1 TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July /8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar Photovoltaic Generation
2 INTRODUCTION In general, policy is a plan or course of action a business intends to influence, determine decisions, actions and other matters and an architecture is the art and science of designing and building something. A cybersecurity policy architecture is the cornerstone of an effective business strategy. Specifically, a cybersecurity policy architecture is the foundation of an enterprise protecting assets, a combination of administrative, technical, and physical protection. A cybersecurity policy architecture needs to be based on executive directives to create an asset protection program, establish protection goals, measures, target and assign responsibilities using the enterprise business mission, vision, and values. The cybersecurity policy architecture development, like a life cycle process, involves the establishment, implementation, monitoring, maintenance, and improvement of enterprise asset production. A cybersecurity policy architecture is an interlocking set of documents that provide guidance for business requirements. This article will form a foundation of what an enterprise needs to consider when developing an effective cybersecurity policy architecture. WHY THE NEED FOR A CYBERSECURITY POLICY ARCHITECTURE? The first questions an enterprise often ask in developing a cybersecurity policy architecture are: Do we really need a cybersecurity policy architecture? How long is this going to take? How much staff is it going to take to implement? How much maintenance does this requirement? The goal of a cybersecurity policy architecture is to basically maintain the integrity, confidentiality and availability of enterprise assets and resources. In the absence of an established cybersecurity policy architecture, the enterprise s current and past activities become the de facto policy. Without a formal cybersecurity policy architecture on which to defend the enterprise assets, the enterprise may be in greater danger of an asset breach, loss of competitive advantage, customer confidence and government interference. By implementing a cybersecurity policy architecture, the enterprise takes control of its destiny for protecting assets. In the absence of an established cybersecurity policy architecture, the internal and/or external audit staffs and the courts may step in and set protection decisions and internal policy. When developing a cybersecurity policy architecture, there is a risk in saying too much as there is in saying too little. The cybersecurity policy architecture should provide the asset protection direction required by the enterprise while maintaining discretion in the implementation of the cybersecurity policy architecture. The more details and documents in the cybersecurity policy architecture, the more frequent the update requirements and the more complicated the training process for individuals and third parties. The cyber security policy architecture documents need to be clear and not subject to interpretation on the use, rights, and privileges
3 of enterprise assets. Individuals need to know what is expected of them and how they will be appraised with respect to using and protecting enterprise assets. It does not take a long time to write the cybersecurity policy architecture documents, yet the devil is in the details in understanding the enterprise risks and how to protect enterprise assets without greatly impacting operational activities. The implementation and understanding of a cybersecurity policy architecture will be the responsibility of everyone within the enterprise with a core team of cybersecurity experts leading and facilitating the development, maintenance, and implementation of the cybersecurity policy architecture. It is a strong recommendation to create a matrix of topics to be included for the cybersecurity policy architecture; this will limit the repetition of information across multiple documents and limit the amount of time needed for reviews and maintenance. The implementation of a cybersecurity policy architecture may take time, because the individuals need to understand why they need to limit the enterprise asset risk, what it means to them, and how much do they need to change their internal processes to accommodate the implementation of the cybersecurity policy architecture. If the cybersecurity policy architecture is designed and implemented in a business process manner, the enterprise will limit their enterprise asset risk and, possibly, improve individual business processes by uncovering redundancy and information leaks. Once implemented, the cybersecurity policy architecture should be reviewed on an annual basis to ensure the documents continue to fulfill the enterprise and business mission, vision, values, and business requirements. An enterprise might have technology fail due to the lack of business and cybersecurity requirements when evaluating, purchasing, or developing new technology. Before enterprise technology is implemented, it is important to note that portions of the cybersecurity policy architecture need to be reviewed and updated to ensure the governance and protection of enterprise assets. A good model to think of when looking at the technology and processes within the enterprise is to ensure that any policy architecture documentation is at the center of all business processes, in particular cybersecurity processes, see Figure 1 (Cybersecurity Policy Architecture a Continuous Process).
