DIA Network Device Security Management Performance Audit

Save this PDF as:
Size: px
Start display at page:

Download "DIA Network Device Security Management Performance Audit"

Transcription

1 DIA Network Device Security Management Performance Audit June 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor

2 The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher, Chair Maurice Goodgaine Leslie Mitchell Rudolfo Payan Robert Bishop Jeffrey Hart Timothy O Brien, Vice-Chair Audit Staff Audrey Donovan, Deputy Director, CIA, CRMA, CGAP Robert Pierce, IT Audit Supervisor, CISA, CISSP Shannon Kuhn, Lead IT Auditor, CISA Nicholas Jimroglou, Senior IT Auditor Jacqueline Boline, Senior IT Auditor You can obtain copies of this report by contacting us at: 201 West Colfax Avenue, Department 705 Denver CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at:

3 City and County of Denver 201 West Colfax Avenue, Department 705 Denver, Colorado FAX Dennis J. Gallagher Auditor June 19, 2014 Ms. Kim Day, Manager of Aviation Department of Aviation City and County of Denver Dear Ms. Day: Attached is the Auditor s Office Audit Services Division s report of the audit of DIA Network Device Security Management. The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. The audit found that governance over the administration of network devices can be improved to increase the security and availability of DIA s network. Effective network device management helps minimize the risk of network disruptions that could impact business operations. If you have any questions, please call Kip Memmott, Director of Audit Services, at Sincerely, Dennis J. Gallagher Auditor DJG/sk cc: Honorable Michael Hancock, Mayor Honorable Members of City Council Members of Audit Committee Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer Ms. Janice Sinden, Chief of Staff Mr. David P. Edinger, Chief Performance Officer Ms. Beth Machann, Controller Mr. Scott Martinez, City Attorney Ms. Janna Young, City Council Executive Staff Director Mr. L. Michael Henry, Staff Director, Board of Ethics Mr. Patrick Heck, Chief Financial Officer, Aviation To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation

4 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Avenue, Department 705 Denver, Colorado FAX AUDITOR S REPORT We have completed an audit of network device management configuration and controls at Denver International Airport (DIA). The purpose of the audit was to examine and assess whether network access control devices and hardware were configured to industry standards and vendor recommendations. This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit found that network devices were adequately secured, however, process improvements could be made to improve DIA s network security and help ensure network availability. We extend our appreciation to Chris Larivee, Director of Operations, Technologies Division, Denver International Airport, and the personnel who assisted and cooperated with us during the audit. Audit Services Division Kip Memmott, MA, CGAP, CRMA Director of Audit Services To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation

5 DRAF T City and County of Denver Audit Services Division REPORT HIGHLIGHTS DIA Network Device Security Management June 2014 The audit focused on a review of the network infrastructure controls supporting the Denver International Airport (DIA), including network equipment performance and design standards, administration, management, and overall network device security. Background Airports Council International ranks DIA as the eighteenth busiest airport in the world. Managing day to day network operations for a busy airport such as DIA requires a stable and secure network environment. DIA Technologies is responsible for supporting the DIA network including managing hundreds of network devices such as routers, switches, and firewalls. The division also provides network services to merchants and passengers within the airport. Purpose The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. We assessed the administration of network devices and reviewed network device configurations based on DIA and manufacturer standards for network device configuration. We also reviewed the individuals who had access to configure network devices to ensure that they were current employees with access commensurate to job duties. Highlights DIA Technologies should continually update and adhere to their network administration standards to improve the overall security and availability of the DIA network. Our audit highlights that: Firewall rule sets are not consistently backed up Changes to network device configurations may be made that circumvent the formal change management process Administrative access to the management tool used to configure firewalls included individuals who no longer require access Passwords for network devices are not changed within the time frame required by DIA policy DIA Technologies does however appear to have strong controls in the following areas: Well documented network device daily operation procedures Standardized configuration and hardening network device rules Layered internal controls that strengthen network device security For a complete copy of this report, visit Or Contact the Auditor s Office at

