e-governance Password Management Guidelines Draft 0.1
DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India.
Document Control

- Document Title: egov Password Management Guidelines
- Document Code: GL_eGov_AM
- Date of Release:
- Next Review Date:
- Document Owner: DeitY
- Document Author(s):
- Document Reviewer:
- Document Reference: PR_eGov_UAMP

Document Approval (Document Approver, Approver Designation, Approver ID): none recorded in this draft.

Document Change History (Version No., Revision Date, Nature of Change, Date of Approval): none recorded in this draft.

Document Classification: Internal
Table of Contents

1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. PASSWORD MANAGEMENT & CONSTRUCTION
   4.1 ACTIVE DIRECTORY ENVIRONMENT
   4.2 UNIX SYSTEMS
   4.3 PASSWORD ALLOCATION PROCESS
   4.4 PASSWORD RESET PROCESS
   4.5 PASSWORD MANAGEMENT GUIDELINES
   4.6 E-SAFE RECOMMENDATION
5. ROLES AND RESPONSIBILITY
1. INTRODUCTION

Any compromise to the confidentiality, integrity or availability of e-gov networks, systems or information could impair the ability of e-gov service delivery. Adverse public exposure brought on by a compromise would damage e-gov's credibility across the country. Ensuring that e-gov departments and public data are kept secure is a vital element in e-gov's approach to security.

This document establishes the e-gov Password Management Guidelines to implement password controls, i.e. the e-gov Password Policy (refer to the e-gov Security Policy (esp)). The document outlines the requirements for creating and protecting passwords within the e-gov service delivery environment across states, ministries or departments.

Asset owners, i.e. department or application owners, must perform a risk assessment of the assets (application or data) held in the specific system to arrive at the criticality of the asset(s) (refer to the e-governance Security Standards Framework (esafe) section GD300 Risk Assessment: Guidelines for Information Security Risk Assessment and Management in an e-governance project). Accordingly, the advanced security features can be implemented as control improvements (refer to e-safe (GD 210): Guidelines for implementing chosen security controls). The last section of this document deals with control recommendations and improvements as per e-safe (e-governance Security Assurance Framework).

2. PURPOSE

The principal objective of this document is to provide general guidelines for the protection of passwords used by people who have privileged and non-privileged access to multiple servers, systems and applications. Care and maintenance of these passwords is imperative to ensure that computer accounts are not improperly accessed and e-gov information is not compromised, and thereby to mitigate the associated risks. Compliance with these guidelines will help departments to comply with the e-gov Password Policy requirements.
3. SCOPE

This guideline does not supersede the requirements of the e-gov Password Policy and/or state-specific password policies but is designed to augment the policy. The policy is applicable to all assets and information systems deployed in the e-gov service delivery framework. These guidelines will suffice to comply with the minimum baseline requirements of esp recommended by the esafe standard and best practices.

4. PASSWORD MANAGEMENT & CONSTRUCTION

All account passwords should follow the e-gov or applicable Password Policy. Where possible, privileged user accounts should be tied into a centrally managed system such as Active Directory or Novell eDirectory, avoiding the use of local system accounts. This provides a mechanism to enforce password policy and account management, along with auditing of password changes against the guidelines.

4.1 ACTIVE DIRECTORY ENVIRONMENT

When utilizing Active Directory (AD), rights should be managed by roles. These roles should be defined at the highest level (global, enterprise, regional and local) possible to allow for the simplest management. Password complexity should be enabled in the domain controllers to ensure that the e-gov password policy is complied with.

4.2 UNIX SYSTEMS

Often UNIX hosts are not part of a larger directory structure such as AD but are more likely to be stand-alone devices. UNIX hosts that are not incorporated into a mature directory structure must meet the same user and password management requirements as apply within the AD infrastructure.

4.3 PASSWORD ALLOCATION PROCESS
- In order to ensure that passwords are communicated only to the relevant user, they should be communicated back to the originator of the request or to the person to whom the account is assigned.
- Passwords should be communicated securely to users; for example, encrypted e-mails could be used for communicating passwords to users.
- All initial passwords should be forced to be modified on first use.

4.4 PASSWORD RESET PROCESS

Users and administrators may forget their passwords over time, in which case the password has to be reset. If the password reset is not done in a proper and secure manner, it is possible for unauthorized users to ask for the passwords of authorized users to be reset and so gain access to systems.

- Password reset requests should reach system administrators/application administrators through appropriate channels.
- If a user has forgotten his/her ID password or is not able to log in to his/her account, he/she should personally raise a password change request as per the formally managed process in place, viz. the Service Desk. The responsible team should verify the user's identity and then forward the password change request to the system administrators.
- The designated personnel should confirm the request with the person who has requested the reset. Once satisfied, they should allocate the new password and confirm it back to the end user only.
- In the event of suspected compromise or disclosure of a password, the user shall be required to raise a security incident. He/she should also inform the designated team, viz. the Service Desk, immediately. Subsequently the password should be changed and communicated to the user. Before changing the password, the Service Desk should authenticate the user.
- A log of password resets should be maintained, wherever possible, for auditing purposes.

4.5 PASSWORD MANAGEMENT GUIDELINES

The following e-gov Password Policy controls should be enforced so that all system accounts are bound to have passwords of the minimum desired quality.
- All users getting access to e-gov systems are authenticated using the Active Directory feature provided by Windows NT/2003/2008. The system should grant access to the domain provided the user ID and password are correct. Any application or database that is not integrated with Active Directory Services (ADS) should have provisions for creating unique user IDs and passwords to authenticate users prior to their accessing the systems.
- Passwords should be encrypted when stored in files or databases. Access to this field of the database should be restricted to system security administrators only.
- Passwords should not be transmitted in clear text form over any kind of network.
- Authentication, authorization and accounting for all critical network devices should be done through a centrally controlled server, and access to the same should be provided only to specific security administrators.
- Password complexity requirements should be enforced using domain policies. The complexity requirements should include at minimum the following points:
  - Minimum password age should be set to one day.
  - Minimum password length should be eight characters.
  - A record of the last 5 passwords should be maintained in order to prevent their reuse.
  - A password should contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters), or a mix of at least two types of non-alphabetic characters.
  - Policy should be set such that passwords for all users, those with normal access as well as privileged users, expire in 45 days.
  - Policy should be enforced to lock the user account after 5 successive invalid login attempts.
  - Account lockout duration and the reset account lockout counter interval should be set to 30 minutes for desktops.
  - If an administrative privileged account is locked out, the user should not be able to log in until the account is unlocked by the system administrator.
- By default, all applications and systems should be configured not to display passwords on the screen while they are being keyed in.
- Policy should be set to audit user account login/logout, to ensure that each user can be held accountable for his/her actions.
- Logs of all activities should be maintained for 90 days. Logs of unsuccessful attempts and suspected successful attempts should be reviewed by designated administrators periodically.
- Default accounts should be disabled and/or default passwords should be changed immediately, adhering to the baseline hardening procedures for the systems and applications.
- Provide proper user awareness training to all users (including third-party vendor employees and contract employees) to ensure that password procedures and policies are followed by all users.
- Force users to change the temporary password given during account creation at the first log-on.

4.6 E-SAFE RECOMMENDATION

Besides the aforementioned exhaustive list of controls laid down in the e-gov Password Policy, the following guidelines should be followed in application code (APPLICATION CLASS) and infrastructure (INFRASTRUCTURE CLASS) as recommended by e-safe, as per the criticality of the environment. (Refer to Guidelines for Implementation of Security Control (GD 210): Guidelines for implementing chosen security controls.)

I. The following control improvements are recommended for applications in the e-SAFE application class.

- The application should not allow the creation or use of weak passwords by users.
- Maintain a record/history of a specified number of previously used passwords to prevent re-use.
- Define the requirement for the control mechanisms in the RFP and/or SRS.
- Conduct formal testing of the implemented control mechanisms.

II. The following controls are best practices to be followed in the e-gov environment, as recommended in the e-safe infrastructure class.

- In some devices, by default the authentication scheme is not present or default system accounts are without passwords. Such default system accounts without passwords shall be disabled.
- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.
- The default passwords of devices (e.g. network routers, switches, access points etc.) should be changed during installation, and this practice should be integrated with the organizational procedure for installation of computing and communication devices.
- The keeper of master passwords should be a trusted employee, such as a Project Manager belonging to the e-governance Information Security Working Group (ISWG), who is available during emergencies. Any copies of the master passwords must be stored in a very secure location (a sealed envelope or a properly access-controlled repository with limited access).
- The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be the most secure and be changed frequently.
- Authority to change master passwords should be limited to trusted employees.
- A password audit record, especially for master passwords, should be maintained separately from the control system.
- Store password files separately from application system data.

III. The following control improvements are recommended for applications in the e-SAFE application class.

- The organization should adopt a managed process to verify the identity of the requestor for resetting or reissuing the account password.
- The system should not store passwords in clear text and should eliminate the use of weak hashes (NTLM hash instead of LANMAN hash, or salted MD5).
- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.
- For highly sensitive systems, the root or administrator password shall be broken into two parts, each part held by a different person, to minimize the security risk posed by any single person.
- In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multi-factor authentication using biometrics like a thumb impression, physical tokens (RSA token), a smart card or a USB token carrying a digital certificate.

5. ROLES AND RESPONSIBILITY

Role: Service desk/helpdesk
Responsibility:
- Ensure proper user identification is done.

Role: System Administrator/Application Administrator
Responsibility:
- Generation of passwords.
- Ensuring that users are forced to change their passwords after logging in for the first time.
- Resetting passwords and communicating them to the user.
- Ensuring appropriate policies are configured to meet the requirements of the password management guidelines.

Role: CISO
Responsibility:
- Ensure proper user awareness training is done to educate users on the use of passwords and their management.
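The section 4.5 controls, expressed as application-side checks for a system that is not integrated with Active Directory: the eight-character minimum, the character-mix rule, the last-5 history, the one-day minimum age, the 45-day expiry, and lockout after 5 successive failures with a 30-minute desktop lockout and counter-reset window, while an administrative account stays locked until an administrator unlocks it. This is an added example, not code from the guideline or from DeitY; the constant values are taken from section 4.5 and the timestamp T0 is constructed for the demo.

```python
from datetime import datetime, timedelta
import string

MIN_LENGTH = 8                               # minimum length: eight characters
MIN_AGE = timedelta(days=1)                  # minimum password age: one day
MAX_AGE = timedelta(days=45)                 # passwords expire after 45 days
HISTORY_DEPTH = 5                            # last 5 passwords may not be reused
LOCKOUT_THRESHOLD = 5                        # lock after 5 successive failures
LOCKOUT_DURATION = timedelta(minutes=30)     # desktop lockout duration
RESET_COUNTER_AFTER = timedelta(minutes=30)  # failure counter reset window
T0 = datetime(2024, 1, 1, 9, 0)              # constructed reference time (assumption)


def complexity_errors(password):
    """List the section 4.5 complexity rules that `password` violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    # Either alphabetic plus non-alphabetic characters, or at least two kinds
    # of non-alphabetic characters (digits and punctuation/special characters).
    if not ((has_alpha and (has_digit or has_punct)) or (has_digit and has_punct)):
        errors.append("no mix of alphabetic and non-alphabetic characters")
    return errors


def change_errors(candidate, history, last_changed, now):
    """Rules for a password change: no reuse of the last 5, one-day minimum age.
    `history` lists earlier passwords, most recent first (a real system keeps
    salted hashes there, never clear text)."""
    errors = complexity_errors(candidate)
    if candidate in history[:HISTORY_DEPTH]:
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if now - last_changed < MIN_AGE:
        errors.append("changed less than one day ago")
    return errors


def password_expired(last_changed, now):
    """True once the 45-day maximum age has passed."""
    return now - last_changed > MAX_AGE


class AccountLockout:
    """Failed-login counter implementing the lockout rules of section 4.5.
    Ordinary accounts unlock by themselves after LOCKOUT_DURATION; privileged
    accounts stay locked until an administrator calls unlock()."""

    def __init__(self, privileged=False):
        self.privileged = privileged
        self.failures = 0
        self.last_failure = None
        self.locked_at = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.privileged:
            return True                              # manual unlock only
        return now - self.locked_at < LOCKOUT_DURATION

    def record_attempt(self, success, now):
        """Record one login attempt; return True if the login is allowed."""
        if self.is_locked(now):
            return False
        if self.locked_at is not None:               # desktop lockout has expired
            self.unlock()
        if success:
            self.failures, self.last_failure = 0, None
            return True
        if self.last_failure and now - self.last_failure > RESET_COUNTER_AFTER:
            self.failures = 0                        # stale failures are forgotten
        self.failures += 1
        self.last_failure = now
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_at = now
        return False

    def unlock(self):
        """Administrator action; the only way out for a privileged account."""
        self.failures, self.last_failure, self.locked_at = 0, None, None


def simulate(privileged, attempts, unlock_before=None):
    """Replay (success, minutes after T0) attempts; return which were allowed.
    With unlock_before=i an administrator unlocks the account before attempt i."""
    acct = AccountLockout(privileged)
    allowed = []
    for i, (ok, minute) in enumerate(attempts):
        if i == unlock_before:
            acct.unlock()
        allowed.append(acct.record_attempt(ok, T0 + timedelta(minutes=minute)))
    return allowed
```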
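Section 4.6 III requires that passwords are not stored in clear text and that weak hashes are eliminated; this added example (not the guideline's or DeitY's code) keeps only salted PBKDF2-HMAC-SHA256 records, enforces the last-5 history against those records rather than against clear text, flags records below the current work factor for migration on the next successful login, and never accepts a record stored under another scheme. PBKDF2 and the iteration count are choices made here; the guideline names neither.

```python
import hashlib
import hmac
import os

ALG = "pbkdf2-sha256"
ITERATIONS = 200_000   # work factor; an assumption, the guideline names no value
HISTORY_DEPTH = 5      # the current password plus the four before it


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: algorithm, work factor, random salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": ALG, "iter": iterations, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the digest under the record's own salt; compare in constant time."""
    if record.get("alg") != ALG:
        return False   # records stored under any other scheme are never accepted
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses a weaker scheme or work factor than policy."""
    return record.get("alg") != ALG or record["iter"] < iterations


class PasswordStore:
    """In-memory credential store that keeps salted hashes only, never clear text."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.records = {}   # user -> list of records, current password first

    def set_password(self, user, password):
        """Replace the user's password, refusing any of the last HISTORY_DEPTH."""
        history = self.records.get(user, [])
        if any(verify_password(password, rec) for rec in history[:HISTORY_DEPTH]):
            raise ValueError(f"reuse of one of the last {HISTORY_DEPTH} passwords")
        history.insert(0, hash_password(password, self.iterations))
        self.records[user] = history[:HISTORY_DEPTH]

    def authenticate(self, user, password):
        """Check a login; on success, upgrade a below-policy record in place."""
        history = self.records.get(user)
        if not history or not verify_password(password, history[0]):
            return False
        if needs_rehash(history[0], self.iterations):
            history[0] = hash_password(password, self.iterations)
        return True

    def weak_records(self):
        """Users whose current record must be migrated or reset (section 4.6 III)."""
        return sorted(u for u, h in self.records.items()
                      if needs_rehash(h[0], self.iterations))

    def leaks_cleartext(self, password):
        """Sanity check: the serialised store must never contain the password."""
        return password in repr(self.records)
```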
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationSANS Institute First Five Quick Wins
#1 QUICK WIN- APPLICATION WHITELISTING SANS Critical Controls: #2: Inventory of Authorized and Unauthorized Software 1) Deploy application whitelisting technology that allows systems to run software only
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationPrivileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery
Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationStandard: Event Monitoring
Standard: Event Monitoring Page 1 Executive Summary The Event Monitoring Standard defines the requirements for Information Security event monitoring within SJSU computing resources to ensure that information
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationTHE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY
THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY 1.0 Purpose The purpose of this policy is to establish Office of Human Resources (OHR) standards for creation of strong
More informationE Security Assurance Framework:
Version: 1.0 January, 2010 E Security Assurance Framework: Baseline Security Controls for Medium Impact Information Systems esafe GD202 Government of India Department of Information Technology Ministry
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationDefense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
More informationMBAM Self-Help Portals
MBAM Self-Help Portals Authoring a self-help portal workflow for BitLocker Recovery Using Microsoft BitLocker Administration and Monitoring (MBAM) Technical White Paper Published: September 2011 Priyaa
More informationKentico CMS security facts
Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationSECURE YOUR WINDOWS ENTERPRISE WITH STRONG PASSWORD MANAGEMENT
Specops Software presents: SECURE YOUR WINDOWS ENTERPRISE WITH STRONG PASSWORD MANAGEMENT By Derek Melber, MCSE, MVP Secure Your Windows Enterprise with Strong Password Management... 3 Windows Default
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationProgressBook CentralAdmin User Guide
ProgressBook CentralAdmin User Guide ProgressBook CentralAdmin User Guide (This document is current for ProgressBook v14.2.0 or later.) 2013 Software Answers, Inc. All Rights Reserved. All other company
More informationFAQs for Password Self Service
FAQs for Password Self Service Contents 1.1 What is PSS? 1.2 What do I do if I forget my Portal/POS or Network/Workstation password? 1.3 What do I do if my Portal/POS or Network/Workstation password has
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationDepartment of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report
Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report November 2006 promoting efficient & effective local government Executive Summary The Department
More informationAchieving PCI Compliance for: Privileged Password Management & Remote Vendor Access
Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access [ W H I T E P A P E R ] Written by e-dmz Security, LLC April 2007 Achieving PCI Compliance A White Paper by e-dmz Security,
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationWindows Log Monitoring Best Practices for Security and Compliance
Windows Log Monitoring Best Practices for Security and Compliance Table of Contents Introduction... 3 Overview... 4 Major Security Events and Policy Changes... 6 Major Security Events and Policy Changes
More information