2 3 450 million users worldwide Adopted
More informationwhitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance
Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance Table of Contents 3 10 Essential Steps 3 Understand the Requirements 4 Implement IT Controls that Affect your
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationTop 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World
Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society
More informationWe are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review
We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review The security threat landscape is constantly changing and it is important to periodically review a business
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationI n f o r m a t i o n S e c u r i t y
We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments.
More informationSecurity, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32
Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization
More informationAssessing the Effectiveness of a Cybersecurity Program
Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationHow a Company s IT Systems Can Be Breached Despite Strict Security Protocols
How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911 Overview Good
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationCloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP
More informationAnatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow
Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationJumpstarting Your Security Awareness Program
Jumpstarting Your Security Awareness Program Michael Holcomb Director, Information Security HO20110473 1 Jumpstarting Your Security Awareness Program Classification: Confidential Owner: Michael Holcomb
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationUnderstanding Vulnerability Management Life Cycle Functions
Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability
More informationAutomate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More information