6 TABLE OF CONTENTS INTRODUCTION & BACKGROUND 1 Denver International Airport s Data Network 1 Network Devices 1 Defense in Depth 2 SCOPE 5 OBJECTIVE 5 METHODOLOGY 5 FINDING 6 Process Improvements Are Necessary to Further Strengthen DIA Network Device Security 6 RECOMMENDATIONS 8 APPENDIX 9 Glossary of Technical Terminology 9 AGENCY RESPONSE 10

7 INTRODUCTION & BACKGROUND This audit of Denver International Airport s (DIA s) network device security management was performed as a subsequent audit to our DIA Network Security Management Performance Audit published in September The first audit focused on the physical security and environmental controls around storage of network equipment, whereas this audit focused on the internal controls and administration of the network devices themselves. Denver International Airport s Data Network The City and County of Denver operates a large and complex Metropolitan Area Network that supports City services throughout Denver, including the Denver International Airport (DIA). 2 Due to the diverse purposes and physical make-up of the City s networks, some portions of the network are managed by different agencies or departments. This audit focused on the portion of the network managed by the Technologies Department (Technologies) at DIA. DIA Technologies supports the data network infrastructure used by DIA business and security systems, such as, financial accounting, parking fees, access control and alarm monitoring, video surveillance, and emergency response. They also provide network services to some merchants, and facilitate, but do not manage, infrastructure used by other concessionaires, airlines, and Federal agencies, such as the Federal Aviation Administration (FAA) and the Transportation Security Administration (TSA). Network Devices Network devices are hardware components, including routers, switches, and firewalls, that are used to connect computers or other electronic devices to a network and control the flow of data on a network. 3 Device configurations within each network device are designed to distinguish authorized traffic from unauthorized traffic, as well as prevent unauthorized access to or from other networks or the Internet. Network devices can also be configured to allow or prevent certain Internet Protocol (IP) addresses and connection types from accessing the network. 4 In 2013, DIA Technologies provided data network and infrastructure services to more than 140 merchants 5 and 54 million passengers. 6 The DIA network infrastructure A Metropolitan Area Network connects offices distributed throughout the area of a large city. 3 This report contains a number of technical terms, which are described in the Appendix. 4 See additional technical definitions within the Appendix. 5 Denver International Airport Business Center website: accessed 5/8/ DIA, CM Mayor s Budget, pg. 684, accessed 5/8/2014. Page 1

8 supporting the network is stored in more than 150 locations throughout the airport. DIA s network environment has a complex architecture, in which hundreds of components are communicating and exchanging information twenty-four hours a day, seven days a week. Securing a large and complex network such as DIA s involves configuring devices based on agreed-upon hardening standards as well as a sound overall network governance strategy. 7 Defense in Depth One network security approach that is designed to help ensure network availability and manage security risks comes from a military strategy known as defense in depth. 8 A defense-in-depth approach to security spreads out defenses over a large area, rather than putting them all in one place. The concept of defense in depth applied to network security provides layers of security for a network environment so that if any one layer fails, there is another layer of security still in place to prevent unauthorized access. For example, sub-networks can be created within larger networks with their own unique security configurations that go above and beyond the normal network security. Any user or computer accessing the higher risk sub-network must comply with all of the security configurations of the larger network in addition to the security configurations of the subnetwork. This helps achieve the goal that if there is a security vulnerability with one area of the network, it does not lead to business interruption or widespread exposure to vulnerabilities throughout the rest of the network. Defense in Depth: A Layered Security Model Perimeter Network Secure Configuration Settings Monitoring and Blocking Auditing Authorization Authentication Source: Created by Audit Services Division Staff Organizations face both internal and external threats related to network security. As a result, Network Administrators have an enormous responsibility to stay up to date on 7 See additional technical definitions within the Appendix. 8 Ibid. City and County of Denver Page 2

