PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1


PUBLIC POWER CORPORATION S.A.
INFORMATION TECHNOLOGY DIVISION
CENTRAL SYSTEMS SUPPORT SECTION
IT SYSTEMS SECURITY SUBSECTION

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

Version: 1.0
Date of Version: 20/09/2006

Security Risk Management IT Systems

HISTORY OF CHANGES

Date        In charge of Changes   Changes / Additions (reference of specific unit)   Approval     Version Number   Date of Application
20/9/2006   B. Kolias              Initial Version                                     IT Manager   1.0              1/1/2007

Version 1.0 Page 2 of 46 20/9/2006

TABLE OF CONTENTS

HISTORY OF CHANGES
1. INTRODUCTION
2. GENERAL OVERVIEW OF SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS
3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - SUMMARY TABLE
4. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - DETAILED DESCRIPTION
   4.1 PREPARATION PHASE
       Determination of Scope of Operational Risk Management Areas
       Selection of Measurement Methods
   4.2 RISK ASSESSMENT
       Identifying and Assessing Composite IT Assets
           Identifying Composite IT Assets
           IT Assets Assessment
               Impact Identification and Assessment
       Identifying and Assessing Risks
           Classification of Threats
           Identifying and Assessing Physical Threats
           Identification and Assessment of Threats from Human Intervention
           Making Detailed Threat Table
       Identifying and Assessing Vulnerabilities
           Preparation of Detailed Vulnerability Table
       Assessment of Risk Exposure Level
           Correlation of Threats and Vulnerabilities for Each Composite IT Asset
           Preparation of Detailed Risk Table
   4.3 RISK REDUCTION
       Risk Tolerance Level Assessment
       Comparison of Risk Exposure Levels with Risk Tolerance Levels
       Selection of Additional Protection Measures
       Assessment and Acceptance of Residual Risk
   MONITORING THE SYSTEM AND ITS ENVIRONMENT FOR CHANGES
       Identifying Endogenous Changes
           Monitoring IT Assets
           Monitoring IT Asset Vulnerabilities
           Monitoring Operational / Organizational Changes
       Identifying Exogenous Changes
           Monitoring the Threat Environment
           Monitoring the Legal Environment
       Management of Changes
ANNEX A: INDICATIVE THREAT LIST
ANNEX B: INDICATIVE VULNERABILITY LIST
ANNEX C: INDICATIVE CONTROLS LIST
ANNEX D: INDICATIVE ELECTRONIC SOURCES OF INFORMATION RELATING TO SECURITY THREATS AND VULNERABILITY ISSUES

1. INTRODUCTION

In the contemporary business environment, information is one of the most valuable assets of an enterprise, and the protection of the integrity, confidentiality and accessibility of IT assets is a necessary condition for the smooth and unhindered achievement of business goals. The Public Power Corporation S.A. (hereinafter referred to as PPC or the Corporation), as an organization that relies on IT systems for the processing and management of operational information to support its business activity, has implemented a security framework for IT systems for the effective protection of its IT assets.

IT Systems Security Risk Management (ITSSRM) is one of the components of this framework and includes the methodological approach required for the identification and effective management of the risks associated with the security of PPC IT assets. The ITSSRM procedure, which is based on the internationally recognized BS ISO/IEC standards, is an integrated approach, which is supported by the PPC IT systems security policy and includes the following stages:

- Recording and evaluating PPC IT assets.
- Identifying and assessing security threats and vulnerabilities of IT assets and existing protection measures.
- Assessment of security risks arising from the exploitation of the vulnerability of IT assets by recognized threats.
- Reduction of risks, through the implementation of suitable controls.
- Assessment and acceptance of residual risk, after implementation of protective measures.
- Continuous monitoring of systems and environment for changes, and repetition of the procedure if significant changes are detected.

The most important advantage of this approach is that it handles the security risks of information systems as issues concerning the entire Corporation, by examining the cost of the implementation of protective measures in correlation with the benefits resulting from the reduction of risks. The benefits of the implementation of this procedure are summarized as follows:

- The implementation of the procedure allows PPC to focus on the achievement of its operational goals, by ensuring an acceptable level of risk.
- It provides the Corporation with the opportunity to evaluate its IT assets, by identifying threats and vulnerabilities, assessing the respective risks and selecting the protection methods for limiting them through a cost-benefit analysis.
- It leads to the creation of an organized and controlled environment through which the Corporation can collect, process, transfer and store information in a secure way.

In the following sections, the ITSSRM procedure is presented in detail, as well as the detailed individual guidelines for its implementation.

2. GENERAL OVERVIEW OF THE SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS

The following flow chart presents the steps to be followed in execution of the ITSSRM procedure. The chart graphically presents the successive stages of the approach, as well as the conditions that govern their relationship.

[Flow chart, rendered as text]
1. Determination of the Scope of Operational Risk Management Area
2. Selection of Measurement Methods
3. Identification and Assessment of IT Assets
4. Identification and Assessment of Risks
5. Identification and Assessment of Vulnerabilities
6. Identification and Assessment of Risk Exposure
7. Determination of Risk Tolerance Level
8. Does exposure to risk lie inside the Risk Tolerance Levels?
   NO: Selection and implementation of additional protection measures
   YES: Risk Acceptance
9. Monitoring the system and its environment for changes
10. Important changes to the IT system and/or its environment detected?
    NO: Management of protective measures (controls)
    YES: Repetition of Risk Assessment Procedure

3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - SUMMARY TABLE

The following table summarizes the basic stages that must be followed for the implementation and the completion of the PPC ITSSRM procedure.

ITSSRM procedure

Preparation Phase
- Determination of Scope of Operational Risk Management Area
- Selection of Measurement Methods

Risk Assessment
- Identifying and Assessing Composite IT Assets
- Identifying and Assessing Risks
- Identifying and Assessing Vulnerabilities
- Assessment of Risk Exposure Level

Risk Reduction
- Determination of Risk Tolerance Levels
- Comparison of Risk Exposure Levels with Risk Tolerance Levels
- Selection of Additional Protection Measures
- Assessment and Acceptance of Residual Risk

Monitoring the Environment for Changes
- Identifying Endogenous Changes
- Identifying Exogenous Changes
- Management of Changes

4. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - DETAILED DESCRIPTION

4.1 Preparation Phase

This phase is necessary to complete the appropriate preparation required before starting the ITSSRM procedure. The tasks to be undertaken at this phase are analyzed in the following paragraphs.

Determination of Scope of Operational Risk Management Area

Before the commencement of the risk management procedure, the scope and extent of the operational risk management area must be accurately determined, in order to facilitate the prompt recognition of the critical IT assets which must be examined during the procedure. Within the scope of the PPC ITSSRM procedure, we determine four levels of study: the Computer System Level, the IT System Level, the Operating Unit Level and the Overall Corporation Level.

Computer System Level: At this level, an integrated and complete risk management study is implemented for the selected computer system. A computer system is an IT system from which the following elements have been removed: human resources and procedures. The software, hardware (e.g. servers, workstations, data transfer networks, etc.) and the data of the Payroll application, the e-mail system or the internet access infrastructure are examples of computer systems to which the ITSSRM procedures can be applied. Therefore, at this level we focus mainly on the security risks related to the PPC technical IT infrastructure.

IT System Level: At this level, the risk management study must be implemented for all the elements of the computer system, as described above (see Computer System Level). Furthermore, the risks must be analyzed for security issues related both to the personnel who operate and manage the computer system in question and to the procedures they carry out. This analysis may be carried out through interviews (e.g. with the use of questionnaires and checklists that arise from international standards, such as ISO/IEC 17799) or with the use of adapted control programs or other special analysis tools. At this level we focus on the security risks related both to the PPC technical infrastructure and to the procedures and people who operate and provide support for this infrastructure.

Operating Unit Level: At this level, the IT systems security risk management procedure must be implemented for all IT systems supporting the operating unit under examination (e.g. General Division, Division, Subdivision, Section, Department, etc.).

Overall Corporation Level: At this level the ITSSRM procedure is implemented for the entire Corporation, and all IT systems used by PPC must be recognized as fully as possible.

Selection of Measurement Methods

The selection of the measurement methods for the individual components of the risk (i.e. the asset value, threat and vulnerability), and especially the determination of their correlation, is a prerequisite for the execution of the risk assessment procedure. For the combination of a series of different variables to be feasible during the calculation of the individual and final figures, a measurable rating for each variable under examination must be established. The variables used in the assessment of risk exposure are the value rating of IT assets, the threat assessment rating, the vulnerability assessment rating and the risk assessment rating. For the purposes of the security risk management procedure, a scale is established for the measurement of the relative importance of each variable, as presented in the following tables:

IT Assets Assessment Rating Scale
  Value   Description
  1       Negligible / Very Low
  2       Low
  3       Medium
  4       High
  5       Very High

Threat Assessment Rating Scale
  Value   Description
  1       Low
  2       Medium
  3       High

Vulnerability Assessment Rating Scale
  Value   Description
  1       Low
  2       Medium
  3       High

IT Systems Security Risk Assessment Rating Scale
  Minimum Risk  |  Low  |  Medium  |  High  |  Maximum Risk

It is noted that the risk is the outcome derived from the three variables (value of IT asset, threat, vulnerability) and, for the purposes of this ITSSRM procedure, it is assessed using a measurement scale with values ranging between 0 (negligible/minimum risk) and 8 (maximum risk).

4.2 Risk Assessment

The effective management of PPC IT systems security risks requires the identification and assessment of the risks which threaten its IT assets. In this context, an analytical and detailed risk assessment approach is established, which is described in the following paragraphs and consists of the following steps:

- Identifying and evaluating IT assets
- Identifying and assessing threats
- Identifying and assessing vulnerabilities
- Assessment of risk exposure level

In order to understand the procedure in more depth, the definitions of the basic terms of the risk assessment procedure are presented below:

Vulnerability: Refers to the weak spot or susceptibility of an IT asset or a group of IT assets which may be utilized / exploited by a threat. It is the condition that allows a threat to have impact at greater frequency, with greater consequences, or both.

Threat: An activity or event which may have an undesirable result; an incident or action which may have undesirable results if it occurs.

Information Systems Security Risk: The potential of a specific threat to exploit one or more vulnerabilities of an IT asset (or a group of IT assets), leading to loss or damage to this asset.

Impact: The damage or downgrading of the operational value (money, reputation, trust, etc.) or any other loss which could be the consequence of a potential violation of the security of PPC systems.

Identifying and Assessing Composite IT Assets

It should be stressed that this phase is very important and is critical to the successful completion of the entire ITSSRM procedure, because all subsequent phases are based on the initial identification and evaluation of PPC IT assets. Additionally, for the better and more efficient execution of this phase, and by extension of the ITSSRM procedures, PPC IT assets are grouped based on their physical nature, and in this context they are called composite IT assets. More specifically, in the context of an IT system, one or more composite IT assets, each composed of a number of individual IT assets, are identified and examined. It is noted that in the context of this ITSSRM program, the analysis and assessment of risks is carried out based solely on the identification of IT systems and the composite IT assets they contain, without further analysis at the level of individual IT assets.

Identifying Composite IT Assets

At this stage, all composite IT assets falling within the defined scope of an operational risk management area (Computer System Level, IT System Level, Operating Unit Level, PPC Level) must be identified and recorded. For their more effective identification, the following types of composite IT assets are determined, and their definitions are presented in the following table:

Composite IT Assets Table

Composite IT Asset       Description
Servers                  Risk assessment must cover any physically separate server or mainframe as a composite IT asset. The server includes the hardware, software and the information stored in the servers.
Network                  Risk assessment must cover any physically separate component of the network as a different system component. The group of network components includes routers, hubs, switches, cabling, etc. Risk assessment here must ignore risks created by network servers. For each component, the hardware, software and transmitted information must be taken into account.
Clients / Workstations   Workstations include the hardware, software and the information stored in the equipment.
Miscellaneous            Storage devices, ATMs, printers, fax machines, PBX, call center, etc.

IT Assets Assessment

Impact Identification and Assessment

The valuation of IT assets will be carried out based on the assessment of the impact for each IT asset identified. Therefore, the impact from the violation of the security of an IT asset indicates its value to the Corporation. The following two parameters are considered fundamental to the effective identification of the impact:

- Impact factors / basic security principles: Confidentiality, Integrity and Accessibility
- Main impact areas, namely the critical areas where the violation of one of the basic security principles has serious consequences

All IT assets identified are assigned values ranging between 1 and 5 for each of the critical impact areas, in case of violation of each of the basic security principles (confidentiality / integrity / accessibility). A detailed description of the scale of the degree of impact is presented in the following table.

IT Assets Assessment Rating Scale
  Value   Description             Interpretation
  1       Negligible / Very Low   The violation of one of the security principles (confidentiality / integrity / accessibility) has a negligible or very low impact on the operation of the system and the Corporation.
  2       Low                     The violation of one of the security principles (confidentiality / integrity / accessibility) may cause loss or damage of minimum importance.
  3       Medium                  The violation of one of the security principles (confidentiality / integrity / accessibility) may cause significant loss or damage, which could have adverse effects on the operational procedure.
  4       High                    The violation of one of the security principles (confidentiality / integrity / accessibility) may cause extensive damage or loss with significant adverse effects on the operation of the system and PPC.
  5       Very High               The violation of one of the security principles (confidentiality / integrity / accessibility) has extremely significant impact on the operation of the system and the Corporation.

The assessment rating of IT assets is then calculated, based on the above scale, with the help of the following table.

Impact Identification and Assessment for each IT Resource

                                                   Impact factors / Basic security principles
Main impact areas                                  Confidentiality   Integrity   Accessibility
Personal safety
Personal information
Legal and regulatory obligations
Commercial and economic interests
Financial loss
Disruption of activities
Public order
Compliance with business policies and standards
Public image and PPC brand reputation
Business performance
Environmental safety

Note: The values in the table are indicative.

In this context, an impact rating of 3 in the personal safety area, in the event of violation of the accessibility of the IT asset under examination, implies that loss of accessibility to this asset may contribute to the loss of human life. The total impact rating for each basic security principle is the maximum of the individual values assessed for each main impact area. The total impact rating for the IT asset under examination is the maximum of the three values estimated for each basic security principle.

Identifying and Assessing Risks

The identification and assessment of the IT assets is achieved through identification of security threats and their properties and features, in order to facilitate effective and detailed risk assessment for each PPC composite IT asset.

Classification of Threats

The first step in specifying threats is distinguishing between threats caused by human intervention and physical threats. The further analysis and classification of threats arising from human intervention uses the following features:

- Threat Intent: deliberate (D) or random (R)
- Threat Origin: internal (Int), external associates (X) or external (Ex)

By combining the above features, we can form the following threat categories arising from human intervention:

- Internal and Deliberate (IntD)
- Internal and Random (IntR)
- External Associates and Deliberate (XD)
- External Associates and Random (XR)
- External and Deliberate (ExD)
- External and Random (ExR)

Physical threats (e.g. fires, floods, earthquakes, etc.) belong to the ExR category (external random threats).

The above threat classification contributes to the risk assessment procedure in the following ways:

- It assists PPC personnel in the identification of threats.
- It contributes to the risk assessment evaluation. For example, an internal deliberate threat has a greater probability of occurring, given that the threat agent has the required knowledge and resources available, though there is reduced motivation, since he is aware of the higher risk of being caught.
- It contributes to the selection of suitable protection measures to reduce risk.

Identifying and Assessing Physical Threats

Physical threats are assessed separately, because their features differ from the features of human intervention threats. Physical threats are easier to determine and have a general impact, and therefore their assessment must be carried out according to the different locations of the PPC composite IT assets. The ITSSRM group must prepare tables of the composite IT assets of the Corporation classified by location, according to the example shown in the following table.

Composite IT Assets by Location (example)
  Computer System 1      Location (Building A / Building B / Building C / Building D / Building E)
  Composite IT Asset 1   Office 3C
  Composite IT Asset 2   Network equipment storage area, Secure area A1
  Composite IT Asset 3   Offices, 3rd floor
  Composite IT Asset 4   Kitchen
  Composite IT Asset 5   Corridor, 3rd floor

Subsequently, based on historical data and with the assistance of specialized personnel, an assessment of the probability or frequency of threats arising for each location must be carried out. With the use of the Threat Assessment Rating Scale (High / Medium / Low), as presented in the following table, an assessment rating for threats may be specified. It is noted that if a physical threat is not related to a specific location, no assessment grade will be specified, since it does not need to be included in the risk assessment.

Composite IT Asset Physical Threat Assessment Table
  Computer System 1      Physical Threat     Physical Threat Assessment Rating
  Composite IT Asset 1   Physical Threat 1   H
                         Physical Threat 2   L
                         Physical Threat 3   M
                         Physical Threat 4   M
                         Physical Threat 5   L
  Composite IT Asset 2   Physical Threat 1   H
                         Physical Threat 2   L
                         Physical Threat 3   M
                         Physical Threat 4   M
                         Physical Threat 5   L
  Composite IT Asset x   Physical Threat 1   H

It should be stressed that the above table must be completed for each composite IT asset and for all physical threats identified.

Identification and Assessment of Threats from Human Intervention

Threats from human intervention are characterized by a different group of features. These threats must be identified and assessed for each composite PPC IT asset and cannot be grouped according to location. The first step in the assessment of the threats from human intervention is the identification of the variables and the use of a single scale for measuring these threats. As already specified (start of paragraph 4.2), a threat is an activity or event which may give rise to undesirable results. Based on this definition, we can distinguish two factors which may be used in order to measure the relative importance of threats: the agent of the threat, i.e. the agent whose actions may create this threat, and the probability of the threat, i.e. how probable it is that the threat will arise. For the assessment of the two factors (agent and probability of occurrence of the threat) we can use the following variables:

- Capability: The volume of information available to the threat agent (knowledge, education, technological specialization, etc.) and the availability of the required resources.
- Motivation: The perception of the threat agent with regard to the interest value of PPC IT assets, in relation to the risk of being identified and caught, and the motivation to violate policy, standards and PPC security procedures in general.

The following table may be used as an example for the calculation of the threat assessment rating. Each threat must be assessed with the use of the recognized features of the threats described above (capability, motivation and probability), and its threat assessment rating specified using the Threat Assessment Rating Scale (paragraph 4.1.2).

Threat Assessment Table from Human Intervention
  Computer System 1      Threat from Human Intervention   Type of Threat   Capability   Motivation   Threat Assessment Rating from Human Intervention
  Composite IT Asset 1   Threat 1                         ExR              L            L            L
                         Threat 2                         ExD              L            M            L or M
                         Threat 3                         ExD              M            M            M
                         Threat 4                         IntD             H            H            H
                         Threat 5                         IntD             H            L            L or M
  Composite IT Asset 2   Threat 1                         ExR              H            H            H
                         Threat 2                         ExD              H            L            L or M
                         Threat 3                         ExD              M            H            L or M
                         Threat 4                         IntD             M            L            M or L
                         Threat 5                         IntD             L            L            L
  Composite IT Asset x   Threat 1                         ExR              H            H            H

Preparation of Detailed Threat Table

At this point, a detailed threat table should be prepared for each IT system, which will present the recognized threats (from human and physical interventions), their classification and the assessment rating of each threat.

Detailed Threat Table
  Computer System 1      Threat     Type of Threat   Threat Assessment Rating
  Composite IT Asset 1   Threat 1   ExR              H
                         Threat 2   IntD             L
                         Threat 3   ExD              M
                         Threat 4   ExR              M
                         Threat 5   ExR              L
  Composite IT Asset 2   Threat 1   IntD             H
                         Threat 2   IntD             L
                         Threat 3   ExD              M
                         Threat 4   ExR              M
                         Threat 5   ExR              L
  Composite IT Asset x   Threat 1   IntD             H

Identifying and Assessing Vulnerabilities

The purpose of vulnerability identification and assessment is to identify and distinguish between security vulnerabilities and subsequently proceed with the assessment of vulnerabilities as a whole. At this point it should be noted that the terms related to security risk and vulnerability assessment frequently acquire a different significance depending on the context in which they are used. For the purpose of the ITSSRM procedures, the term security vulnerability refers to a feature of the system whose security may be violated in order to gain access to it and allow use of its resources for purposes other than the original ones. Furthermore, vulnerabilities are the weak spots or susceptibilities, as well as inadequate security or disadvantages associated with the implementation of a system, which are likely to be affected by a threat. Additionally, it should be emphasized that the existence of vulnerabilities does not depend on the actual realization of any cases of threat or attack.

During the performance of the vulnerability assessment tasks, various methods and techniques may be used to identify and assess the risks related to PPC IT assets. These include the following:

- Vulnerability scanning: With the use of automated software tools, the ITSSRM group periodically scans IT assets for vulnerabilities.
- Attack and penetration testing in the PPC network: The ITSSRM team periodically coordinates the performance of such activities, in order to identify unknown vulnerabilities, not only from external but also from internal points of access to PPC IT assets.
- Vulnerability updates: The ITSSRM team is responsible for maintaining contact with the suitable suppliers or organizations, in order to remain up to date at all times regarding the appearance of new vulnerabilities related to PPC IT assets.
- Technical security architecture assessment: The ITSSRM team periodically coordinates the execution of such assessments, in order to identify any vulnerability in the PPC technical security architecture.
- Security configuration assessment: The ITSSRM team periodically carries out security configuration assessments of specific systems, in accordance with internationally recognized security practices and configuration standards.

The calculation of the assessment rating for each vulnerability identified will subsequently be based on the following features:

- Severity: The severity of the impact in case of exploitation of a specific vulnerability. This includes the range of impact and the probability of escalation (e.g. where the utilization / exploitation of a specific vulnerability might lead).
- Exposure: The ease of exploitation of a specific vulnerability via physical or electronic means (required expertise, required resources).

Preparation of the Detailed Vulnerability Table

At this point a detailed vulnerability table should be prepared for each IT system, which shall include the respective vulnerabilities and their assessment ratings, by using the example of the following table:

Vulnerability Table
  Computer System 1      Vulnerability     Severity   Exposure   Vulnerability Assessment Rating
  Composite IT Asset 1   Vulnerability 1   H          H          H
                         Vulnerability 2   M          L          M or L
                         Vulnerability 3   L          L          L
                         Vulnerability 4   H          M          M
  Composite IT Asset 2   Vulnerability 1   H          H          H
                         Vulnerability 2   M          L          M or L
                         Vulnerability 3   L          L          L
                         Vulnerability 4   H          M          M
                         Vulnerability 5   H          L          M
  Composite IT Asset x   Vulnerability 1   H          H          H

Specifically with regard to security vulnerabilities which are related to computer system configuration issues (e.g. lack of a service pack, security fixes, upgrades, etc.), carrying out the respective adjustments and installation of improved versions is recommended directly after discovery of the vulnerability in question.
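As an added worked example (not part of the PPC procedure), the rating arithmetic of section 4.2 in Python: the impact aggregation rule stated above (maximum over the main impact areas, then over the three principles), the threat and vulnerability ratings in the form of the example tables, and their correlation into the 0 to 8 risk scale of section 4.1.2. The page states the 0 to 8 range but not how the three variables are combined; the additive matrix used here (the ISO/IEC TR 13335-3 method, which yields exactly that range), the names of the helper functions and all sample values are assumptions.

```python
# Added worked example of the ITSSRM rating arithmetic; not PPC's own code.
from itertools import product

PRINCIPLES = ("confidentiality", "integrity", "accessibility")
IMPACT_AREAS = (
    "personal safety", "personal information", "legal and regulatory obligations",
    "commercial and economic interests", "financial loss", "disruption of activities",
    "public order", "compliance with business policies and standards",
    "public image and PPC brand reputation", "business performance", "environmental safety",
)
LEVEL = {"L": 1, "M": 2, "H": 3}   # Threat and Vulnerability Assessment Rating Scales
RISK_MIN, RISK_MAX = 0, 8          # IT Systems Security Risk Assessment Rating Scale


def principle_impact(impacts, principle):
    """Total impact rating for one principle: the maximum over the main impact
    areas the assessor rated (each value must lie on the 1..5 asset scale)."""
    areas = impacts.get(principle)
    if not areas:
        raise ValueError(f"no impact areas assessed for {principle}")
    for area, value in areas.items():
        if area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area: {area}")
        if value not in range(1, 6):
            raise ValueError(f"impact rating {value} for {area} is outside 1..5")
    return max(areas.values())


def asset_value(impacts):
    """Total impact rating of the IT asset: the maximum of the three principle ratings."""
    return max(principle_impact(impacts, p) for p in PRINCIPLES)


def risk_exposure(asset, threat, vulnerability):
    """Combine asset value (1..5), threat (L/M/H) and vulnerability (L/M/H) into
    the 0..8 risk scale.

    ASSUMPTION: the procedure does not state the combination rule. This uses the
    additive matrix of ISO/IEC TR 13335-3: asset 1..5 -> 0..4, threat -> 0..2,
    vulnerability -> 0..2, so the sum spans exactly 0..8 as the page's scale does.
    """
    if asset not in range(1, 6):
        raise ValueError("asset value must be 1..5")
    if threat not in LEVEL or vulnerability not in LEVEL:
        raise ValueError("threat and vulnerability ratings must be L, M or H")
    score = (asset - 1) + (LEVEL[threat] - 1) + (LEVEL[vulnerability] - 1)
    assert RISK_MIN <= score <= RISK_MAX
    return score


def detailed_risk_table(asset, threats, vulnerabilities):
    """Correlate every (threat, vulnerability) pair of one composite IT asset, as the
    'Preparation of detailed risk table' step requires; rows sorted by risk, highest first."""
    rows = [
        (t_name, t_rating, v_name, v_rating, risk_exposure(asset, t_rating, v_rating))
        for (t_name, t_rating), (v_name, v_rating)
        in product(threats.items(), vulnerabilities.items())
    ]
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed sample for "Composite IT Asset 1" (illustrative values, not PPC data).
SAMPLE_IMPACTS = {
    "confidentiality": {"personal information": 2, "legal and regulatory obligations": 3},
    "integrity": {"financial loss": 4, "commercial and economic interests": 3},
    "accessibility": {"disruption of activities": 3, "personal safety": 1},
}
# Threat ratings in the shape of the Detailed Threat Table; vulnerability ratings in
# the shape of the Vulnerability Table (where the page shows "M or L", M is taken
# here as the assessor's final choice).
SAMPLE_THREATS = {"Threat 1 (ExR)": "H", "Threat 2 (IntD)": "L", "Threat 3 (ExD)": "M",
                  "Threat 4 (ExR)": "M", "Threat 5 (ExR)": "L"}
SAMPLE_VULNS = {"Vulnerability 1": "H", "Vulnerability 2": "M",
                "Vulnerability 3": "L", "Vulnerability 4": "M"}

if __name__ == "__main__":
    value = asset_value(SAMPLE_IMPACTS)          # 4: integrity / financial loss dominates
    print(f"asset value = {value}")
    for t, tr, v, vr, risk in detailed_risk_table(value, SAMPLE_THREATS, SAMPLE_VULNS):
        print(f"{t:16} {tr}  {v:16} {vr}  risk = {risk}")
```

Running the script lists the 20 threat/vulnerability pairs of the sample asset with their 0..8 risk scores, which is the input the later risk reduction phase compares against the risk tolerance level.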


More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

Incident Response Plan for PCI-DSS Compliance

Incident Response Plan for PCI-DSS Compliance Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

INFORMATION SECURITY California Maritime Academy

INFORMATION SECURITY California Maritime Academy CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS Effective Date June 9, 2014 INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS OF THE HELLER SCHOOL FOR SOCIAL POLICY AND MANAGEMENT Table of Contents 1.

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

IT Architecture Review. ISACA Conference Fall 2003

IT Architecture Review. ISACA Conference Fall 2003 IT Architecture Review ISACA Conference Fall 2003 Table of Contents Introduction Business Drivers Overview of Tiered Architecture IT Architecture Review Why review IT architecture How to conduct IT architecture

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Information Security By Bhupendra Ratha, Lecturer School of Library & Information Science D.A.V.V., Indore E-mail:bhu261@gmail.com Outline of Information Security Introduction Impact of information Need

More information

Automated Risk Management Using SCAP Vulnerability Scanners

Automated Risk Management Using SCAP Vulnerability Scanners Automated Risk Management Using SCAP Vulnerability Scanners The management of risks to the security and availability of private information is a key element of privacy legislation under the Federal Information

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

Regulatory Framework for Communications Security and Privacy in Greece

Regulatory Framework for Communications Security and Privacy in Greece Regulatory Framework for Communications Security and Privacy in Greece Georgia Bafoutsou, Nikolaos Antoniadis, Eugenia Nikolouzou, Athanasios Panagopoulos Authority for the Assurance of Communications

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

DETAILED RISK ASSESSMENT REPORT

DETAILED RISK ASSESSMENT REPORT DETAILED RISK ASSESSMENT REPORT Executive Summary During the period June 1, 2004 to June 16, 2004 a detailed information security risk assessment was performed on the Department of Motor Vehicle s Motor

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

ISO 27000 Information Security Management Systems Foundation

ISO 27000 Information Security Management Systems Foundation ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical

More information

Incident Reporting Guidelines for Constituents (Public)

Incident Reporting Guidelines for Constituents (Public) Incident Reporting Guidelines for Constituents (Public) Version 3.0-2016.01.19 (Final) Procedure (PRO 301) Department: GOVCERT.LU Classification: PUBLIC Contents 1 Introduction 3 1.1 Overview.................................................

More information

APPENDIX 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT

APPENDIX 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

Security Risk Management - Approaches and Methodology

Security Risk Management - Approaches and Methodology 228 Informatica Economică vol. 15, no. 1/2011 Security Risk Management - Approaches and Methodology Elena Ramona STROIE, Alina Cristina RUSU Academy of Economic Studies, Bucharest, Romania ramona.stroie@gmail.com,

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

INFORMATION SECURITY Humboldt State University

INFORMATION SECURITY Humboldt State University CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

Information Security Incident Management Guidelines. e-governance

Information Security Incident Management Guidelines. e-governance Information Security Incident Management Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Information Security Policy

Information Security Policy Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

RISK ASSESSMENT On IT Infrastructure Mr Pradhan P L & Prof P K Meher

RISK ASSESSMENT On IT Infrastructure Mr Pradhan P L & Prof P K Meher RISK ASSESSMENT On IT Infrastructure Mr Pradhan P L & Prof P K Meher Objective: To develop risk assessment method to safeguard or protect of Information System assets of an organization. Element that identify

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information