4 Figure 1 Cybersecurity Policy Architecture a Continuous Process 1 WHAT REALLY IS A CYBERSECURITY POLICY ARCHITECTURE? Simple statements from executive management can have great meaning and value to individuals. The concept of a cybersecurity policy architecture needs to be talked about in the concept of a set of documents and processes for the business. Using a document set concept, the enterprise can supplement their business requirements when divesting or acquiring new entities, evaluating software for implementation, evaluating data flows, or assisting is consequences when someone abuses their privileges within the enterprise. The cybersecurity policy architecture is the enterprise s approach for asset protection and will show the future enterprise your due diligence in protecting enterprise assets. A cybersecurity policy architecture will change, as the enterprise changes and the business requirements change to fit the environment. The cybersecurity policy architecture must compliment the enterprise business model and requirements do not write a cybersecurity policy architecture for the sake of having documentation. A cybersecurity policy architecture is a continuous process. It assists the enterprise compliance, risk management, governance, and information assurance and gives the enterprise internal policies, guidelines, standards and processes to monitor enterprise assets. For the most part, the cybersecurity policy architecture is designed to protect critical systems, system owners, system users through physical and virtual controls. GETTING STARTED WITH A CYBERSECURITY POLICY ARCHITECTURE When developing or maintaining a cybersecurity policy architecture, the enterprise needs to apply a SMART principle (Specific, Measurable, Agreeable, Realistic, and Time bound) to ensure 1 Building an Effective Information Security Policy Architecture, by Sandy Bacik, published by Taylor and Francis Group, page 16, 2008, ISBN:
5 the cybersecurity policy architecture continues to meet the enterprise business requirements. All enterprise documents should have a defined scope, how much or how far does the document encompass. For the most part, a cybersecurity policy architecture includes anyone and anything that connects to, communicates with, or accesses an enterprise asset. When developing a cybersecurity policy architecture it is important to note that the documents should: Be easy to understand Be applicable to the enterprise environment Be enforceable and do able Be phased in or staged for implementation Meet business objectives. Depending upon the enterprise culture, the enterprise individuals will need to understand how the cybersecurity policy architecture fits into the enterprise architecture. By performing a business link with the enterprise value of assets can assist in developing support for the cybersecurity policy architecture, something similar to the Figure 2 (Connecting with Enterprise Values) below. Figure 2 Connecting with Enterprise Values 2 A basic process that is followed when developing documents within the cybersecurity policy architecture can be seen in Figure 3 (Cybersecurity Policy Architecture Development Process). It is normally an event, incident, requirement, or some sort of request that initiates the process for developing or modifying a document within the cybersecurity policy architecture. 2 Building an Effective Information Security Policy Architecture, by Sandy Bacik, published by Taylor and Francis Group, page 125, 2008, ISBN:
6 Figure 3 Cybersecurity Policy Architecture Development Process The cybersecurity policy architecture should be written to clear up confusion, not generate new issues. Remember the reading and comprehension level of the enterprise individual and when writing the documents, remember the 5 Ws of Journalism 101: What what is to be protected (the Intent) Who who is responsible (Responsibilities) Where where within the organization does the policy reach (Scope) How How will compliance be monitored (Compliance) When when does the policy take effect Why why was the policy developed If you use a topic based approach to the enterprise cybersecurity policy architecture, many components may already have been written and just need to be enhanced and centrally located. And when writing, if the lower level document relate to a higher level enterprise document, then the minimal number of documents will need to be written, see Figure 4 (Laying Out a Policy Architecture).
7 Figure 4 Laying Out a Policy Architecture 3 The enterprise also needs a basic set of document definitions, if they have not already been defined, for a cybersecurity policy architecture, such as the following Table 1 (Sample Definitions). Consultant An entity that provides expert or professional advice. Contractor Customer / Client Employee Guideline Partner Policy Procedure/Process/ Work Instruction Staff Standard Vendor An entity that performs services for another person under an express or implied agreement. An entity that buys goods or services. An entity that is hired by the enterprise. An outline for a statement of conduct. This is a guide as to how something or something should perform, such as acceptable use of the Internet. An entity that is associated with the enterprise in performing activities from a non enterprise facility using a non enterprise infrastructure. A high level statement for goals/behaviors/consequences Documented step by step instructions to get to a goal Any entity that falls into the categories of Client, Consultant, Contractor (PO), Contractor (regular), Co Op, Customer, Employee, Partner, Student, Vendor, or Volunteer. A standard set of rules and procedures that are required A seller. One who disposes of a thing in consideration of money. Table 1 Sample Definitions 3 Building an Effective Information Security Policy Architecture, by Sandy Bacik, published by Taylor and Francis Group, page 25, 2008, ISBN:
8 A simple initial list of cybersecurity policy architecture topics includes the following: Certification of systems and applications Visitor logs / escorting Chain of trust and partner agreement Hard keys Key card Record Processing Testing and revisions Release of Information Need to have/know access Confidentiality Agreements Secure workstation location Access control Security awareness training Access authorization, establishment, modification network Access control Access authorization, establishment, Audit controls modification System banners Request for account enable/disable/unlock Access control lists Request for UserID & Password Authentication Security configuration management Audit configurations Change Control Logs Configuration Control Authorization control Inventory (owned, leased, loaned) Request for UserID and System Access Operating system (content, user, or role based) Application Role based authentication Hardware Data authentication Inventory Entity authentication Anti virus Communications/network controls Encryption (if used) Banners Security Testing Access controls Security management process Alarm Security Policy Audit trails Risk Analysis & Management Encryption (optional) Assigned security responsibility Entity authentication Media controls Event reporting Accountability / access control (Liability Integrity controls Agreements) Message authentication Backups Software Use Data storage Modem Use Disposal Internet and E Mail Usage Physical access controls Classification of Information Verify access prior to physical access
