SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL
CRC Press, Taylor & Francis Group, Boca Raton, London, New York. CRC Press is an imprint of the Taylor & Francis Group, an informa business. An Auerbach Book.
Contents

Biography

1 Introduction
    The Role of the Information Security Manager
    Audit as a Driver for Security Initiatives
    Technology as a Driver for Security Initiatives
    Compliance as a Driver for Security Initiatives
    Security Risk as a Driver for Security Initiatives
    Ensuring a Quality Information Security Risk Assessment
    Security Risk Assessment
    The Role of the Security Risk Assessment
    Definition of a Security Risk Assessment
    The Need for a Security Risk Assessment
    Checks and Balances
    Periodic Review
    Risk-Based Spending
    A Requirement
    Security Risk Assessment Secondary Benefits
    Related Activities
    Gap Assessment
    Compliance Audit
    Security Audit
    Vulnerability Scanning
    Penetration Testing
    Ad Hoc Testing
    Social Engineering
    War Dialing
    The Need for This Book
    Who Is This Book For?
    Exercises
    Notes
    References
    Bibliography

2 Information Security Risk Assessment Basics
    Phase 1: Project Definition
    Phase 2: Project Preparation
    Phase 3: Data Gathering
    Phase 4: Risk Analysis
    Assets
    Threat Agents and Threats
    Threat Agents
    Threats
    Vulnerabilities
    Security Risk
    Phase 5: Risk Mitigation
    Safeguards
    Residual Security Risk
    Phase 6: Risk Reporting and Resolution
    Risk Resolution
    Exercises
    Notes
    References

3 Project Definition
    Ensuring Project Success
    Success Definition
    Customer Satisfaction
    Quality of Work
    Completion within Budget
    Setting the Budget
    Determining the Objective
    Limiting the Scope
    Underscoping
    Overscoping
    Security Controls
    Assets
    Reasonableness in Limiting the Scope
    Identifying System Boundaries
    Physical Boundary
    Logical Boundaries
    Specifying the Rigor
    Sample Scope Statements
    Project Description
    Project Variables
    Statement of Work
    Specifying the Service Description
    Scope of Security Controls
    Specifying Deliverables
    Contract Type
    Contract Terms
    Exercises
    Notes
    References

4 Security Risk Assessment Preparation
    Introduce the Team
    Introductory Letter
    Pre-Assessment Briefing
    Obtain Proper Permission
    Policies Required
    Permission Required
    Scope of Permission
    Accounts Required
    Review Business Mission
    What Is a Business Mission?
    Obtaining Business Mission Information
    Identify Critical Systems
    Determining Criticality
    Approach 1: Find the Information Elsewhere
    Approach 2: Create the Information on a High Level
    Approach 3: Classify Critical Systems
    Identify Assets
    Checklists and Judgment
    Asset Sensitivity/Criticality Classification
    Approach 1: Find Asset Classification Information Elsewhere
    Approach 2: Create Asset Classification Information
    Approach 3: Determine Asset Criticality
    Asset Valuation
    Approach 1: Binary Asset Valuation
    Approach 2: Classification-Based Asset Valuation
    Approach 3: Rank-Based Asset Valuation
    Approach 4: Consensus Asset Valuation
    Approaches 5-7: Accounting Valuation Approaches
    Identifying Threats
    Threat Components
    Threat Agent
    Undesirable Events
    Listing Possible Threats
    Checklists and Judgment
    Threat Agent and Undesirable Event Pairing
    Threat Statements
    Validating Threat Statements
    Factors Affecting Threat Statement Validity
    Determine Expected Controls
    Exercises
    Notes
    References
    Bibliography

5 Data Gathering
    Sampling
    Sampling Objectives
    Sampling Types
    Use of Sampling in Security Testing
    Approach 1: Representative Testing
    Approach 2: Selected Sampling
    Approach 3: Random Sampling
    The RIIOT Method of Data Gathering
    RIIOT Method Benefits
    RIIOT Method Approaches
    Review Documents or Designs
    Interview Key Personnel
    Inspect Security Controls
    Observe Personnel Behavior
    Test Security Controls
    Using the RIIOT Method
    Exercises
    Notes
    References

