Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard
Christchurch Polytechnic Institute of Technology
Information Systems Acquisition, Development and Maintenance Security Standard

Corporate Policies & Procedures, Section 1: General Administration, Document CPP121e
Information Communication Technology Division

Document hierarchy: Principles / Security Policy / Security Standards / Guidelines and Procedures
Security Standard, aligned with AS/NZS ISO/IEC 27001:2006 for Information Security Management

Contents
1 INTRODUCTION
2 SYSTEMS DEVELOPMENT LIFECYCLE SECURITY STANDARDS
  2.1 SDLC: Design Standards
  2.2 SDLC: Development Standards
  2.3 SDLC: Test Standards
  2.4 SDLC: Implementation and Deployment Standards
3 ACQUISITION OF SOFTWARE
  3.1 Security Assessment
  3.2 Software Purchasing and Licensing
4 CRYPTOGRAPHY, CONFIDENTIALITY AND COPYRIGHT SECURITY STANDARD
  4.1 Cryptography
  4.2 ICT Confidentiality and Copyright Standard

Information Systems Acquisition, Development and Maintenance Standard, Page 2 of 15

Information Systems Acquisition, Development and Maintenance Security Standard

Purpose: This security standard defines the recommended security practices for designing, building, testing and implementing software applications through the Software Development Lifecycle (SDLC) process. It applies to developing new software, customising software and developing software that is accessed or presented on a website. This document sets the benchmark for developing secure code and provides a clear indication of the processes to follow from design to implementation. In addition, this security standard recommends the security measures to be considered when acquiring new packaged software.

Authorised: Document Owner / ICT Director / Information Systems Manager
Date of Issue: 15 March 2012
Review Date: November 2014
Version: 2.3

References: This document should be read in conjunction with the ICT Security Policy and with the following ICT Security Standards:
1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Physical and Environmental Security Standard
4. Access Control Security Standard
5. Communications and Operations Management Standard

1 INTRODUCTION

Building security into systems during their development is more cost-effective and secure than applying it afterwards. Sound disciplines are required throughout the software development lifecycle to ensure that information security is addressed at each stage. The principles of secure software development can also be applied when acquiring new packaged software, to evaluate whether third party suppliers apply appropriate security measures. Cryptography is a security control that protects the confidentiality and integrity of information and can be used to confirm the identity of the originator.

This Security Standard recommends security measures that the Institution needs to consider within the following software development processes:
- SDLC Design: standards used during the design stage of the SDLC. It is important that security is considered from the outset when designing a new software solution or web service.
- SDLC Development: standards used when developing software applications and web services, including SharePoint. This includes defining the environments where software is developed and the tools used to develop new services.
- SDLC Testing: standards used when testing new software or web services.
- SDLC Implementation: standards used when deploying new software into the Institution's production environment. This includes a checklist to be followed.
- Acquisition: standards for acquiring new software, to minimise the introduction of new services that may compromise security.
- Cryptology: standards to be followed on cryptology, when to use it, its benefits and best practices.
- Confidentiality and Copyright: standards to safeguard information exchange and to prevent copyright infringements.
2 SYSTEMS DEVELOPMENT LIFECYCLE SECURITY STANDARDS

The Systems Development Lifecycle (SDLC) is the process followed for developing and implementing software applications and includes the following stages:
- Design Stage
- Development Stage
- Test Stage
- Implementation and Deployment Stage

Information security needs to be considered across all stages of the SDLC to ensure appropriate protection for the information being collected, stored, transmitted or presented. It is important that security is considered from the outset when first designing new software or new services. Security standards for the SDLC are described within this document.

2.1 SDLC: Design Standards

The objective of this stage is to ensure that security risks are considered when designing a software application, a new software service or a web service, including those designed for SharePoint.

Design Assessments

The systems Design Stage should involve completing the following assessments:
- Data Flow Assessment, to highlight the flow of information through the system and identify any potential security risks. This includes data inputs and connections to the system, transmission of data between the system components, storage of information, access to databases and other types of storage, and connections to other systems or applications. In an agile development this may not be achievable up front, but it should be continually assessed and documented, e.g. using a data flow diagram.
- Identification of specific security controls required by a particular activity at the Institute (for example, linking an application to a human resources database may require a higher level of security control).
- Consideration of the ICT Security Policy and the requirements defined within this document, for example the password management standards.

In addition, for new software development, review the design principles checklist (shown below) and prepare a design brief on the security architecture being used. This is to provide an explanation of any security measures being used, including details of the security risks, mitigating actions and any particular security risks not being addressed. Socialise the design brief with the Senior Solutions Architect and Information Systems Manager.

Security Design Principles

When designing a new software service the following Design Principles Checklist is to be used as the guiding principles for design.

Design Principles Checklist (columns: Ref, Security Design Principle, Considered in Design)
1. Defence in Depth. Follow a design approach of 'defence in depth', with multiple layers of protection incorporated into the design. The Defence in Depth methodology supports the use of multiple security measures rather than a single control (reliance on a single security control increases the security risk). The layers may include encrypting data when it is transmitted externally, or restricting transmission to an agreed period of time or to an identified internal address.
2. Design to leverage a minimum set of well-established development frameworks which implement good security frameworks. Consider more intensive security assessment and testing if a framework is not used.
3. Design with the assumption that all connections that originate from the Internet or other external sources (external companies, overseas connections, partners) are insecure and malicious.
4. Design with security defaults enabled. Reducing the 'out of the box' security controls in place will increase security risk. This is particularly important when using SharePoint or other web services that are accessed through the Internet.
5. Design to operate with the least number of privileges: only the minimum account privileges are granted to a user or a process when accessing an application, and not a high-privileged account (like Windows Administrator or SA in SQL).
6. Only design with dependence on components of externally acquired software, utilities or libraries which have been thoroughly assessed for security risks, and only with agreement by the Senior Solutions Architect or the Information Systems Manager.

It is recommended that the information gathered in the design principles checklist is used as part of the design brief.

Externally Acquired Software, Utilities and Libraries

The design principles checklist (point 6) raises that designing with the use of externally acquired software, utilities and libraries requires careful analysis. The recommendation is that all components are evaluated and the security risks considered before deciding to use them within a design. Particular attention may be given to shareware and free or open source components.

Note: This includes the many downloadable SharePoint utilities which can be added to a SharePoint library and provide useful services to CPIT staff without the need to develop new code.

Component Evaluation

The evaluation process should determine that good documentation and training material is available, technical support can be obtained, access rights meet the ICT Security Policy, updates are provided and the source is reputable.
Security Controls

The Design Stage should include an assessment of the possible security controls that can be included within the design of the software application or service. It is important to consider these controls before finalising the software development. The security controls to be considered are listed below in a table tick-box format which may be used when assessing the design process to be followed.

Checklist of security controls to be considered when designing a new software service (columns: Ref, Security Control, Applied)
1. Information entered is validated, including range checks, check digits, making any key fields mandatory and rejecting unaccepted key strokes.
2. Information integrity is checked for accuracy, completeness and validity of the information entered and, if possible, reconciled against authoritative information.
3. Detection of unauthorised or incorrect changes to information (use of checksum tools, reconciliation back to the original source).
4. Protection of information from being accidentally overwritten, for example by defining write-protected fields or locations.
5. Prevent internal information being disclosed to unauthorised individuals through application error messages or web server error messages (for example, errors not displaying the software used to develop the service).
6. Establish error logs, exception reports and event logs (automated as much as possible to reduce administration).

2.2 SDLC: Development Standards

Developing software applications or customising software applications should follow industry best practice and consider security as part of the build process. This stage includes recommended standards on the:
- Application Build Process Standards
- Web Development Security Standards
- Development Environment Standards

Application Build Process Standards

The Application Build Process, including coding and customisation, should be completed following best practice standards. Software builds should comply with good standards on system coding, including structured programming techniques, secure code and documenting code as advised within this standard. When coding systems, insecure practices such as using hard-coded passwords and insecure database lookups should be avoided. Externally acquired libraries or code examples are to be treated with caution and require approval for use from the Senior Systems Architect.

Any defects or bugs are recorded within a defect log or similar system to record the issue and mitigating action. All software, new or customised, needs to be approved and signed off before moving into the Test Stage.

Development Environment Standards

Software development should be performed in a secure environment. Ideally this environment will be isolated as much as possible from the live and testing environments and protected against unauthorised access. The objective is to provide a secure development environment to support software development and avoid the potential for disruption to production business activities. The standards to be followed are:
- Software development environments should be separated from the production environment as much as possible, to avoid the potential of a production service being impacted by malicious code or an inappropriate change.
- Software development computers should be suitably protected (for example using a firewall on a desktop computer and virus protection), dependent upon the level of confidentiality or sensitivity of the application being developed.
- Source code should be protected from unauthorised access and tampering using Git or other industry-standard tools to check in and check out software applications.

Why keep software development computers isolated? It is best practice to isolate computers that are used to develop software applications. This is to prevent untrusted malicious mobile code, for example executable code in the form of Java applets, Microsoft ActiveX, JavaScript or VBScript, from being downloaded into the software development environment and then infecting production systems. Solutions include web filtering software on the desktop, a firewall or physical isolation.

Web Development Security Standards

Increased security risks are associated with the development of web-enabled applications, like those used on www websites, extranets and SharePoint. External web servers hosting web applications should meet the following standards:
- Based on documented and approved application programming interfaces (APIs).
- Sensitive information in transit should be protected against disclosure by using encryption, for example Secure Sockets Layer (SSL), and by using HTTP PUT operations rather than GET operations.
- Web application sessions should be protected against session hijack or cloning by using session IDs that are randomly generated and by configuring the security parameters in cookies used to hold session information (session ID cookies are to be expired once an agreed parameter has been met or a time period has been exceeded).
- Suppressing or modifying the server field in HTTP headers that identifies the web server's brand and version.
- Ensuring that source code in HTML, JavaScript and other client-side scripting languages does not contain unnecessary information.
- Server side executables and scripts (CGI, ISAPI) should not be configured to record actions performed.
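One way to implement several of the web development controls listed above (randomly generated session IDs, cookie security parameters with an agreed expiry, suppression of the server-identifying header, and error responses that do not disclose internals, per control 5 of the design checklist), as an added Python example that is not part of the CPIT standard. The cookie name, the 30-minute timeout and the set of headers suppressed are assumptions chosen for illustration.

```python
import logging
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "CPITSESSID"      # assumed cookie name, chosen for illustration
IDLE_TIMEOUT_SECONDS = 30 * 60     # assumed "agreed time period" for session expiry

# Response headers that reveal the web server's or framework's brand and version
# (assumed list; extend it for whatever your server actually emits).
REVEALING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

log = logging.getLogger("webapp")


def new_session_id() -> str:
    """Session ID from the OS CSPRNG (32 random bytes, about 256 bits of entropy).

    A counter, timestamp or user name would let an attacker predict other
    users' IDs; secrets.token_urlsafe is the standard library's supported way
    to generate unguessable tokens.
    """
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie value carrying the session ID with the security
    parameters the standard calls for:
      HttpOnly  - not readable by client-side script (limits theft via XSS)
      Secure    - only sent over HTTPS, so the ID is not exposed in transit
      SameSite  - not attached to cross-site requests
      Max-Age   - the browser discards the cookie after the agreed period
    'secure' should only be False for local development over plain HTTP.
    """
    attrs = [
        f"{SESSION_COOKIE}={session_id}",
        "Path=/",
        "HttpOnly",
        "SameSite=Strict",
        f"Max-Age={IDLE_TIMEOUT_SECONDS}",
    ]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def session_expired(issued_at: float, now: Optional[float] = None) -> bool:
    """Server-side expiry check on the session store's own timestamps.

    Max-Age only asks the browser to drop the cookie; the server must enforce
    the time limit itself or a captured ID stays valid indefinitely.
    """
    now = time.time() if now is None else now
    return (now - issued_at) > IDLE_TIMEOUT_SECONDS


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the outgoing headers with server-identifying fields
    removed (the 'suppress or modify the server field' standard)."""
    return {k: v for k, v in headers.items() if k.lower() not in REVEALING_HEADERS}


def safe_error_response(exc: Exception, reference: Optional[str] = None) -> Tuple[int, str]:
    """Map an unhandled exception to a response that leaks nothing internal.

    The full exception (and therefore any SQL text, file paths or framework
    names it carries) goes to the event log under an opaque reference; the
    user sees only a generic message plus that reference, so support staff
    can still locate the log entry.
    """
    ref = reference or secrets.token_hex(8)
    log.error("error ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
    body = f"An error occurred. Please quote reference {ref} when contacting support."
    return 500, body


if __name__ == "__main__":
    # Constructed walk-through: a new login, hardened headers, then a failing request.
    sid = new_session_id()
    print(session_cookie_header(sid))
    print(harden_headers({"Server": "Apache/2.2.x (Unix)", "Content-Type": "text/html"}))
    print(safe_error_response(RuntimeError("database 'hr' at /srv/app/db.py unreachable")))
```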
2.3 SDLC: Test Standards

Testing is a fundamental element of good practice in systems development. Planned well and performed correctly, it provides assurance that systems function as intended and reduces the likelihood of systems malfunctioning or introducing a security vulnerability. The following standards should be observed:
- A test environment should be created independently of the software development and live production environments.
- The hardware, operating systems and supporting software components currently in use are to be used to test the software application. Similarly, the different web browsers in use are to be used to test web applications if the application is accessible through multiple browsers.
- Systems should be tested in accordance with predefined, documented test plans.
- Acceptance Testing should:
  o Include end users, students, academics or process owners
  o Simulate the production environment
  o Typically require sign-off to acknowledge the system performs as expected
- Security Acceptance Testing should:
  o Be reviewed against the security controls agreed during design to assess compliance
  o Assess the need for stress testing under high data loads or transactions
  o Assess the need for sociability testing in the deployment environment where appropriate
  o As necessary, and dependent upon the service being implemented, consider penetration testing, either through third party engagements or software penetration tools specifically designed to run against abnormal datasets
- Dependent upon the software application's role and the agreed security risk, additional security reviews can include third parties conducting code assessment reviews to detect vulnerabilities.
- Software development code should be sanitised prior to moving to production environments. The following checklist should be used before agreeing to move software to a production environment.

Sanitise Code Checklist (columns: Ref, Sanitise Code Checklist, Applied)
1. Remove any authentication details used in the test environment
2. Remove any test accounts or passwords used
3. Remove any test organisational details or academic groups
4. Remove any test data
5. Follow the appropriate Release and Change Management Processes
6. Design Stage (2.1) security standards have been followed

Software development staff should be prevented from making unauthorised changes to live environments.

2.4 SDLC: Implementation and Deployment Standards

Before deploying software applications into a production environment, final checks are required to ensure that all security risks have been addressed. The objective is to ensure that only tested and approved versions of software are promoted into a live environment. The following checklist needs to be followed before agreeing to implement a software application.

Implementation Check List (columns: Ref, Implementation Security Control Checklist, Checked)
1. Review that the security controls agreed in the Design have been undertaken, or that there is approval for not completing these steps.
2. All necessary software patches or updates are applied before updating the software within a production environment.
3. All development issues/bugs have been closed off (defect logs are typically used to record issues).
4. Any legal requirements (like copyright/disclaimers) are added to the footer (this includes web pages).
5. Test data, test accounts or test messaging have been removed.
6. Any agreements with third parties have been finalised.
7. Appropriate Release and Change Management processes have been followed.
3 ACQUISITION OF SOFTWARE

Acquiring new software should be done with consideration of the ICT Security Policy, the security architecture in place and licensing. The objective is to ensure that any new software acquired from a third party does not compromise security, does not impact production services at the Institution, and is legal. When acquiring software the following best practices are recommended:
- Software should be selected from a list of approved suppliers; if not, the supplier and software should be fully assessed for security compliance.
- Security requirements form part of any acceptance process, like a Request For Information (RFI) or Request For Proposal (RFP).
- Software needs to be appropriately licensed for its intended use at CPIT.
- Perform a security checklist exercise to ascertain security awareness and any risks.

3.1 Security Assessment

A security assessment checklist should be used to review the supplier's security awareness, understand security requirements and recommended security practices. An assessment typically includes interviewing the supplier and asking them to reply to the questions you raise.

Security Assessment Checklist (columns: Ref, Software Acquisition Security Checklist, Checked)
1. Assess the ease of use to implement the solution; the greater the complexity, the greater the increase in security risk.
2. Assess the level of privileges that are required to install and operate the software. The product should not require high-privileged accounts to operate.
3. Identify interoperability and information flow to identify any security risks.
4. Review the security statement for the product and the recommended security settings. It is expected that the product will operate securely out of the box and that the company has made it clear what security controls have been followed.
5. Assess the product against the principle of defence in depth; the more security controls in place, the better the level of security.
6. Check that the product authenticates against and is integrated with Active Directory or LDAP, to minimise the need for a second authentication process.

In addition, dependent upon the software product being purchased, it may be prudent to ask the supplier questions on the security controls within their product. The following are examples of recommended questions:
- Assess the supplier's experience, viability and support arrangements; review example SLA agreements to determine if they meet expectations.
- Assess the supplier's ability to patch security issues and the process it will take to write and distribute updates. It is expected that a critical update will be available in hours, not days. Review the supplier's history of identifying security issues and time to release patches.
- Assess the supplier's technical road-map to develop the application and support new systems (like upgrades to operating systems).
- Ask the same questions of the supplier's technical staff (not sales staff) to see if you get the same response.

3.2 Software Purchasing and Licensing

Software license agreements vary. Some licenses allow for use by one individual but can be installed on multiple computers. Other licenses stipulate a single machine. In addition, CPIT has software that is licensed for teaching purposes only and may not be used for any other purposes. Compliance is mandatory as defined within the ICT Policy. The following standards are to be observed:
- All software should be purchased through the ICT division, who will record license agreement details and keep copies of the ICT media.
- All freeware software needs to be registered to CPIT and details passed to ICT for recording within the appropriate asset registers.
- Staff are to inform ICT when new software is under evaluation and follow the agreed practices within ICT for evaluating the software, whilst noting the security assessment in section 3.1.
4 CRYPTOGRAPHY, CONFIDENTIALITY AND COPYRIGHT SECURITY STANDARD

Cryptography is an important aspect of information security. Cryptography can help enforce the confidentiality and integrity of information and provide a means to verify the individual or organisation. This section also recommends standards on copyright security for software.

4.1 Cryptography

Encryption

To protect the confidentiality of sensitive information, encryption is to be used when necessary. The following standards are recommended:
- All internet-facing services that contain restricted information (this includes personal information and authentication details) or require a higher degree of privacy should be accessed through an HTTPS connection. This also includes any financial services which involve payment across the internet or processing of payment details.
- Connections between applications that access private information or financial information, and which are not physically or logically protected, are to be encrypted; this includes connections on a local area network.

What is restricted information? Reference: Data Governance Standards. Note that restricted information is any data or material that, if compromised, could have a material adverse effect on Institute interests, the operations of the Institute or the privacy to which individuals are entitled.

The appropriate encryption is to be reviewed each time a major software application is being developed. The current standard (December 2010) recommended is the Advanced Encryption Standard (AES).

Digital Signatures and Certificates

Digital signatures protect the authenticity and integrity of the electronic information being transferred. The digital signature verifies who signed the document and whether the document has been altered. The key to digital signatures is maintaining the secrecy of the private key. The following standards apply:
- Access to encryption keys must be strictly limited to staff requiring access.
- Keys are not to be made available to third parties and remain the property of CPIT.
- If encryption keys are transmitted over the network, this is to be done securely.

Hash Algorithm

To maintain the integrity of information and to complete additional security checks against data manipulation, buffer overruns or tampering of information, hash algorithms can be included within the software development.

4.2 ICT Confidentiality and Copyright Standard

The confidentiality of Institute information is a concern when the Internet presents the opportunity to freely contribute and share information. To safeguard CPIT information a copyright statement has been implemented. The following information supplements the information within the CPIT copyright statement.

Employees should not transmit sensitive Institute information through the Internet. If there is no alternative communication method available and all parties agree to information being transmitted through the Internet, then secure procedures are to be followed to confirm receipt and encrypt contents. ICT can advise on a secure transmission process.

Why worry about copyright? It is too easy to download copyrighted material from the Internet, on-line databases and other public sources without regard to the fact that copying is unauthorised and a violation of copyright laws. This could lead to an embarrassing court action or internet access being restricted.

Published Institute Internet content, on Internet web pages, collaboration extranets or download sites, should also be protected with a copyright notice. This is required to stipulate that the site is legally protected through copyright and that redistribution or reproduction is an illegal offence.

This is the end of the Information Systems Acquisition, Development and Maintenance Security Standard. This standard is one of six standards that provide advice and guidance on the best practices to follow when using and accessing ICT services. The other standards are available on the Christchurch Polytechnic ICT intranet.
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationBrainloop Cloud Security
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
More informationElectronic business conditions of use
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
More informationBusiness Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:
Module Db Technical Solution Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Cost is reduced through greater economies of scale, removal of duplication
More informationSECURITY DOCUMENT. BetterTranslationTechnology
SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of
More informationOnline Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice
Online Data Services Security Guidelines Online Data Services by Esri UK Security Best Practice 28 November 2014 Contents Contents... 1 1. Introduction... 2 2. Data Service Accounts, Security and Fair
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationE-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications
Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationRAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER
RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationMUNICIPAL WIRELESS NETWORK
MUNICIPAL WIRELESS NETWORK May 2009 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationICT OPERATING SYSTEM SECURITY CONTROLS POLICY
ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationCloudDesk - Security in the Cloud INFORMATION
CloudDesk - Security in the Cloud INFORMATION INFORMATION CloudDesk SECURITY IN THE CLOUD 3 GOVERNANCE AND INFORMATION SECURITY 3 DATA CENTRES 3 DATA RESILIENCE 3 DATA BACKUP 4 ELECTRONIC ACCESS TO SERVICES
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationEmail Management and Security Good Practice Guide. August 2009
Email Management and Security Good Practice Guide August 2009 contents 1 Introduction to Good Practice Guides 3 2 Email Management and Security Overview 3 2.1 Understanding Good and Better Practice 4 3
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationQuestion Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationAppendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY
Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationHow To Secure Your Data Center From Hackers
Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard
More informationAcceptable Use of ICT Policy For Staff
Policy Document Acceptable Use of ICT Policy For Staff Acceptable Use of ICT Policy For Staff Policy Implementation Date Review Date and Frequency January 2012 Every two Years Rev 1: 26 January 2014 Policy
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationApplication Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag
Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationBodywhys Privacy Policy
Bodywhys Privacy Policy Website Bodywhys respects the privacy of all visitors to our website. This website privacy statement outlines our policy concerning the use and collection of personal information
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationBANKING SECURITY and COMPLIANCE
BANKING SECURITY and COMPLIANCE Cashing In On Banking Security and Compliance With awareness of data breaches at an all-time high, banking institutions are working hard to implement policies and solutions
More informationXerox DocuShare Security Features. Security White Paper
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
More informationGuidance for Data Users on the Collection and Use of Personal Data through the Internet 1
Guidance for Data Users on the Collection and Use of Personal Data through the Internet Introduction Operating online businesses or services, whether by commercial enterprises, non-government organisations
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationChapter 8 A secure virtual web database environment
Chapter 8 Information security with special reference to database interconnectivity Page 146 8.1 Introduction The previous three chapters investigated current state-of-the-art database security services
More informationBYOD Guidance: BlackBerry Secure Work Space
GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationData Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
More informationHyde School Student Computer Systems Acceptable Use Policy
Hyde School Student Computer Systems Acceptable Use Policy A. Hyde School Computer Systems and Internet Access Please read the following carefully before signing this document. This is a legally binding
More informationVoltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
More informationWICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationThe Office of the Government Chief Information Officer INTERNET GATEWAY SECURITY GUIDELINES [G50]
The Office of the Government Chief Information Officer INTERNET GATEWAY SECURITY GUIDELINES [G50] Version : 5.0 September 2012 The Government of the Hong Kong Special Administrative Region COPYRIGHT NOTICE
More informationG- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview
Description C Service Overview G- Cloud Specialist Cloud Services Security and Penetration Testing This document provides a description of TVS s Security and Penetration Testing Service offered under the
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationSecuring your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
More informationHow Managed File Transfer Addresses HIPAA Requirements for ephi
How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationHow Reflection Software Facilitates PCI DSS Compliance
Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationSplunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk
More informationOur Key Security Features Are:
September 2014 Version v1.8" Thank you for your interest in PasswordBox. On the following pages, you ll find a technical overview of the comprehensive security measures PasswordBox uses to protect your
More informationAlice. Software as a Service(SaaS) Delivery Platform. innovation is simplicity
Ekartha, Inc. 63 Cutter Mill Road Great Neck, N.Y. 11021 Tel.: (516) 773-3533 Ekartha India Pvt. Ltd. 814/B Law College Road Demech House, 4th Floor Erandwane, Pune, India Email: info@ekartha.com Web:
More informationSecurity Features: Lettings & Property Management Software
Security Features: Lettings & Property Management Software V 2.0 (23/02/2015) Table of Contents Introduction to Web Application Security... 2 Potential Security Vulnerabilities for Web Applications...
More informationPrivyLink Internet Application Security Environment *
WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.
More informationSecuring your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationHIPAA Compliance and Wireless Networks
HIPAA Compliance and Wireless Networks White Paper 2004 Cranite Systems, Inc. All Rights Reserved. All materials contained in this document are the copyrighted property of Cranite Systems, Inc. and/or
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More information