9 Once there is an initial list of topics and the enterprise knows what existing standards, legal and regulatory requirements are required, and then a matrix for easier maintenance can be established, such as the Table 2 (Cybersecurity Policy Architecture Compliance) below. Enterprise Area NISTIR 7628 v1.0 ISO PCI DSS EU Privacy CobIT Common Criteria Generally Accepted Privacy Principles Generally Accepted Security Principles Access Control X X X X X X X X Application X X X X X X Development Asset Management X X X X X Business Operations X X X X X X Communications X X X X X X X X Compliance X X X X Corporate X X X X Governance Customers X X X X X X X Incident X X X X X X X X Management IT Operations X X X X X X X X Outsourcing X X X X X X X Physical / X X X Environmental Policies & X X X X X X X X Procedures Privacy X X X X X Security X X X X X X X Table 2 Cybersecurity Policy Architecture Compliance MAINTENANCE OF A CYBERSECURITY POLICY ARCHITECTURE As stated previous, all documents within the cybersecurity policy architecture should be reviewed on an annual basis. An annual review does not mean the cybersecurity policy architecture documents require updates annual, it is to ensure that cybersecurity policy architecture remains current and in alignment with the enterprise business requirements. A simple matrix to help who is the owner, the reviewers, and the last review of each cybersecurity policy architecture document can be seen below in Table 3 (Cybersecurity Architecture Maintenance Matrix). Performing an annual review and maintaining a matrix will assist and limit the time necessary for regulators and auditors when performing testing and compliance tasks. Adding another column of location will also allow the review to know exactly where the most current copy of the cybersecurity policy architecture document resides for efficient access.
10 Document Description Document Number Incident Handling Procedure Incident Handling Standard Informatio n Assurance Policy Informatio n Security Program IT Change Control Process Describes the process for investigating an electronic incident. Describes standards used when investigating an electronic incident. Describes the over arching stance on information assurance within MYC. Describes the tasks and responsibilitie s of the information assurance program as it relates to the enterprise This process addresses a consistent method used to assess, coordinate, and carry out all modifications made to the IT Infrastructure. Owner Reviewers Approved Date Last Reviewed IN CSO IT Ops, IT Mgt IN CSO IT Ops, IT Mgt MS CSO IT Mgt, VP HR, VP IT, CFO, VP Global Ops, CEO Date Published Comment Yes 2009/ /08 IT Approved Yes 2009/ /08 IT Approved No, but approved within IT SA CSO IT Mgt No, but approved within IT PD IT Mgt IT Ops, IT Apps, IT Mgt Table 3 Cybersecurity Policy Architecture Maintenance Matrix HR, IT approved 07/09; Waiting since 07/20/06 for CFO and CEO approvals HR, IT approved 07/09; Waiting since 07/20/06 for CFO and CEO approvals Yes 2009/ /08 IT Approved
11 While the development and review of a cybersecurity policy architecture is similar to a development lifecycle, the cybersecurity policy architecture continues to evolve as the enterprise grows. The enterprise can look at the cybersecurity policy architecture in Figure 5 (Cybersecurity Policy Architecture Lifecycle) for servicing the enterprise s cybersecurity policy architecture. Figure 5 Cybersecurity Policy Architecture Lifecycle 4 CONCLUSION Most enterprises would prefer to establish their own cybersecurity policy architecture instead of having some third party impose internal protection. The basic threats that may prevent an enterprise from reaching this goal are unauthorized access, modification, disclosure or destruction, whether deliberate or accidental, of the information or the systems and applications that process and use assets. A cybersecurity policy architecture documents the enterprise s ability to protect assets against risks and threats. The cybersecurity policy architecture also coordinates the enterprise s lines of business, looking at the risk, balancing it with protection enterprise assets, regulatory and business requirements. The enforcement of a cybersecurity policy architecture will be through a combination of administrative and technical procedures and processes. When a cybersecurity policy architecture is integrated into an enterprise development, product, and security lifecycle, the risk and threats to enterprise assets is limited and compliance and governance of those enterprise assets will be integrated into all business 4 Building an Effective Information Security Policy Architecture, by Sandy Bacik, published by Taylor and Francis Group, page 150, 2008, ISBN:
12 processes making cybersecurity everyone s responsibility and remember a few things about good documents: Getting Accurate Info Obtaining Details Operations Documenting Problem Summary Documenting Details Only Changes Understanding Everyone Network Total Enterprise Satisfied Enterprise Good documentation is accurate and assists the enterprise in protecting assets. Ask follow up questions such as who, what, when, where, why, and how. Operating processes cannot be greatly impacted. Ensure it is know what issues are being solved through asset protection Be specific when writing the more detailed documents of a cybersecurity policy architecture, such as standards and procedures. Only keep to the subject of cybersecurity and asset protection. Document changes to the enterprise environment and documents. Ensure the cybersecurity policy architecture documents are understood by all entities. Everyone in the enterprise needs to be included in the cybersecurity policy architecture implementation. Network with all levels of the enterprise to ensure an understanding of the need for a cyber security policy architecture. All assets within the enterprise need to be included within the cybersecurity policy architecture. Through monitoring and active participation in implementing and maintaining a cybersecurity policy architecture, the enterprise can limit the risk to assets and be satisfied with the asset governance.