9 emerging security vulnerabilities and attempt to stay ahead of attackers. Some network administration tasks related to security include keeping system software up to date, ensuring high availability, and detecting and responding to vulnerabilities or risks introduced into the environment. Leading industry breach analysis reports published by Verizon and the Ponemon Institute highlight a number of areas as having considerable risk associated with network device security and availability. The Verizon Data Breach Investigations Report (DBIR) is a comprehensive list of information technology threats facing global organizations. The report analyzes commonly observed incident patterns, as well as which industries face the biggest risk in particular areas. 9 Privileged access misuse was reported by the 2014 Verizon DBIR as one of the leading attack patterns for the transportation industry, specifically air transportation. Privileged access is elevated access that allows administrators to manage network devices, systems, applications, and network resources that require more permission than a typical user on a network. Authentication credentials, especially privileged credentials, can easily be exploited, if an employee s access remains active after employment has ended. The Verizon report illustrates how often privileged access was used to commit egregious acts against the global organizations polled by Verizon in As shown in Figure 1, out of 153 total incidents of insider misuse, 88% or 135 were found to be tied to privileged abuse. Figure 1: Top 10 threat action varieties within Insider Misuse for 2013 Embezzlement Unapproved software Theft Unapproved workaround Use of stolen creds Data mishandling misuse Bribery Unapproved hardware Privilege abuse Figure 1: Top 10 threat action varieties within Insider Misuse 0% 20% 40% 60% 80% 100% Source: Created by Audit Services Division Staff Recommended actions for minimizing privileged access misuse include regularly reviewing accounts that have privileged access and disabling network accounts when the account is no longer needed to perform job functions Data Breach Investigations Report, Verizon Website, accessed April 22, 2014, Page 3

10 Research performed by the Ponemon Institute on a sample of sixty U.S.-based organizations found that the three most costly cybercrimes that organizations deal with are denial of service attacks, malicious insiders, and web-based attacks. 10 Some risk associated with all three types of attacks can be mitigated through effective network device security governance. Figure 2 shows the cost associated with different types of cybercrime from 2010 through $250,000 Figure 2: Average annualized cybercrime cost weighted by attack frequency *The FY 2010 sample did not contain a company experiencing a DoS attack. $200,000 $150,000 $100,000 FY 2013 FY 2012 FY 2011 FY 2010 $50,000 $0 Denial of service* Malicious insiders Web-based attacks Source: Created by Audit Services division based on 2013 Ponemon Institute Report Network security and effective management of network devices is critical to protecting the infrastructure of an organization. As demonstrated by Figures 1 and 2, threats related to network attacks are a growing concern to organizations and can be costly. Good practices for ensuring overall network security and availability begin with strong network security governance and include hardening network devices, blocking unauthorized traffic, and validating that changes to network devices are documented and authorized. 10 See additional technical definitions within the Appendix. City and County of Denver Page 4

11 SCOPE This audit focused on the Denver International Airport (DIA) network segment managed by the DIA Technologies division, and excludes the portion of the DIA network that is partitioned to handle credit card payments. 11 In accordance with Generally Accepted Government Auditing Standards (GAGAS) the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings have been presented to the DIA Technologies Division Director of Operations. OBJECTIVE The objective of this audit was to evaluate whether network devices are protected and managed according to internal procedural standards, industry best practices, and vendor recommendations to ensure continued and secure operations. METHODOLOGY We used the following methodologies to meet our audit objective: Interviewing personnel on the responsibilities for supporting and managing network devices and firewalls Reviewing DIA policies pertaining to firewall hardening standards Reviewing documentation related to DIA s Information Security Monthly Backup Guide and Information Systems Security Operations Center Guide Evaluating a selected sample of critical network device configuration standards to equipment manufacturer configuration standards 12 Directly observing how DIA Technologies administrators log into network devices to manage and support the devices and firewalls Verifying the list of users who have administrative access to firewalls, switches and routers Determining whether network devices and firewalls have had updates installed Conducting interviews with DIA Technologies personnel to understand the network device security processes 11 See additional technical definitions within the Appendix. 12 Ibid. Page 5

