PART 2-A INTRODUCTION EDP AUDIT


PART 2-A INTRODUCTION EDP AUDIT
Ronald Paans, KPMG IRM, Vrije Universiteit Amsterdam
2 & 9 September 2002
File 2-A 2002

CONTENTS
- Information and business processes
- IT control and ITIL
- Quality aspects
- Corporate Information security
- Code of Practice
- Risk assessment
- Security layers
- Availability
- Effectiveness & efficiency
- Audit approach
- Types of audits
- Voorschrift Informatiebeveiliging Rijksoverheid (VIR)

Page 1

EDP AUDITING
Independent, impartial judgment and advice on Information Technology (IT).
- Quality aspects: Confidentiality, Integrity, Availability (CIA) and Auditability; Effectiveness, Efficiency etc.
- Objects: Information systems (Information Systems Auditor: ISA); Technical infrastructure and organisation of IT (Technical Auditor: TA); IT contracts, Service Level Agreements etc.
- In the Netherlands: professionals are registered (NOREA); post-graduate education at three universities; large EDP audit departments of major audit / assurance firms and other organisations; EDP auditors have a short life time, they soon move to management positions.

EDP AUDITING: THE TWO LIES OF THE PROFESSION...
EDP auditor: "I am here to help you."
Auditee: "You are welcome."
(How can we show our added value?)

CORPORATE GOVERNANCE
- Supervision (toezicht): shareholders, Supervisory Board (Raad van Commissarissen), Works Council (ondernemingsraad), external accountant
- Management (besturen): Executive Board (Raad van Bestuur), directors
- Monitoring (bewaken): internal accountants, controller
- Business processes ("IT supports the business processes and thus contributes to their quality")
Source: report of the Peters Committee (Commissie Peters), Vereniging voor de Effectenhandel, "Corporate Governance in Nederland", 29 October

The report "Corporate Governance in Nederland" of the Peters Committee contains no direct reference to IT. Related recommendations are:
17. The Supervisory Board (RvC) discusses at least once a year the strategy and the risks connected with the enterprise, and the results of the Executive Board's (RvB) assessment of the design of the internal control systems.
21. The Executive Board reports in writing to the Supervisory Board on the corporate objectives, the strategy, the risks connected with them, and the mechanisms for controlling risks of a financial nature.
36. The accountant's audit of the annual accounts is one of the cornerstones of a good system of corporate governance.
IT supports the business processes and introduces specific risks. Therefore IT should be regarded as part of these three recommendations.

MANAGEMENT CONTROL
An effective management control system consists of: planning, execution, evaluation.
Three categories of business objectives:
a. Effectiveness and efficiency of business processes (operational)
b. Reliability of financial information (reporting)
c. Compliance with laws and standards
Participation of the EDP auditor:
ad a. Use of IT resources, incl. Confidentiality, Integrity, Availability and Auditability
ad b. General IT controls and programmed controls in applications
ad c. E.g., Wet Computer Criminaliteit (WCC), Wet Persoonsregistraties (WPR)

EDP AUDITOR WORKS FOR WHO? (example)
- Supervision: shareholders, Supervisory Board (Raad van Commissarissen), Works Council (ondernemingsraad)
- Management: Executive Board (Raad van Bestuur), directors
- Monitoring: internal accountants, internal EDP auditor, controller
- External parties: external accountant, external EDP auditor
- Assignment types shown: assignments from management; outsourcing of EDP audit; special assignments; support of the annual accounts audit
- Business processes ("IT supports the business processes and thus contributes to their quality")

IT AND BUSINESS PROCESSES
Central / decentral IT infrastructure. Information / control. Information systems support the business functions, which in turn support the business processes. Business processes: here they make their money.

IT AND MILITARY PROCESSES
Central / decentral IT infrastructure. Information / control. Information systems support the business functions, which in turn support the military business processes and operations. Business processes: here they do their job.

INFORMATION HANDLING
Layers: management, information, data, IT, business processes. Information is transferred / consolidated / distributed / transformed / etc.; instructions / control go the other way; IT supports the business / operations.

INFORMATION
Data at such an aggregation level that it can be understood by human beings and can be used to control. Data consolidation and transformation make it interpretable and usable.
CoP: "The quality aspects apply to all forms of information": data stored on computers (data, text, video, speech), transmitted across networks, printed out or written down on paper, and spoken in conversations.

POSITION OF IT
An island in the ocean? An empire within an empire? No, IT must closely interact with the business and provide the quality required by the business. Effective communication is of vital importance.

CONCERNS FOR IT ORGANISATIONS
Concerns, e.g.: costs too high; risks too high; slow response; wrong focus; unrealistic expectations; insufficient management involvement; insufficient communication.
Consequences, e.g.: failing projects; no compliance with quality targets; conflicts, internal & external; dissatisfied customers; loss of image; loss of skills; decreasing budgets; outsourcing.

CENTRAL VERSUS DECENTRAL IT: IT IN HISTORICAL PERSPECTIVE
(diagram) Functionality plotted against the quality aspects manageability, controllability and auditability: Mainframe, Midrange, PC and PC/LAN, Distributed Client/Server, Intra/Inter/Extranet, Electronic commerce, Mobile commerce; grouped as business systems, personal systems and network systems; operational improvements versus strategic improvements?
Source: Kol. P.C.J. Boelee, Min. van Defensie, NIVRA/VERA Conference "Update on IT and Control", Nov.

LEGACY PROBLEM: IT TODAY
(diagram) Functionality plotted against time: Mainframe, Midrange, PC and PC/LAN, Distributed Client/Server, Intra/Inter/Extranet, Electronic commerce, Mobile commerce. Everything still exists, partly as legacy.
Source: Kol. P.C.J. Boelee, Min. van Defensie, NIVRA/VERA Conference "Update on IT and Control", Nov.

WHY DO THEY HIRE YOU AS EDP AUDITOR?
- You have experience and can judge and advise.
- You understand the business: the company / organisation; the supporting role of IT; the technical and organisational IT infrastructure.
- You can set priorities for judging / advising on the quality aspects of the IT objects, based on the interest of stockholders, directors etc.
- You can translate the results of your work into text understandable to your principal.
- You can assist in translating your recommendations into priorities and actions.

EFFECTIVE IT CONTROL
IT control, definition: manage the IT resources and IT organisation so that it provides benefits to the business objectives with regard to (1) continuity, effectiveness and efficiency, (2) confidentiality and integrity.
Objects:
- Implement conflict of interests between user organisations and IT organisation (buyer / seller relationship)
- Clear requirements and cost / benefit assessments
- Obligation to provide results
- Contracts and Service Level Agreements (SLAs)
- Well defined processes and disciplines (including ITIL)

A PROFESSIONAL INTERACTION BASED ON CONTRACTS/SLAs
User organisation (in charge, budgets; knowledge; use): requirement owner (behoeftesteller), IV/IM functions, end user.
Interaction: requirement; obligation to provide results; contract / SLA; deliver services (verification of agreements); feedback.
IT organisation: Telematica architecture (translation of functional and quality requirements): DESIGN; system development: BUILD; exploitation: RUN.
IV/IM = Informatie Voorziening / Information Management.

THE CENTRALISED APPROACH
Requirement owner / IV/IM function: define functional and quality requirements. IT organisation: account managers, Director IT, Telematica architecture (S, D, T, V), administration etc., system development, exploitation (S, D, T, V), feedback; end user council.
Legend SDTV: S(peech), D(ata), T(ext), V(ideo).

OUTSOURCING
User organization(s); contracts and Service Level Agreements; service provider(s), internal or external ("one single counter"); contracts and Service Level Agreements (transparent to the users); cycle/transport provider(s), internal or external.
After the requirements are specified correctly, select on the basis of costs and quality ("smart buyer").

IT SERVICES: (INTERNAL/EXTERNAL) OUTSOURCING MODELS
User organisations / users. IT organisation(s): technical and organisational infrastructure (including other hardware). Services: applications; operating systems; standard program products; system development; hardware; data communication. Models, e.g.: every combination is possible.

FRAMEWORK IT CONTROL
Quality of service delivery must be described in a Service Level Agreement (SLA), which belongs to the IT organisation's Service Level Management (SLM) discipline. The user organisations (policy, control, execution) and the IT organisation (policy, control via SLM, execution) are linked by the contract / SLA.

MODEL FOR IT CONTROL
- Strategic: policy: IT policy and organisation (audit)
- Tactical: execution of policy: 11 IT disciplines (audit)
- Operational: execution: mainframe, subsystems, midrange, tools etc., network

MODEL OF IT DISCIPLINES
(diagram) Layers: service (e.g., SAP functions); business functions (e.g., SAP applications); sub systems (e.g., SAP base); operating system; hardware. Parameters: variable and fixed process parameters, application parameters, system parameters. Actors and inputs: end user, system development, IT infrastructure; policy, methods, technology; IT policy; control and improvement. Disciplines shown: service level, configuration, capacity, change, problem, quality, security, availability, performance, operations, accounting, workload.

POSSIBLE IT MANAGEMENT DISCIPLINES
IT management disciplines are, e.g.: IT policy and organisation; security management; service level management; availability management; configuration management; performance management; capacity management; operations management; change management; accounting management; problem management; workload management; people management; quality management.
Note 1: For EDP audit of the technical and organisational infrastructure, we use 12 of them.
Note 2: IT disciplines are primarily used to group the control objectives in a structured and logical way.

RELATIONS BETWEEN IT DISCIPLINES (as used by Leen van Rij)
(diagram) Information Technology policy; configuration; change; problem; performance; operations; availability; security; service level; capacity; workload; accounting; users. These are the 12 IT management disciplines relevant to EDP auditors.

RELATIONS BETWEEN IT DISCIPLINES (simplified view)
(diagram) Information Technology policy; change; problem; configuration; availability; security; accounting; service level; operations; performance / workload; capacity; users. Service Level Management is the pivot.

WORLD CLASS IT MODEL
(maturity matrix; cell layout not recoverable from the extracted text)
Maturity levels (columns): technology driven; service oriented; controlled; business oriented; customer oriented.
Process areas (rows): production; incidents & problems; changes & configuration; service level management; development & maintenance.
Characteristics named in the cells: operational, technical, reactive, informal; logistic planning & control; registration and control; knowledge build-up; fragmented; partial; integrated; service; basic control; proactive; partnership; integral, specialised; service level management; service level agreement; stable process; ad hoc; informal; customer level management; methods and techniques; product flexibility; cost/benefit, volume flexibility; preventive; prioritisation; quality parameters and process measurements.

ITIL: A STANDARD FOR CONTROL
ITIL = Information Technology Infrastructure Library

MANAGEMENT OF IT, USING ITIL
(diagram) Management of IT - ITIL: past, present, future; public infrastructure (KPN etc.); growing complexity.
ITIL foils: written by Paul Overbeek and Gerben Nelemans.

GROWING COMPLEXITY
- Technique: more types and more complex data communications; more types and more complex operating systems; more types and more complex middleware; more types and more complex applications.
- Organisations: new organisational structures, switching between central and decentral; changing dependencies.
- Trends: Single Sign On; repositories; authorisation services; decentral security and Client/Server security; Public Key Infrastructures (PKIs) and Trusted Third Parties (TTPs); Internet and firewalls.

ITIL: SECURITY AND CONTROL REQUIRES UNIFORMITY OF IT MANAGEMENT
Due to the growing complexity, uniformity of management is a prerequisite to have a controlled IT environment. ITIL is a means for uniformity of IT management.
ITIL = IT Infrastructure Library: 60 books; 30 processes in some 9 sets; for security management, 12 processes in 2 sets are relevant. Best practice for exploitation and control of IT. Written by CCTA (former Central Computer and Telecommunications Agency). Also contains ITIL Security Management (since 1998).

WHAT IS INFRASTRUCTURE IN ITIL?
Focused upon control and exploitation of IT infrastructure.
What is included: software (applications); hardware; documentation; procedures; information system (combination of hardware, software and procedures).
What is not included: individual files, queues, messages; people; environment, physical aspects (for security aspects, see Code of Practice).
Note for the EDP auditor: ITIL has no knowledge of business processes.

ITIL LAYERS
There are 9 ITIL sets, among which:
- Managers set (strategy)
- Service Delivery Set (tactic): tactical control, usage of IT resources
- Service Support Set (operations): operational control, the resources themselves

ITIL SERVICE DELIVERY SET
Focused on tactical control (usage of the IT resources). Processes: service level management; availability management; capacity management; workload management; performance management (tuning); delivery management; contingency management (in the past: disaster planning); accounting management; security management.

ITIL SERVICE SUPPORT SET
Focused on operational control (the IT resources themselves). Processes: configuration management; incident management / help desk; problem management; change management; software control & distribution.

ITIL MANAGEMENT PROCESSES: ELEMENTARY VIEW ON A PROCESS
Input; process (purpose, activities); output; relations with other processes.

ITIL SECURITY MANAGEMENT: THE ITIL PROCESS SECURITY MANAGEMENT
Purpose: comply with objectives + baseline. Input: SLA with security objectives. Activities; output; relations with other processes.

RELATIONS BETWEEN ITIL PROCESSES
Security Management has relations with: Service Level Management; Availability Management; Capacity Management; Contingency Planning. And with: Configuration Management; Incident Management / Helpdesk; Problem Management; Change Management; Software Control & Distribution.

ITIL SECURITY MANAGEMENT: THE THREE CHALLENGES
- Process: the Security Management process itself
- Relationships between Security Management and the other processes
- External relationships: managing the SLA requirements for security

ITIL SECURITY MANAGEMENT: MANAGING THE SLA REQUIREMENTS FOR SECURITY
(diagram) The customer agrees an SLA with the IT service provider and receives reports; the IT service provider runs a cycle of PLAN, IMPLEMENT, EVALUATE and MAINTAIN around CONTROL.

ITIL SECURITY MANAGEMENT (continued)
Customer: defines requirements based on business needs. Service Level Agreement / security section: agreed between customer and provider. IT service provider: implements the SLA by ITIL Security Management; reports conform SLA.
- PLAN: service level agreement; underpinning contracts; operational level agreements; policy statements
- IMPLEMENT: create awareness; classification & registration; personnel security; physical security; security management of computers, networks, applications; control & management of access rights; security incident handling, registration
- CONTROL: get organised; establish management framework; allocate responsibilities
- EVALUATE: internal audits; external audits; self assessments; security incidents
- MAINTENANCE: learn; improve plan, implementation

ITIL CONFIGURATION MANAGEMENT

CONFIGURATION MANAGEMENT
The foundation for control / use it to control the changes. Know what you have: version management. Names: CI = Configuration Item; CMDB = Configuration Management Data Base.
EDP audit questions, e.g.:
- verify whether there is configuration management
- who is responsible, how is the process organised?
- which CIs are included (which level of detail?)
- is the input to the process reliable?
- how is the completeness guaranteed and is it up to date?
- are there cross references, e.g., with the license administration and maintenance contracts?
- etc.

SCOPE OF CONFIGURATION MANAGEMENT
Granularity of control is determined by the choice of configuration items (CIs): very important!! Per CI: attributes and classification; status; relations with other CIs.
CIs, e.g.:
- software (applications): packages, licensed programs, home spun programs; at which level of detail?
- hardware: boxes, patch panels, cables; at which level of detail for peripherals?
- documentation: which books and CD-ROMs at which location?
- information system: or are the components included in the items above?

CONFIGURATION MANAGEMENT: SUPPORT OF SECURITY MANAGEMENT
Classification system: availability; integrity / reliability; availability / continuity. Classification connects a CI to activities, to be understood as instructions for how to handle, or procedures, or documentation, or manuals / implementation guidelines.

CLASSIFICATION OF SENSITIVITY
A dedicated classification system, tailor cut to the organisation (template):

Aspect                        | Class: no criterion | desirable | important | essential | Description / objective
Availability / Continuity     |                     |           |           |           |
Confidentiality / Exclusivity |                     |           |           |           |
Integrity                     |                     |           |           |           |

ITIL INCIDENT MANAGEMENT, HELP DESK
An incident is an occurrence of a problem.

INCIDENT MANAGEMENT, HELP DESK PROCESS
- Purpose: incident control; one desk for first line support, the Help Desk or IT Call Center
- Activities: registration and monitoring the progress of incident handling; incident control deals with symptoms
- Input: complaints and questions by users
- Output: solutions, workarounds etc.; problem description

ITIL INCIDENT MANAGEMENT, HELP DESK PROCESS
(process diagram)

ITIL INCIDENT MANAGEMENT, HELP DESK PROCESS (continued)
EDP audit questions, e.g.:
- Is there an effective incident management process?
- Are all incidents documented? How long are the records retained?
- Are the Help Desk employees well trained, also for security aspects?
- When is an incident called a security incident? CI classified?
- Verify that handling security incidents is a normal procedure: how is the contact with or reporting to the security officer; are there additional security measures, e.g., security incident reporting and alarm, reporting
- Consider a classification scheme for incidents
- Verify the completeness and accessibility of the records, reports etc.

ITIL PROBLEM MANAGEMENT
Incident Management / Help Desk feeds Problem Management. A problem may cause multiple incidents.

PROBLEM MANAGEMENT PROCESS
- Purpose: problem control; solving problems or identifying known errors; recording problems and monitoring the progress of solving them
- Input: incidents which cannot be solved (input from the Help Desk, but also from system owners, programmers etc.)
- Activities: using organisation scheme; procedures (incl. registration and monitoring); some security measures; reporting status and progress to the Help Desk
- Output: solution related to known error

QUALITY PROCEDURE (joke slide): STANDARD FLOWCHART FOR SOLVING TECHNICAL PROBLEMS
Problem: does it work? Yes: leave it alone then. No: have you touched it?
Have you touched it? Yes: fool! No: does anyone know about it?
Does anyone know about it? No: leave the building. Yes: klutz!!!
Can you blame someone else? Yes: problem solved. No: will you get into trouble?
Will you get into trouble? No: go home.

ITIL CHANGE MANAGEMENT

CHANGE MANAGEMENT PROCESS
- Purpose: assure that all changes of CIs are controlled and documented
- Input: known errors from Problem Management; Requests for Changes (RFCs), e.g., from system owners etc.
- Activities: supported by organisation structure; execute procedures (incl. registration and monitoring); RFCs: define, handle and (let) implement; monitor and warrant security level
- Output: controlled changes of the IT infrastructure; ditto in the CMDB

A CHANGE
RFC = Request for Change, change proposal on CI(s). Assign status: urgent / not. Determine impact on security. Reviewed / authorised by CAB. Implementation. Tests. Acceptance, or restore old situation.

CHANGE MANAGEMENT PROCESS (flow)
1. Request for Change (RFC)
2. Preparation: assess risk and impact; open change record in Change Database
3. Verification: Change Advisory Board (CAB)
4. Decision by the CAB: rejected (feedback: change record) or approved (assign a date; feedback: change record)
5. Implementation: backup and make change
6. Evaluation: verify correct operation; verify security and internal control; complete and close change record
7. Severe problem: restore. OK: ready.

CHANGE ADVISORY BOARD (CAB)
Configuration Control Board, daily or weekly meeting; the participation may vary: Change Manager; Service Level Manager; case specialists (architect, technical experts, design & development); operational management; user / customer representative?; other process managers; Security Manager for security relevant changes!

EXAMPLE
- Incident: car does not start; work around / contingency plan: push
- Problem: car does not start the entire week; known problem: Lada
- RFC: give me a Ferrari
- CAB decision: use the train

CHANGE MANAGEMENT: SUPPORT OF SECURITY MANAGEMENT
In change management many issues are to be ensured.
- Perform risk analyses: impact in business processes (customer's responsibility); impact on IT infrastructure as a whole; which level of security is needed
- Security plan (SOLL): selection of security controls / measures + audit + contingency + availability; define Operational Level Agreements (OLAs)

CHANGE MANAGEMENT: SUPPORT OF SECURITY MANAGEMENT (cont.)
- Implementation plan (SOLL minus IST), plan for implementation of selected controls / measures: implementation of security baseline; Operational Level Agreements (OLAs)
- Input for: Request for Change (RFC); Change Advisory Board (CAB); implementation; testing; acceptance

ITIL SERVICE LEVEL MANAGEMENT
"I deliver with quality" (signature)
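The change management flow of the preceding slides (RFC, preparation with risk and security impact, CAB decision, backup before implementation, evaluation with restore on a severe problem, CMDB kept in step), as an added illustration that is not code from the course or from ITIL: each step refuses to run unless the previous control was established. The CI names, the rule that a CI classified "important" or higher makes a change security relevant, and the CAB membership check are assumptions.

```python
"""Change control following the slides' flow: RFC -> preparation -> CAB decision ->
implementation (backup first) -> evaluation (close, or restore the old situation).
Added illustration, not course or ITIL code; names and rules are hypothetical."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional, Set

class Status(Enum):
    PREPARED = auto()
    REJECTED = auto()
    APPROVED = auto()
    IMPLEMENTED = auto()
    RESTORED = auto()
    CLOSED = auto()

class ControlViolation(Exception):
    """A process step was attempted without its prerequisite control."""

@dataclass
class ConfigurationItem:
    # Sensitivity class per CoP aspect (slides): 0 none, 1 desirable, 2 important, 3 essential.
    name: str
    version: str
    confidentiality: int = 0
    integrity: int = 0
    availability: int = 0

    def security_relevant(self) -> bool:
        # Hypothetical rule: any aspect classified 'important' or higher.
        return max(self.confidentiality, self.integrity, self.availability) >= 2

@dataclass
class ChangeRecord:
    rfc_id: str
    ci: ConfigurationItem
    new_version: str
    security_impact: bool = False
    status: Optional[Status] = None
    backup: Optional[str] = None

class ChangeManager:
    # CMDB plus change database; each step refuses to run unless the previous control was established.
    def __init__(self, cmdb: Dict[str, ConfigurationItem]):
        self.cmdb = cmdb
        self.records: Dict[str, ChangeRecord] = {}

    def prepare(self, rfc_id: str, ci_name: str, new_version: str) -> None:
        # PREPARATION: assess risk and impact, open the change record.
        ci = self.cmdb[ci_name]
        self.records[rfc_id] = ChangeRecord(rfc_id, ci, new_version, ci.security_relevant(), Status.PREPARED)

    def cab_decision(self, rfc_id: str, approve: bool, members: Set[str]) -> None:
        # VERIFICATION / DECISION by the Change Advisory Board (CAB).
        rec = self.records[rfc_id]
        if rec.status is not Status.PREPARED:
            raise ControlViolation("CAB decides only on a prepared RFC")
        if rec.security_impact and "Security Manager" not in members:
            raise ControlViolation("security relevant change: Security Manager must sit in the CAB")
        rec.status = Status.APPROVED if approve else Status.REJECTED

    def implement(self, rfc_id: str) -> None:
        # IMPLEMENTATION: backup, then change the CI held in the CMDB.
        rec = self.records[rfc_id]
        if rec.status is not Status.APPROVED:
            raise ControlViolation("implementation requires CAB approval")
        rec.backup, rec.ci.version = rec.ci.version, rec.new_version
        rec.status = Status.IMPLEMENTED

    def evaluate(self, rfc_id: str, operates: bool, security_ok: bool) -> None:
        # EVALUATION: verify operation and security; close, or restore on a severe problem.
        rec = self.records[rfc_id]
        if rec.status is not Status.IMPLEMENTED:
            raise ControlViolation("evaluation requires an implemented change")
        if operates and security_ok:
            rec.status = Status.CLOSED
        else:
            rec.ci.version, rec.status = rec.backup, Status.RESTORED

def demo() -> Dict[str, str]:
    # Constructed scenario: a classified payroll database and an unclassified wiki.
    cmdb = {"payroll-db": ConfigurationItem("payroll-db", "1.0", 3, 3, 2),
            "intranet-wiki": ConfigurationItem("intranet-wiki", "2.1")}
    cm = ChangeManager(cmdb)
    cm.prepare("RFC-1", "payroll-db", "1.1")
    try:  # a CAB without the Security Manager may not decide on this change
        cm.cab_decision("RFC-1", True, {"Change Manager", "Service Level Manager"})
        gate = "missed"
    except ControlViolation:
        gate = "enforced"
    cm.cab_decision("RFC-1", True, {"Change Manager", "Security Manager"})
    cm.implement("RFC-1")
    cm.evaluate("RFC-1", operates=True, security_ok=False)  # evaluation finds a security problem
    cm.prepare("RFC-2", "intranet-wiki", "2.2")
    cm.cab_decision("RFC-2", True, {"Change Manager"})
    cm.implement("RFC-2")
    cm.evaluate("RFC-2", operates=True, security_ok=True)
    return {"gate": gate, "payroll-db": cmdb["payroll-db"].version,
            "intranet-wiki": cmdb["intranet-wiki"].version,
            "RFC-1": cm.records["RFC-1"].status.name, "RFC-2": cm.records["RFC-2"].status.name}
```

Running demo() shows the payroll change rolled back to version 1.0 because evaluation failed its security check, while the wiki change closed normally with the CMDB holding 2.2.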

SLA
Customer / company: service requirement management; controls via the SLA. IT service provider: gives feedback on compliance with the SLA; Service Level Management; ITIL management processes; Security Management.

ITIL & SECURITY: A CONTROLLED PROCESS
ITIL & security provides a controlled process and hence results in fewer errors in operation and security. Chain: incidents (Help Desk / Incident Management); problems and known errors (Problem Management); RFCs (Change Management); configuration (Configuration Management); security (Security Management).

SLA (continued)
Customer: representative of the user organisation, service user. Service provider: account manager on behalf of the IT organisation. SLA: service catalog, including security. Service Provision Agreements: performance of the Service Provider itself. Underpinning contracts: external focus, e.g., datacom provider, electricity, hardware maintenance.

QUALITY ASPECTS
Confidentiality; Integrity; Reliability; Auditability; Availability; Effectiveness; Efficiency; Manageability; etc.

INFORMATION SECURITY: THE BUSINESS PERSPECTIVE
Total Enterprise Risk Management:

Resource    | Risks / risk areas                                               | Measures
Finance     | currency risks, interest risks, payments due, cash flow risks    | treasury, insurance
Assets      | fire, burglary, theft, calamities                                | security, alarms, insurance
Information | eavesdropping, illegal modification, interruptions, masquerading | information security, EDP audit
Personnel   | illness, turnover, demotivation, knowledge drain                 | human resource management

LAWS AND STANDARDS
Laws:
- Computer crime: the owner must apply certain measures to protect networks, systems and data
- Privacy: special attention for information about individual persons
- IT for banks: regulations by national banks
Standards:
- US Department of Defense, Orange Book: classification of trusted computing base
- European Community: ditto
- Code of Practice (CoP: UK and NL), with the objectives: deals with the technical infrastructure and the organisation of IT; create a common basis to develop an effective security practice; increase the confidence in the business
- IT Infrastructure Library (ITIL): some 60 books on IT management practices
Our choice: we selected the Code of Practice as a basis.

DUTCH CONFUSION ABOUT NAMES
Many quality aspects are used in different contexts, such as:
- NIVRA publications (among others 53 and 62): efficiency (efficiëntie), effectiveness (effectiviteit), integrity (integriteit), exclusivity (exclusiviteit), auditability (controleerbaarheid), availability (beschikbaarheid)
- Memorandum of De Nederlandsche Bank (memo DNB): reliability (integrity, exclusivity and auditability); continuity (availability)
- Code of Practice (CoP), CIA: Confidentiality (vertrouwelijkheid); Integrity (integriteit); Availability (beschikbaarheid)

CODE OF PRACTICE: INTRODUCTION
The purpose of information security is to ensure business continuity and to minimize business damage by preventing and minimizing the impact of security incidents. Information security management enables information to be shared, while ensuring the protection of information and computing assets. The three basic components (quality aspects) of CoP are: CONFIDENTIALITY, INTEGRITY, AVAILABILITY.
Information takes many forms. It can be stored on computers, transmitted across networks, printed out or written down on paper, and spoken in conversations. From a security perspective, appropriate protection must be applied to all forms of information, including papers, databases, films, view foils, models, tapes, diskettes, conversation and any other methods to convey knowledge and ideas.

WHAT IS IMPORTANT? QUALITY ASPECTS OF INFORMATION
- CONFIDENTIALITY: protecting sensitive information from unauthorized disclosure or intelligible interception
- INTEGRITY: safeguarding the accuracy and completeness of information and computer software
- AVAILABILITY: ensuring that information and vital services are available to the business processes when required
(these three together: CIA)
- AUDITABILITY: allowing to verify compliance with the objectives
- EFFECTIVENESS: doing the right things
- EFFICIENCY: doing the things right (at the lowest costs)

MAPPING/GROUPING QUALITY ASPECTS
Exclusivity (Wet Computer Criminaliteit); Reliability (Memo De Nederlandsche Bank - DNB); Confidentiality (CoP); Integrity (CoP); Auditability (NIVRA); Availability (CoP, DNB, NIVRA); Effectiveness; Efficiency; Manageability; etc.
CIA: Confidentiality, Integrity & Availability. CoP: Code of Practice for Information Security Management (UK BS7799:1995).

CORPORATE INFORMATION SECURITY
Positioning; ACIB model; CIS; Code of Practice.

CAUSES OF DAMAGE TO INFORMATION
Investigation by Price Waterhouse UK, causes are: 33% human errors; 10% strikes (UK); 10% industrial espionage; 10% fraud; 33% errors in information systems and technical infrastructure.
Similar investigation in the USA: 55% human errors; 16% dishonest acts; 11% disgruntled employees; 10% fire; 5% water; 3% other causes. Almost 82% is caused by human actions.
The conclusion is: people are the weak link in computer security. The financial consequences due to fraud substantially exceed those due to errors. Exact figures are not available due to enterprises' reluctance to provide details.
SECURITY IS BASED ON PROCEDURES AND CONTROLLING THE PEOPLE IN YOUR ENTERPRISE

POSITIONING FOR EDP AUDIT
- Top management (Board of Directors): reporting on security health
- Line management and staff: Code of Practice for IT Security (CoP: UK and NL)
- IT management and staff: technical security standards and studies (by EDP auditors, e.g., Platform Informatiebeveiliging - PI): Unix, OS/400, NT, OS/390 RACF, Oracle, SNA, Novell, Lan Server, Internet, Intranet, Workflow, etc.

POSITIONING FOR MANAGEMENT: PLATFORM INFORMATIEBEVEILIGING (PI) AND CoP
- Strategic: policy; Code of Practice
- Tactical: baseline approach
- Operational: baselines; PI standards: Unix, OS/400, NT, OS/390 RACF, Oracle, SNA, Novell, Lan Server; PI studies: Internet, Intranet, Workflow, Multimedia, Mobile, Cryptography


More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

This is a free 15 page sample. Access the full version online.

This is a free 15 page sample. Access the full version online. AS/NZS ISO/IEC 17799:2001 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Which ITIL process or function deals with issues and questions about the use of services, raised by end users?

Which ITIL process or function deals with issues and questions about the use of services, raised by end users? 1 of 40 Which ITIL process or function deals with issues and questions about the use of services, raised by end users? A. Availability Management B. Service Level Management C. Problem Management D. Service

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

ITIL Essentials Study Guide

ITIL Essentials Study Guide ITIL Essentials Study Guide Introduction Service Support Functions: Service Desk Incident Management Problem Management Change Management Configuration Management Release Management Service Delivery Functions:

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

An ITIL Perspective for Storage Resource Management

An ITIL Perspective for Storage Resource Management An ITIL Perspective for Storage Resource Management BJ Klingenberg, IBM Greg Van Hise, IBM Abstract Providing an ITIL perspective to storage resource management supports the consistent integration of storage

More information

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD This is a preview - click here to buy the full publication ISO/IEC 27002 First edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Protection of Computer Data and Software

Protection of Computer Data and Software April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Service Improvement. Part 3 The Strategic View. Robert.Gormley@ed.ac.uk http://www.is.ed.ac.uk/itil

Service Improvement. Part 3 The Strategic View. Robert.Gormley@ed.ac.uk http://www.is.ed.ac.uk/itil Service Improvement Part 3 The Strategic View Robert.Gormley@ed.ac.uk http://www.is.ed.ac.uk/itil Service Management House Customers Avail. Mgmt Capacity Mgmt Service Level Mgmt Continuity Mgmt Financial

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

An introduction to ITIL concepts

An introduction to ITIL concepts An introduction to ITIL concepts Written by Justin Murray October 2005 Introduction... 2 Objective... 2 The ITIL books and processes... 3 Service Management: a key part of ITIL... 4 Service Support...

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities Agenda Information Security Management in Universities Recent

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Outsourcing and Information Security

Outsourcing and Information Security IBM Global Technology Services Outsourcing and Information Security Preparation is the Key However ultimately accountability cannot be outsourced February 2009 page 2 1. Introduction 3 1.1 Reason for outsourcing

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

WHY DO I NEED DATA PROTECTION SERVICES?

WHY DO I NEED DATA PROTECTION SERVICES? WHY DO I NEED DATA PROTECTION SERVICES? Data processing operations have evolved with breathtaking speed over the past few years, expanding from very large mainframe operations to small business networks.

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Information Security Policy

Information Security Policy Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

Security Compliance Assessment Checklist

Security Compliance Assessment Checklist Security Compliance Assessment Checklist ITO Security Services January 2011 V0.2 Intro This checklist is used to evaluate project compliance with the Government of Saskatchewan IT Security Standards 2010.

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Internal Control Guide & Resources

Internal Control Guide & Resources Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Overview of Service Support & Service

Overview of Service Support & Service Overview of Service Support & Service Delivery Functions ITIL Service Support / Delivery- 1 Service Delivery Functions Availability Management IT Services Continuity Management Capacity Management Financial

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL 9.1 USE SECURITY AREAS TO PROTECT FACILITIES 1 GOAL Do you use physical methods to prevent unauthorized access to your organization s information and premises? 2 GOAL Do you use physical methods to prevent

More information

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 27002 First edition 2005-06-15 Information technology Security techniques Code of practice for information security management Technologies de l'information Techniques de

More information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information