CDS Spotlight: Information Security
ECAR CDS Spotlight Series, Research Bulletin, June 14, 2013
Gregory W. Hedrick, Director, Security Services, Purdue University
Joanna Grama, Portfolio Manager, EDUCAUSE

Overview

This special ECAR research bulletin series highlights findings from the EDUCAUSE Core Data Service (CDS), focusing on a small but meaningful slice of the data collected in the CDS. These selected highlights are intended to provide context and meaning for CDS benchmarks that are of especially broad interest or particularly timely, or that help draw connections between ECAR research and CDS. The series is featured along with other CDS publications on the CDS website and is available to eligible ECAR subscribers as part of their subscription.

This spotlight focuses on data from the 2012 Core Data Service to better understand how higher education institutions approach information security activities. The information was derived from Module 7 of CDS, which asked several questions about IT security. Responses from 636 institutions were analyzed; only U.S. institutions with a designated Carnegie class (AA, BA, MA, DR) were included.

The Role of Information Security in the IT Organization

Information security is a discipline that blends technology, sound business processes, legal and regulatory requirements, and plain common sense. It doesn't affect only the IT organization; it affects the entire higher education institution. Information security can be thought of both as an IT domain in its own right and as a strategy that must be reflected in an institution's governance and policies. At some point, most higher education IT organizations grapple with where to place information security activities organizationally and how best to approach them.

Most institutions (89%) report that their central IT organization is primarily responsible for campus information security activities. Far fewer (7%) report that responsibility is shared between central IT and other administrative or academic units (see Figure 1).

EDUCAUSE and Gregory W. Hedrick and Joanna Grama. CC BY-NC-ND.
Figure 1. General Responsibility for Information Security

Why Is It Important?

Regardless of where it sits organizationally, information security remains a constant concern for higher education IT organizations. Higher education institutions use and store large volumes of data, including personal information of employees and students, sensitive institutional business data, and faculty research data. Practices designed to institute strong and effective controls to safeguard those data are often at odds with higher education's values of collaboration and openness. Because of the different types of data an institution must protect, effective use of security technologies and coordination between IT organizations and administrative and academic units are key.
What Do the Data Show?

Institutions approach information security in a number of different ways. CDS data show that institutions vary in how information security practices are apportioned by area of organizational responsibility, the types of security technologies deployed, their use of risk assessments, and how they approach security certifications for IT personnel.

IT Security Practices by Area of Responsibility

Higher education institutions implement a number of IT security practices, and central IT organizations are most often responsible for implementing technical security safeguards (see Figure 2). Technical (or "logical") safeguards are controls implemented in the hardware and software of information systems. At over 85% of institutions, central IT is responsible for these eight IT security practices: network segmentation (96%), firewall operation and management (91%), network access control (91%), intrusion detection system operation (90%), NetFlow data collection and analysis (88%), answering and processing abuse reports (86%), scanning the network for vulnerabilities (85%), and selection of security software (85%).

Figure 2. Responsibility for Technical Practices

Shared responsibility between central IT and other administrative or academic units tends to occur for IT security practices that are administrative in nature. Administrative safeguards are controls shaped by laws and regulations that set forth the institution's rules and policies. Most of these practices affect institutional business organizations and functions, making shared responsibility a natural fit. In particular, information security and privacy regulatory compliance is a shared responsibility at over 64% of institutions (see Figure 3).
Figure 3. Responsibility for Administrative Practices

At some institutions, IT security practices are outsourced. Although very few IT security services are outsourced overall, those that are tend to be the ones that validate internal security practices. Penetration testing (12%), scanning of web applications for vulnerabilities (6%), and scanning the network for vulnerabilities (5%) are the most commonly outsourced practices. Likely because of the technical skill required and the need to align with law enforcement procedures, forensic analysis is also outsourced at a higher rate (8%). No significant differences by Carnegie class or control (public versus private) were found among institution types.

Security Technologies

Higher education IT organizations continue to deploy a number of security technologies to protect institutional infrastructure and data. Firewalls remain the most widely used security technology across campus. In particular, most institutions use firewalls to protect external Internet connections (89%) and high-security servers and networks (87%) (see Figure 4).
Figure 4. Prevalence of Various Security Technologies

In 2012, CDS asked about intrusion prevention systems (IPS), access control lists (ACLs), network access control (NAC), and data loss prevention (DLP) implementations for the first time. These technologies are used alone and in concert to secure an institution's IT infrastructure and data.

Institutions use IPS implementations to monitor network traffic for malicious activity and actively block attempted intrusions (unlike an intrusion detection system, which only alerts). Because their main function is to block intrusions in line, IPS solutions are more likely to be deployed on external Internet connections (52%) and in high-security areas (40%).

Institutions use ACLs to specify which users, processes, or network addresses may access a system or resource, and with what permissions. By restricting access to approved principals, ACLs provide a basic layer of protection and are most likely to be used where access must be strictly controlled and enforced, such as on high-security servers (60%).

Institutions can use NAC to verify whether equipment connecting to the network meets a baseline posture, for example that it is running antivirus software. NAC can then withhold network access until antivirus software is installed and identified vulnerabilities on the device are remediated. NAC is a newer technology and harder to implement than firewalls or ACLs. At the institutions using NAC, it is predominantly used to segregate residence hall networks from the main campus network (21%), because IT organizations typically have little control over student-owned machines yet still need to allow them onto the campus network. NAC helps keep a compromised student device from reaching critical campus infrastructure.

DLP is also a newer technology, used to protect sensitive institutional data and intellectual property. It is designed to detect a potential data breach by inspecting data at rest and data in transit for sensitive content. Although DLP is still an emerging technology in higher education, its use may grow because some compliance programs, such as the Payment Card Industry Data Security Standard (PCI DSS), call for controls (locating and protecting stored cardholder data, for example) that DLP tools are commonly used to satisfy. DLP solutions are more likely to be implemented where data are stored and where the technology can detect data leaving the institution, such as external Internet connections (5%), high-security servers (4%), and individual workstations (4%).

Mobile device management (MDM) for personally owned devices was another question CDS asked for the first time in 2012. MDM is used to secure and monitor the use of mobile devices across an institution, and its use may increase with the growth of bring-your-own-device (BYOD) practices at higher education institutions. Only 10% of institutions have implemented an MDM policy for personally owned devices such as laptops, smartphones, tablets, and portable storage devices (see Figure 5). Private bachelor's institutions are most likely to have such a policy (15%), followed by associate's institutions (13%). The size, governance models, and culture of these institutions may allow IT organizations to more easily implement policies requiring MDM on personally owned devices.

Figure 5. MDM Policies

Risk Assessment

Responsibility for information risk management activities is split nearly evenly between resting primarily with central IT (48%) and being shared between central IT and other administrative or academic units (46%). The use of risk assessments to identify vulnerabilities in, and threats to, critical subsets of institutional IT resources continues to rise across all institutional areas, highlighting its growing importance in determining IT security deficiencies and priorities. Overall, institutions report the greatest use of risk assessments in reviewing central IT systems and infrastructure. From 2011 to 2012, however, the largest increase was in the use of risk assessments to review central administrative systems and data, from 53% to 59% (see Figure 6). Central administrative systems and data include student administration systems (admissions, financial aid, registration, etc.), financial information systems, procurement systems, human resource systems, payroll, and similar enterprise-wide systems.[1]

Figure 6. Change in Risk Assessments

IT Security Personnel

Most higher education institutions (89%) do not require IT security personnel to obtain security certifications. Doctoral institutions are the notable exception: nearly 26% of public and 14% of private doctoral institutions require them (see Figure 7). Few institutions (10%) appear to be planning to require security certifications for IT security personnel; private master's institutions are the most likely to be planning such a requirement (17%). Even though most institutions do not require certifications, many do provide financial support when security personnel obtain them. Once again, doctoral institutions (both public and private) are more likely to provide full or partial financial support to employees who obtain certification.
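The DLP description in the Security Technologies section above says the technology detects a potential breach by inspecting data in storage and in transit; the inspection logic itself is easiest to see in code. The following Python script is an added illustration, not part of the EDUCAUSE bulletin or of any CDS tooling. It scans outbound text for payment card numbers, the cardholder-data case that PCI DSS motivates, and keeps false positives down by requiring a Luhn-valid checksum rather than trusting a digit pattern alone. The candidate regex, the `block_at` threshold, the `inspect` and `Verdict` names and the sample messages are all constructed for this example.

```python
"""Toy DLP content inspector: flags outbound payloads that carry payment card numbers.

Added example, not part of the EDUCAUSE bulletin. Patterns and samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. The regex is deliberately loose; Luhn does the filtering.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every issued card number satisfies.

    Used to reject long digit runs (order numbers, tracking numbers) that merely
    look like a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised (digits-only) PANs found in text, in order of appearance."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    action: str                                  # "allow" or "block"
    findings: list[str] = field(default_factory=list)


def inspect(payload: str, block_at: int = 1) -> Verdict:
    """Decide whether an outbound payload may leave the network.

    block_at is the number of distinct PANs that triggers a block; a real product
    makes this tunable per channel (email, web upload, file share).
    """
    pans = sorted(set(find_pans(payload)))
    if len(pans) >= block_at:
        return Verdict("block", [mask(p) for p in pans])
    return Verdict("allow")


# Constructed sample messages for a stand-alone run: the first carries a real-format
# (test) card number, the second only order and tracking numbers that fail Luhn.
SAMPLES = {
    "refund": "Please refund card 4111 1111 1111 1111, exp 12/25, for order 1234567890123.",
    "shipping": "Order 1234567890123 shipped; tracking 9400110200830",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = inspect(text)
        print(f"{name}: {v.action} {v.findings}")
```

The shape matters more than the pattern: a production DLP engine adds many more content identifiers (SSNs, research data markers, document fingerprints), inspects file attachments and archives, and applies the verdict at the egress points the bulletin lists, such as the Internet border, high-security servers and workstations. Masking in the alert is deliberate; an alert that reproduces the full PAN is itself a leak of cardholder data.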
Figure 7. Security Certifications

What Could This Mean for You and Your Institution?

This spotlight shows that responsibility for IT security practices in higher education may depend on the underlying nature of the practice. Practices with a technology and institution-wide focus, such as network administration or network access control, tend to sit within the central IT organization. This makes sense: these highly technical practices are more likely to succeed when they are centrally organized and administered on behalf of the institution. Conversely, responsibility for administrative IT security practices, those shaped by laws and regulations and affecting business processes, tends to be shared between the central IT organization and another administrative or academic unit. In these situations, central IT must work with the other unit to understand the underlying business process and administrative requirements, and the units must then design security solutions together that meet those requirements without impeding business processes.

Among outsourced IT security practices, those more likely to be outsourced are the ones that validate institutional IT security practices or that require special levels of training, skill, and impartiality (e.g., forensics). Because most higher education institutions do not require their IT security personnel to obtain security certifications, practices requiring sophisticated knowledge, training, and skill will likely continue to be outsourced at higher rates.

In 2012, CDS asked about NAC, DLP, and MDM for the first time. As higher education IT organizations look for technological solutions to protect critical systems and data, these technologies are likely to be implemented at greater rates in the future. NAC and DLP in particular can be implemented by a central IT organization to protect the institution and its data as a whole.

Finally, the use of risk assessments to identify vulnerabilities in and threats to critical subsets of institutional IT resources continues to rise across all institutional areas. Institutions should keep using risk assessments to identify existing vulnerabilities in critical systems and to validate the IT security practices used to protect those systems. Risk assessments are also useful for prioritizing risk response and deciding where to apply institutional resources.

Where to Learn More

Lang, Leah, and Pam Arroway. CDS Executive Summary Report. Louisville, CO: EDUCAUSE, January 2013.

Higher Education Information Security Guide.

About the Authors

Gregory W. Hedrick (hedrick@purdue.edu) is the Director of Security Services at Purdue University.

Joanna Grama (jgrama@educause.edu) is the Portfolio Manager for the EDUCAUSE Center for Analysis and Research (ECAR).

Citation for This Work

Hedrick, Gregory W., and Joanna Grama. CDS Spotlight: Information Security. Louisville, CO: EDUCAUSE Center for Analysis and Research, June 14, 2013.

Note

1. See the Core Data Service Survey Glossary.
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationHIPAA: Compliance Essentials
HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change
More informationState of Information Security
State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page
More informationWireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business. www.megapath.com
Wireless Services The Top Questions to Help You Choose the Right Wireless Solution for Your Business Get Started Now: 877.611.6342 to learn more. www.megapath.com Why Go Wireless? Today, it seems that
More informationUniversity of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
More informationAyla Networks, Inc. SOC 3 SysTrust 2015
Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationMobile Device Strategy
Mobile Device Strategy Technology Experience Bulletin, TEB: 2012-01 Mobile Device Strategy Two years ago, the Administrative Office of Pennsylvania Courts (AOPC) standard mobile phone was the Blackberry.
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationSECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD
SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD www.wipro.com Table of Contents Executive Summary 03 Introduction 03 Challanges 04 Solution 05 Three Layered Approach to secure BYOD 06 Conclusion
More informationHIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
More information10 Building Blocks for Securing File Data
hite Paper 10 Building Blocks for Securing File Data Introduction Securing file data has never been more important or more challenging for organizations. Files dominate the data center, with analyst firm
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationWHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
More informationBring Your Own Device (BYOD) and Mobile Device Management
Bring Your Own Device (BYOD) and Mobile Device Management Intivix.com (415) 543 1033 PROFESSIONAL IT SERVICES FOR BUSINESSES OF ALL SHAPES AND SIZES People are starting to expect the ability to connect
More informationCYBERSECURITY: ISSUES AND ISACA S RESPONSE
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures Mobile devices Social media Cloud services
More informationBRING YOUR OWN DEVICE (BYOD) AND MOBILE DEVICE MANAGEMENT
BRING YOUR OWN DEVICE (BYOD) AND MOBILE DEVICE MANAGEMENT www.intivix.com (415) 543 1033 HELP TEAM MEMBERS TO COLLABORATE MORE EASILY FROM ANYWHERE. People are starting to expect the ability to connect
More informationKEY TRENDS AND DRIVERS OF SECURITY
CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures
More informationStatement of Policy. Reason for Policy
Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationMobility, Security Concerns, and Avoidance
By Jorge García, Technology Evaluation Centers Technology Evaluation Centers Mobile Challenges: An Overview Data drives business today, as IT managers and security executives face enormous pressure to
More informationCautela Labs Cloud Agile. Secured.
Cautela Labs Cloud Agile. Secured. Vulnerability Management Scanning and Assessment Service Vulnerability Management Services New network, application and database vulnerabilities emerge every day. Because
More informationReadiness Assessments: Vital to Secure Mobility
White Paper Readiness Assessments: Vital to Secure Mobility What You Will Learn Mobile devices have been proven to increase employee productivity and job satisfaction, but can also pose significant threats
More informationSymantec Endpoint Security Management Solutions Presentation and Demo for:
Symantec Endpoint Security Management Solutions Presentation and Demo for: University System of Georgia Board of Regents Information Technology Services Executive Summary Business Requirements To migrate
More informationCase Study: Security Implementation for a Non-Profit Hospital
Case Study: Security Implementation for a Non-Profit Hospital The Story Security Challenges and Analysis The Case The Clone Solution The Results The Story About the hospital A private, not-for-profit hospital
More informationSecuring BYOD With Network Access Control, a Case Study
Securing BYOD With Network Access Control, a Case Study 29 August 2012 ID:G00226207 Analyst(s): Lawrence Orans VIEW SUMMARY This Case Study highlights how an organization utilized NAC and mobile device
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationData Access Request Service
Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More information