12 Reviewing DIA Technologies organizational charts to determine whether administrative network management access is restricted to the appropriate personnel Performing tests of critical firewall, switch, and router security settings with a configuration analysis tool Interviewing DIA Technologies personnel to verify whether essential network device and firewall duties are being performed FINDING Process Improvements Are Necessary to Further Strengthen DIA Network Device Security The Denver International Airport (DIA) network is composed of hundreds of network devices, which are architected to allow computers and devices to pass data over data connections. Network devices, such as firewalls, routers, and switches, are used as the basic building blocks that connect computers together and restrict network access to authorized individuals only. We found that although DIA does have strong controls in a number of areas, DIA Technologies should continually update and adhere to its network administration standards to improve the overall security and availability of the DIA network. DIA has an effective defense-in-depth approach to securing the airport s network. The risk of any issues found during this audit was mitigated by other compensating controls that were operating effectively. Administrative Access to Configure Firewalls Should Be Further Restricted DIA Technologies uses two methods for restricting access to configure firewalls. Access is restricted with local user accounts on the devices themselves or through a centralized network device administration management server. Auditors tested both the network device administration management server and a central password repository, which contains the local user account credentials, to determine whether access to configure network devices was appropriately restricted. Two former employees and one employee who changed roles in IT Security retained accounts to configure firewalls through the management server. Additional audit work confirmed that compensating controls prevented these individuals from actually modifying firewalls settings. However, had those compensating controls failed as well, it is possible that the individuals could have configured firewalls when they were no longer authorized to do so. Inappropriate access to manage firewalls may result in unauthorized changes, which could impact the security and availability of DIA s network. A prolonged DIA network outage could impact internal DIA operations as well as cause flight information boards to not display or accurately reflect plane arrival and departure information. City and County of Denver Page 6

13 In addition to limiting firewall configuration to authorized users only, DIA further restricts access to the management server tool to explicitly authorized Internet Protocol (IP) addresses. Auditors inspected the IP addresses and determined that one IP address was no longer in use. Invalid IP addresses should be removed from the management tool to reduce the risk of unauthorized device configurations occurring from IP addresses that are no longer authorized. Auditors also reviewed the DIA IT Acceptable Use Policy and determined that the policy requires that passwords on all devices are changed a minimum of every ninety days. Through interviews with network services staff, auditors found that network device passwords had not been changed in accordance with the password expiration requirement outlined in the policy. Passwords that are not changed frequently increase the risk that passwords may be compromised over time. Accordingly, DIA should change passwords for network devices at least every ninety days as defined by the DIA Acceptable Use Policy. We also recommend that DIA Technologies implement a compensating control, such as a periodic password change alert, that is closed following completion of the password changes. Changes to Network Devices Are Not Consistently Monitored to Ensure that They Follow the Formal Change Management Process DIA Technologies has developed a formal change management process to help ensure that changes to network device configurations are documented, reviewed, tested, and approved prior to implementation. 13 The process is in place to require that changes are made in a controlled manner, and risks related to changes impacting DIA operations are limited. Auditors noted that although the formal change process exists, there are no controls in place to prevent an administrator from circumventing the change process. Auditors also noted that DIA Technologies has a process for tracing configuration changes to network devices in the Payment Card Industry (PCI) environment back to documented tickets, thus ensuring device configuration changes followed the formal process. 14 However, Auditor s were told there is no process to ensure that all changes to non PCI network devices have a corresponding change ticket. Monitoring changes and ensuring that they comply with the change management process helps ensure that no unauthorized changes are made. Modifications to devices implemented outside of the change management process may not be appropriately tested and could result in the introduction of security vulnerabilities impacting DIA operations. Emergency Backups for Network Device Configurations Were Not Performed Consistently Network devices at DIA have running configuration files that control who has access to configure the devices as well as what network traffic is allowed to pass through the devices. Backups of network configuration files should be made prior to making any changes to device configurations. If a backup occurs prior to a change being made 13 See additional technical definitions within the Appendix. 14 Ibid. Page 7