13 ABOUT THE AUTHOR Sandy Bacik, EnerNex Principal Consultant, author and former CSO, has over 15 years direct cybersecurity development, implementation, and management experience in the areas of Audit Management, Disaster Recovery/Business continuity, Incident investigation, Physical security, Privacy, Regulatory compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management. Ms. Bacik has managed, architected and implemented comprehensive information assurance programs and managed internal, external, and contracted/outsourced information technology audits to ensure various regulatory compliance for state and local government entities and Fortune 200 companies. She has developed methodologies for risk assessments, information technology audits, vulnerability assessments, security policy and practice writing, incident response, and disaster recovery. Ms. Bacik currently volunteers and co chairs subgroups with NERC, NIST, and UCA OpenSG; assists in developing interoperability and security standards and requirements for the Smart Grid. Ms. Bacik is the author of Building an Effective Security Policy Architecture (2008) and HIPAA Security by Example (2012) and a contributing author to the Information Security Management Handbook (2009, 2010, 2011, 2012).
HIPAA Security Regulations: Documentation and Procedures The Second National HIPAA Summit Healthcare Computing Strategies, Inc. John Parmigiani Practice Director, Compliance Programs Tom Walsh, CISSP Practice
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
Disclaimer An Introduction to HIPAA and how it relates to docstar This document is provided by docstar to our partners and customers in an attempt to answer some of the questions and clear up some of the
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
Compliance, audit, risk, security what s the difference and why do we need it? Presented By: Sandy Bacik, Principal Consultant Agenda Defining compliance, audit, risk, and security What is the difference
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. email@example.com, firstname.lastname@example.org
Challenges of Integrating Data Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions Page 1 Driving Factors Integration of significant disparate
PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman
HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
NEES@Buffalo Cybersecurity Plan Introduction The NEES Cyberinfrastructure (CI) system is composed of fourteen equipment sites and one central IT facility, henceforth referred to as NEEScomm IT. With IT
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
Cloud models and compliance requirements which is right for you? Bill Franklin, Director, Coalfire Stephanie Tayengco, VP of Technical Operations, Logicworks March 17, 2015 Speaker Introduction Bill Franklin,
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS email@example.com Thomas Welch, CISSP, CPP firstname.lastname@example.org Reproduction of this material is permitted, with attribution,
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
HIPAA Myths WEDI Member Town Hall Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim
HIPAA Myths WEDI Regional Affiliates Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the
PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2
Information Technology: This Year s Hot Issue - Cloud Computing Presented by: Alan Sutin Global IP & Technology Practice Group GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM 2011. All rights reserved.
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
Cascading Risk Tom Kellermann, CISM VP of Security Awareness Core Security Technologies www.coresecurity.com The Evolution of the Threat Syndicates and the business model Internet Arms Bizarre Online fraud
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
15.1 ESTABLISH SECURITY AGREEMENTS WITH SUPPLIERS 15.1.1 EXPECT SUPPLIERS TO COMPLY WITH RISK MITIGATION AGREEMENTS Do you clarify the information security risks that exist whenever your suppliers have
The IT Security Policy Guide Why you need one, what it should cover, and how to implement it By: InstantSecurityPolicy.com InstantSecurityPolicy.com Page 1 Table of Contents 1. Introduction 3 2. What is
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
SECURITY HANDBOOK Mission Statement: UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting investigations. UIT Security
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
Leveraging Regulatory Compliance to Improve Cyber Security Leveraging Regulatory Compliance to Improve Cyber Security Brian Irish, Cyber Security Assurance Manager Salt River Project LEVERAGING REGULATORY
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
Your consent to our cookies if you continue to use this website.