6 Administrative Data Gathering
    Threats and Safeguards
    Human Resources
    Recruitment
    Employment
    Termination
    Organizational Structure
    Senior Management
    Security Program
    Security Operations
    Audit
    Information Control
    User Accounts
    User Error
    Asset Control
    Sensitive Information
    Business Continuity
    Contingency Planning
    Incident Response Program
    System Security
    System Controls
    Application Security
    Configuration Management
    Third-Party Access
    The RIIOT Method: Administrative Data Gathering
    Review Administrative Documents
    Documents to Request
    Review Documents for Clarity, Consistency, and Completeness
    Reviewing Documents Other than Policies
    Interview Administrative Personnel
    Administrative Interview Topics
    Administrative Interview Subjects
    Administrative Interview Questions
    Inspect Administrative Security Controls
    Listing Administrative Security Controls
    Verify Information Gathered
    Determine Vulnerabilities
    Document and Review Findings
    Inspect the Security Organization
    Observe Administrative Behavior
    Test Administrative Security Controls
    Information Labeling Testing
    Media Destruction Testing
    Account and Access Control Procedures Testing
    Outsourcing and Information Exchange
    Exercises
    Notes
    References
    Bibliography

7 Technical Data Gathering
    Technical Threats and Safeguards
    Information Control
    User Error
    Sensitive and Critical Information
    User Accounts
    Business Continuity
    Contingency Planning
    System Security
    System Controls
    Application Security
    Change Management
    Secure Architecture
    Topology
    Transmission
    Perimeter Network Components
    Access Control
    Intrusion Detection
    Configuration
    System Settings
    Data Security
    Storage
    Transit
    The RIIOT Method: Technical Data Gathering
    Review Technical Documents
    Technical Documents to Request
    Review Technical Documents for Information
    Review Technical Security Designs
    Interview Technical Personnel
    Technical Interview Topics
    Technical Interview Subjects
    Technical Interview Questions
    Inspect Technical Security Controls
    List Technical Security Controls
    Verify Information Gathered
    Determine Vulnerabilities
    Document and Review Findings
    Observe Technical Personnel Behavior
    Test Technical Security Controls
    Monitoring Technology
    Audit Logs
    Anti-Virus Systems
    Automated Password Policies
    Virtual Private Network
    Firewalls, IDS, and System Hardening
    Vulnerability Scanning
    Penetration Testing
    Testing Specific Technology
    Exercises
    Notes
    Reference
    Bibliography

8 Physical Data Gathering
    Physical Threats and Safeguards
    Utilities and Interior Climate
    Power
    Heat
    Humidity
    Fire
    Fire Impact and Likelihood
    Fire Safeguards
    Fire Alarm Systems
    Fire Alarm Installation Types
    Fire Suppression
    Fire Evacuation
    Flood and Water Damage
    Lightning
    Earthquakes
    Volcanoes
    Landslides
    Hurricanes
    Tornadoes
    Natural Hazards Summary
    Human Threats to Physical Security
    Personnel Screening
    Barriers
    Lighting
    Intrusion Detection
    Physical Access Control
    Preventing Unauthorized Entry
    Preventing Unauthorized Removal
    The RIIOT Method: Physical Data Gathering
    Review Physical Documents
    Physical Documents to Request
    Review Physical Documents for Information
    Interview Physical Personnel
    Physical Security Interview Topics
    Physical Security Interview Subjects
    Physical Security Interview Questions
    Inspect Physical Security Controls
    Listing Physical Security Controls
    Verify Information Gathered
    Determine Physical Vulnerabilities
    Document and Review Physical Findings
    Observe Physical Personnel Behavior
    Test Physical Security Safeguards
    Doors and Locks
    Intrusion Detection
    Exercises
    Notes
    References