14 and that change causes a network outage, the change can be backed out and the prior running configuration can be used reducing the length of the network outage. Auditors reviewed the firewall backup directory which stores device backups to determine whether backups were being performed regularly and found that backups were not performed for firewalls for three months, although changes to the running configuration occurred during that time. Backups should be performed prior to making any configuration change to reduce the risk of prolonged network outages. RECOMMENDATIONS Audit work identified several process improvement recommendations that should be implemented to increase DIA s defense-in-depth posture and improve network availability, helping to ensure that the DIA network is secure and available. 1.1 The Director of Operations for the DIA Technologies division should ensure removal of the accounts for the individuals who are no longer authorized to configure firewalls and implement a periodic review process to ensure that unauthorized accounts are removed timely on an employee s last day or when an employee transfers to a new position. 1.2 The Director of Operations for the DIA Technologies division should ensure removal of the IP address that is no longer in use from the firewall management tool and implement a periodic review process to assess the IP addresses that are allowed to configure firewalls, removing any that are no longer needed. 1.3 The Director of Operations for the DIA Technologies division should ensure that passwords are changed for network devices at least every ninety days as required by the DIA IT Acceptable Use Policy and implement a compensating control such as a recurring notification that alerts administrators that passwords need to be changed. 1.4 The Director of Operations for the DIA Technologies division should ensure changes to network devices are periodically reviewed using a monitoring tool and that the changes correspond with an approved change ticket. 1.5 The Director of Operations for the DIA Technologies division should ensure that firewall backups are performed prior to every configuration change or at a minimum every 30 days. In the event that a previous configuration restoration point is needed to ensure continued operations. City and County of Denver Page 8

15 APPENDIX Glossary of Technical Terminology Change Management A method by which changes made to a computer system are formally defined, evaluated, and approved prior to implementation. Configuration Standards A process for establishing consistency, implementing security requirements, and ensuring systems work as intended when configuration takes place. Denial of service - An interruption in an authorized user s access to a computer network, typically one caused with malicious intent. Firewall - A software or hardware device that enforces security policies for traffic traversing to and from different network segments. Hardening - The process of securing a computer system by reducing its surface of vulnerability. Reducing the surface of vulnerability for network devices includes disabling unnecessary services and removing unnecessary usernames or logins. High Availability - The ability to define, achieve, and sustain target availability objectives across services and/or technologies supported in the network that align with the objectives of the business. Internet Protocol Address A numerical identifier assigned to each machine in a network used to send data to a specific computer. Network Segment Separates networks containing sensitive information from those that do not contain sensitive information. Network Switch Computer hardware that is used to connect devices together on a network. Payment Card Industry (PCI) - Compliance with the PCI DSS is required for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud. Router - A networking device that can send (route) data between computer networks. Web based attack - An attack on a website or network that originates from the Internet or World Wide Web. Page 9

16 AGENCY RESPONSE City and County of Denver Page 10

17 Page 11

18 City and County of Denver Page 12

19 Page 13

DIA Network Security Management Follow up Report

DIA Network Security Management Follow up Report DIA Network Security Management Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Citywide Identity Management Follow up Report

Citywide Identity Management Follow up Report Citywide Identity Management Follow up Report July 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Network Security Management Phases 1 and 2 Follow up Report

Network Security Management Phases 1 and 2 Follow up Report Network Security Management Phases 1 and 2 Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

Citywide Social Media Usage Follow-up Report

Citywide Social Media Usage Follow-up Report Citywide Social Media Usage Follow-up Report May 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

City Attorney s Office: Litigation and Claims Management Follow-up Report

City Attorney s Office: Litigation and Claims Management Follow-up Report City Attorney s Office: Litigation and Claims Management Follow-up Report April 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

The Department of General Services Contract Administration Follow up Report

The Department of General Services Contract Administration Follow up Report The Department of General Services Contract Administration Follow up Report June 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of

More information

Denver 311 Follow up Report

Denver 311 Follow up Report Denver 311 Follow up Report December 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

FOLLOW-UP REPORT Change Management Practices

FOLLOW-UP REPORT Change Management Practices FOLLOW-UP REPORT Change Management Practices May 2016 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA The Auditor of the City and County of Denver is independently

