Appendix A
Hertsmere Borough Council - Review of information technology controls

Table columns: Ref; Issue Raised; Recommendation; Priority; Management Response; Implementation

1. Account security settings (Network and ABS E-Financials)

Priority: Medium

Issue raised:
Acceptable use policy requires a minimum of eight characters but we noted that the AD only requires seven characters.
Password encryption is not defined because of a compatibility issue with the Intranet that is scheduled to be replaced by June
If this setting is enabled, passwords can be retrieved more easily than which results in increased vulnerability.
Screensaver is enabled to activate after 7,200 seconds (120 minutes). This leaves the workstation unprotected for too long, increasing the risk that an unauthorised person has the opportunity to hijack an active session.
The E-Financials system allows the user to change their passwords within a day. We noted that the system only remembers 3 old passwords, which means that when users are required to change their passwords, they are able to change their passwords three times in a row to be able to re-use a favoured password.
Without strong password and account security, there is greater risk of unauthorised users gaining access to the network, placing the residing information at risk.

Recommendation:
We recommend the following actions to be taken:
- Within the password policy, set the minimum password length to 8 characters;
- After the implementation of the project to replace the Intranet, the setting "store passwords in reversible encryption" should be disabled;
- Set the screensaver to activate after at least 900 seconds; and
- Require a minimum of 1 day before users are allowed to change passwords within the system. The number of remembered passwords should also be increased to at least five.

Management response and implementation:
- Complete. The minimum password length is now 8 characters.
- Implementation of our new Intranet system is now scheduled for June 2013 following a successful procurement project and agreed implementation plan.
- Policy is that people should lock their screens. The screensaver is only a last resort however the lockout will be reduced to 1 hour timeout.
- Complete. Users are allowed to change their passwords at any point. The number of passwords remembered has now been set to 5.

2. Review of user accounts (Network and ABS E-Financials)

Priority: Medium

Issue raised:
There are no housekeeping activities that involve the reviews over the following:
- inactive or dormant accounts to identify any accounts belonging to temporary staff, consultants, or accounts no longer required
- Active Directory (AD) membership and ABS E-Financials access permissions
If user access is not reviewed by management on a regular basis, there is a risk that access will become disproportionate over time with user job responsibilities owing to the accumulation of roles as individuals transfer or move on to different positions within the Council.
We recognise that management believes not a vast amount of employees have changed roles in the year and that for E-Financials users, temporary staff have limited access to raise purchase orders or sales invoices and restricted approval limit.

Recommendation:
We recommend the following:
- a review of inactive accounts over 90 days at the network and on ABS E-Financials on a monthly basis. This exercise may help in identifying accounts that are no longer required, including existing temporary staff, to ensure that they have appropriately been removed or disabled from the systems.
- a review of AD membership and ABS E-Financials access permissions on a regular basis (e.g. quarterly or semi-annually) to ensure that access is appropriate based on job functions.

Management response and implementation:
Complete. Processes are now in place. Amendments have been made to the starters / leavers process and there is a quarterly check on dormant accounts.
This is linked with the financial regulation and control procedures and rules. This is frequently reviewed by section heads.

3. Privilege management (Network)

Priority: High

Issue raised:
From our queries, domain admin access should be restricted to the two infrastructure staff. However, we have noted the following accounts with domain admin privileges:
- Andrew Lawlo (used by the IS Service Support Officer)
- chrisg_a (used by the IS Service Support Officer)
- Grahamp_a (used for the shared resource with Stevenage Borough Council)
- hacker (account used for internal security testing)
- johnr_a (used by John Robinson)
- Pat Moloney (left the organisation but account used by the Infrastructure staff as a service account)
- patm_a (same as the one above)
- Simon Pascal (used by IS System Specialist)
- tomj_a (used by Tom Jackson)
These roles potentially provide more privileges to the users than what is required, which is susceptible to exploitation.

Recommendation:
The powerful privileges should be restricted to appropriate personnel based on their current job role and responsibilities. We therefore recommend management:
- Create a server admin group for the use of the relevant IS Service Support Officers;
- Rename service accounts to reflect their actual nature and use;
- Remove John Robinson and Tom Jackson's accounts from the domain admin group;
- Disable unnecessary accounts like the hacker account; and
- Remove duplicate accounts.

Management response and implementation:
This project is now under way. The requisite change request has been approved and we are now in the process of removing these accounts. All non-admin accounts are scheduled to have been removed by the end of October

4. Temporary staff access (Restated from prior year) (Network)

Priority: Medium

Issue raised:
There is currently no process to ensure that temporary staff access to the network is removed on a timely basis. Therefore, there is no assurance that the users with access to the network are currently employees of the Council.
The absence of an adequate process to remove temporary users from the network could result in people who do not work for the Council having access to the network and Council data.

Recommendation:
To ensure that only valid users have access to the Council's network, management should request a leaving date as part of the temporary user set up process. This would ensure that the system automatically identifies the user as a leaver and disables their account.
If this functionality does not exist, the leaving date can be used as a method of identifying temporary staff to ensure that their accounts are disabled on a timely basis.

Management response and implementation:
Complete. The account request form has been amended and therefore all temporary accounts now get set up with an expiry date.

5. Information security policy

Priority: Low

Issue raised:
There is an overarching security policy in draft since 2010 so it has not yet been formally approved by senior management nor has it been communicated to staff.
To raise awareness on information security, the IS team participates in the induction provided to new staff. This discusses the purpose of IS, its strategic objectives, the teams within IS, and a brief mention of Freedom of Information (FOI), Data Protection Act (DPA), and Environmental Information Regulation (EIR). However, this induction training does not cover information security roles and responsibilities like reporting of security incidents.
There is an acceptable use policy made available to users but this also does not cover responsibilities over information security.
Without documenting IT security practices and procedures within the framework of an overall IT security policy, there is a risk that inappropriate levels of information security are implemented across the Council.

Recommendation:
In order to ensure that effective security management practices are put in place to protect all IT assets, we recommend management develop an information security policy that sets out the following:
- a definition of information security, its overall objectives, and scope;
- a brief explanation of the security policy, principles, standards, and compliance requirements to relevant legislations and business continuity management requirements;
- a definition of general and specific responsibilities for information security management including reporting of incidents; and
- references to supporting documentation, e.g. more detailed security policies and procedures to administer or monitor systems.

Management response and implementation:
Agreed. To be implemented by December 2012.

6. IT risk management (Network)

Priority: Low

Issue raised:
In the past, a corporate risk register was maintained which has now been delegated to the head of each individual unit. We observed that an IT risk register is being maintained. However, it only covers the following risks:
- Failure of IT system
- Failure to implement new IT system or upgrade
- Failure to implement a robust project planning management process
Although we have noted appropriate network security controls, for example regular network penetration tests, other IT security risks that apply to the Council have not yet been identified and assessed, resulting in unmanaged risks.

Recommendation:
We recommend management perform a separate risk assessment exercise to identify and evaluate other IT security-specific risks in line with existing business and operational risk management framework. This should document IT security risks and the mitigating strategies in place and confirm the extent of any residual risks which the organisation agrees to have reduced to an acceptable level.

Management response and implementation:
The Council now has a shared service support for Risk Management with Stevenage Borough Council who will undertake risk management for Hertsmere. This action point is therefore expected to be completed by December

7. Remote access

Priority: Low

Issue raised:
Staff request remote access via the service desk and approval is confirmed with the Head of the Unit. No request form is used to capture management approval nor is it reflected in the service desk call record.
There is a risk that some requests may not undergo the proper management approval.

Recommendation:
We recommend management integrate the request for remote access into the existing electronic form in order to properly and consistently document the management approval.

Management response and implementation:
Complete. Service requests are now logged on the service desk system.

8. Generic privileged account (ABS E-Financials)

Priority: Medium

Issue raised:
The account used for user administration is "Security" which is being shared by the Business Support Officer and the Systems Accountant to carry out user maintenance activities.
The use of shared accounts makes it more difficult to establish or trace accountability for the activities carried out by administrators.

Recommendation:
Unique accounts should be provided for the administrators.

Management response and implementation:
This is not within the control of HBC, as this is a system design. We are in discussion with ABS (the system supplier) to find a way forward.
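
The account reviews recommended in findings 2, 3 and 4 (inactive accounts over 90 days, domain admin membership, temporary accounts without a leaving date) can be run as one pass over a directory export. The following is an added example, not part of the audit report; the CSV column names, the account names and the approved-administrator list are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export (not data from the audit). The column layout is an
# assumption: one row per account, groups separated by ';', dates as YYYY-MM-DD,
# blank last_logon meaning "never logged on", blank expires meaning "no expiry".
SAMPLE_EXPORT = """\
account,enabled,account_type,last_logon,expires,groups
asmith,yes,permanent,2012-09-20,,Finance Users
bjones_a,yes,permanent,2012-09-28,,Domain Admins
infra1_a,yes,permanent,2012-09-30,,Domain Admins
temp01,yes,temporary,2012-09-25,,Finance Users
temp02,yes,temporary,2012-05-02,2012-06-30,Finance Users
olduser,yes,permanent,2012-03-14,,Planning Users
svc_backup,yes,service,,,Domain Admins;Backup Operators
leaver9,no,permanent,2012-01-10,,Planning Users
"""


def _parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for a blank field."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_export(text):
    """Turn the CSV export into a list of typed account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "account": row["account"].strip(),
            "enabled": row["enabled"].strip().lower() == "yes",
            "type": row["account_type"].strip().lower(),
            "last_logon": _parse_date(row["last_logon"]),
            "expires": _parse_date(row["expires"]),
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return accounts


def review_accounts(accounts, today, approved_admins,
                    dormant_days=90, admin_group="Domain Admins"):
    """Flag accounts against the review criteria of findings 2, 3 and 4."""
    approved = {name.lower() for name in approved_admins}
    findings = {"dormant": [], "unapproved_admin": [],
                "temp_no_expiry": [], "expired_still_enabled": []}
    for acct in accounts:
        name = acct["account"]
        # Finding 3: privileged group membership outside the approved list.
        # Checked for disabled accounts too, since re-enabling one would
        # restore the privilege.
        if admin_group in acct["groups"] and name.lower() not in approved:
            findings["unapproved_admin"].append(name)
        if not acct["enabled"]:
            continue  # remaining checks only concern accounts that can log on
        # Finding 2: inactive for more than dormant_days, or never used.
        last = acct["last_logon"]
        if last is None or (today - last).days > dormant_days:
            findings["dormant"].append(name)
        # Finding 4: temporary account set up without a leaving/expiry date.
        if acct["type"] == "temporary" and acct["expires"] is None:
            findings["temp_no_expiry"].append(name)
        # Finding 4: leaving date has passed but the account is still enabled.
        if acct["expires"] is not None and acct["expires"] < today:
            findings["expired_still_enabled"].append(name)
    return findings


if __name__ == "__main__":
    # Review date and approved administrator list are assumptions.
    report = review_accounts(parse_export(SAMPLE_EXPORT),
                             today=date(2012, 10, 1),
                             approved_admins={"infra1_a", "infra2_a"})
    for check, names in report.items():
        print(f"{check}: {', '.join(names) if names else 'none'}")
```

An account inactive for exactly 90 days is not flagged, matching the "over 90 days" wording of the recommendation; service accounts that never log on interactively will appear as dormant and need a documented exception.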
More informationInformation Governance Policy
Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:
More informationGuidance on data security breach management
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
More informationLauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.
Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More information2) applied methods and means of authorisation and procedures connected with their management and use;
Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.
More informationROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER
July 22, 2010 ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER DEBORAH J. JUDY DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS CHARLES L. MCGANN, JR. MANAGER, CORPORATE INFORMATION SECURITY
More information3.2 This situation is also experienced by Officers who also need remote access to Council networks.
Report Asset Management Committee 29 September 201 15- BROADBAND ACCESS TO COUNCIL NETWORKS 1. Reason for Report To seek Members' approval to undertake a pilot project which will lead to the introduction
More informationBring Your Own Device (BYOD) Policy
Bring Your Own Device (BYOD) Policy Document History Document Reference: Document Purpose: Date Approved: Approving Committee: To set out the technical capabilities of the chosen security solution Airwatch
More informationUniversity of Sunderland Business Assurance Over-arching Information Governance Policy
University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001
More informationRecommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document.
Report to: Cabinet Date: 14 th October 2004. Report: of Head of Corporate Personnel Services Report Title: USE of INTERNET POLICY Summary of Report. The use of the Internet is growing rapidly. Over the
More informationInformation Management Policy
Title Information Management Policy Document ID Director Mark Reynolds Status FINAL Owner Neil McCrirrick Version 1.0 Author Deborah Raven Version Date 26 January 2011 Information Management Policy Crown
More informationExploiting Transparent User Identification Systems
Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationGuideline on Access Control
CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0
More informationINFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK
INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire
More informationMerthyr Tydfil County Borough Council. Information Security Policy
Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of
More informationDepartment of Public Utilities Customer Information System (BANNER)
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
More informationPREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:
A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine
More informationInformation Management Policy London Borough of Barnet
Information Management Policy London Borough of Barnet DATA PROTECTION 11 Information Management Policy - Unrestricted Document Control Document Description Version V.03 Date Created September 2010 Information
More information