9 Security Risk Analysis
    Determining Security Risk
    Uncertainty and Reducing Uncertainty
    Review Available Data
    Examine Historical Data
    Use Judgment
    Use Tools
    Use Conditional Probabilities
    Creating Security Risk Statements
    Team Review of Security Risk Statements
    Obtaining Consensus
    Deriving Overall Security Risk
    Exercises
    Notes
    References

10 Security Risk Mitigation
    Selecting Safeguards
    Method 1: Missing Control Leads to Implementing Safeguard
    Method 2: People, Process, Technology
    Method 3: Administrative, Physical, Technical
    Method 4: Preventive, Detective, Corrective
    Method 5: Available Technology
    Safeguard Solution Sets
    Safeguard Cost Calculations
    Justifying Safeguard Selections
    Justification through Judgment
    Cost-Benefit Analysis
    Establishing Security Risk Parameters
    Exercises
    Notes
    Bibliography

11 Security Risk Assessment Reporting
    Cautions in Reporting
    Pointers in Reporting
    Report Structure
    Executive-Level Report
    Base Report
    Appendices and Exhibits
    Document Review Methodology: Create the Report Using a Top-Down Approach
    Document Specification
    Draft
    Final
    Assessment Brief
    Action Plan
    Exercises
    Note
    References
    Bibliography

12 Security Risk Assessment Project Management
    Project Planning
    Project Definition
    Project Planning Details
    Project Phases and Activities
    Phases and Activities Scheduling
    Allocating Hours to Activities
    Project Resources
    Objectivity vs. Independence
    Internal vs. External Team Members
    Skills Required
    Team Skills
    Team Member Skills
    Project Tracking
    Hours Tracking
    Calendar Time Tracking
    Project Progress Tracking
    Taking Corrective Measures
    Obtaining More Resources
    Using Management Reserve
    Project Status Reporting
    Report Detail
    Report Frequency
    Status Report Content
    Project Conclusion and Wrap-Up
    Eliminating "Scope Creep"
    Eliminating Project Run-On
    Exercises
    Notes
    Reference

13 Security Risk Assessment Approaches
    Quantitative vs. Qualitative Analysis
    Quantitative Analysis
    Expected Loss
    Single Loss Expectancy
    Annualized Loss Expectancy
    Safeguard Value
    Quantitative Analysis Advantages
    Quantitative Analysis Disadvantages
    Qualitative Analysis
    Qualitative Analysis Advantages
    Qualitative Analysis Disadvantages
    Tools
    Lists
    Templates
    Security Risk Assessment Methods
    FAA Security Risk Management Process
    OCTAVE
    FRAP
    CRAMM
    NSA IAM
    Exercises
    Notes
    References

Index
More informationDesign of Enterprise Systems
Design of Enterprise Systems Theory, Architecture, and Methods Ronald E. Giachetti CRC Press Taylor &. Francis Group Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationGUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS
GUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS When used appropriately, identity management systems provide safety and security where they are needed. When used improperly, identity management
More informationSHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationINFORMATION TECHNOLOGY RISK MANAGEMENT PLAN
10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:
More informationCISO's Guide to. Penetration Testing. James. S. Tiller. A Framework to Plan, Manage, and Maximize Benefits. CRC Press. Taylor & Francis Group
CISO's Guide to Penetration Testing A Framework to Plan, Manage, and Maximize Benefits James S. Tiller CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is an imprint of the Taylor
More informationCommercial Practices in IA Testing Panel
Commercial Practices in IA Testing Panel March 22, 2001 Albuquerque, New Mexico First Information Assurance Testing Conference Sponsored by: Director, Operational Test and Evaluation Panel Members! Dr.
More informationChecklist for Vulnerability Assessment
Checklist for Vulnerability Assessment Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on
More informationIT Security Procedure
IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationSecurity, and Intelligence
Machine Learning Forensics for Law Enforcement, Security, and Intelligence Jesus Mena CRC Press Taylor &. Francis Group Boca Raton London NewYork CRC Press is an imprint of the Taylor & Francis Croup,
More informationSecurity Control Standard
Department of the Interior Security Control Standard Physical and Environmental Protection April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More information