More information

911 Data Center Operations Performance Audit

911 Data Center Operations Performance Audit 911 Data Center Operations Performance Audit June 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

Police Records Management System IT General Controls Follow up Report

Police Records Management System IT General Controls Follow up Report Police Records Management System IT General Controls Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City

More information

PeopleSoft IT General Controls

PeopleSoft IT General Controls PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

Assessor s Office Performance Audit

Assessor s Office Performance Audit Assessor s Office Performance Audit June 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

DIA Information Security Management Performance Audit

DIA Information Security Management Performance Audit DIA Information Security Management Performance Audit November 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

Citywide Identity Management Performance Audit

Citywide Identity Management Performance Audit Citywide Identity Management Performance Audit March 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Network Security Management Phase 2 Performance Audit

Network Security Management Phase 2 Performance Audit Network Security Management Phase 2 Performance Audit July 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

Mobile Devices Performance Audit

Mobile Devices Performance Audit Mobile Devices Performance Audit August 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Network Security Management Phase 1 Performance Audit

Network Security Management Phase 1 Performance Audit Network Security Management Phase 1 Performance Audit March 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

Denver International Airport Airport Legal Services Section Performance Audit

Denver International Airport Airport Legal Services Section Performance Audit Denver International Airport Airport Legal Services Section Performance Audit July 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

The Department of General Services Contract Administration Performance Audit

The Department of General Services Contract Administration Performance Audit The Department of General Services Contract Administration Performance Audit August 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Denver International Airport Planning and Development Division Performance Audit

Denver International Airport Planning and Development Division Performance Audit Denver International Airport Planning and Development Division Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor

More information

Fixed Assets Management Performance Audit

Fixed Assets Management Performance Audit Fixed Assets Management Performance Audit May 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

City Attorney s Office: Litigation and Claims Management Performance Audit

City Attorney s Office: Litigation and Claims Management Performance Audit City Attorney s Office: Litigation and Claims Management Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

Audit Committee. Audit Staff

Audit Committee. Audit Staff The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Police Records Management System IT General Controls Performance Audit

Police Records Management System IT General Controls Performance Audit Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Department of Agriculture. Network Security Controls. Information Technology Audit

Department of Agriculture. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Workers Compensation Program Performance Audit

Workers Compensation Program Performance Audit Workers Compensation Program Performance Audit February 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Denver International Airport Emergency Preparedness Program Performance Audit

Denver International Airport Emergency Preparedness Program Performance Audit Denver International Airport Emergency Preparedness Program Performance Audit November 2015 Audit Services Division City and County of Denver Timothy M. O Brien, CPA Auditor The Auditor of the City and

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Department of Education. Network Security Controls. Information Technology Audit

Department of Education. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Education Network Security Controls Information Technology Audit May 5, 2010 Report 10-17 FINANCIAL

More information

Denver 311 Performance Audit

Denver 311 Performance Audit Denver 311 Performance Audit August 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Denver International Airport Fleet Management Program Performance Audit

Denver International Airport Fleet Management Program Performance Audit Denver International Airport Fleet Management Program Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR

More information

OFFICE OF THE AUDITOR

OFFICE OF THE AUDITOR OFFICE OF THE AUDITOR DEPARTMENT OF AVIATION INTERNAL CONTROL REVIEW AND CONTRACT COMPLIANCE AUDIT NOVEMBER 2007 Dennis J. Gallagher Auditor Dennis J. Gallagher Auditor Mr. Turner West, Manager Department

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa. Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Department of Human Services Performance Audit

Department of Human Services Performance Audit Department of Human Services Performance Audit October 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3. PR11 - Log Review Procedure Document Reference PR11 - Log Review Procedure Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 12 January 2010 - Initial release. 1.1 14 September

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011 REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Server Management-Scans & Patches

Server Management-Scans & Patches THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Server Management-Scans & Patches Report No. 14-11 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security (Redacted) Notice: The Department of Homeland Security,

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0 Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator

More information

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information