UoB Risk Assessment Methodology
|
|
- Barnaby Sutton
- 8 years ago
- Views:
Transcription
1 [Type here] UoB Risk Assessment Methodology The Risk Assessment Methodology describes how information security risk will be managed, including guidance for assessing, scoring, choosing acceptance or treatment and the mechanisms for reviewing risk periodically. Last updated Q North 24 th April 2015 This document and other Information Services documents are held online on our website:
2 University of Brighton Information Services Contents 1 Risk Assessment Methodology Introduction Identification of Assets Identification of Threats Risk Analysis and Assessment Confidentiality Integrity Availability Financial & Reputation Risk Decision Risk Score Risk Treatment... 7 Page 2 24 th April 2015
3 UoB Risk Assessment Methodology Document Details Author Approver Creation Date Version Andy Whillance Quentin North 24 April Version History 0.1 Draft prepared by Andy Whillance 1.0 Final issue by Quentin North 1 Risk Assessment Methodology 1.1 Introduction The University is committed to understanding where the organisation might be at risk to loss of confidentiality, integrity or availability of any of its information assets. Identifying potential threats to information assets, and to understanding where specific vulnerabilities may cause those threats to be exploited will assist this. Any vulnerability deemed to pose an unacceptable risk must be treated. This will be done either by implementing a control to reduce the risk, transferring the risk, or by implementing regular monitoring, audit or checking of existing controls. Residual risk, documented in the Asset and Risk Register will be accepted by management at an annual Management Review meeting. 1.2 Identification of Assets The Information Security Management Representative will sit with a representative from each departmental area, to identify assets that must be protected. These assets will be held on the departmental asset register. 1.3 Identification of Threats Threats to information assets will be stated within a Risk Register for each department. Where a specific vulnerability exists, this will also be stated. Threats may include but will not be limited to: Confidentiality Integrity Availability Theft Database corruption Hardware failure Unauthorised access Incorrect input Comms Failure Employee misuse Unauthorised modification Accidental Damage Printed Thursday, 06 August 2015 Page 3
4 University of Brighton Information Services Hacking Public website hacking Malicious Damage Incorrect information handling Incorrect information storage Loss during receipt/delivery Multiple versions of key documentation Unmaintainable source code Unauthorised modification to configuration Environmental (Fire, Flood etc.) Denial of Service Attacks Unavailability of key staff Application failure 1.4 Risk Analysis and Assessment On at least an annual basis, each area which maintains a Risk Register must review the list of identified assets. A list of generic threats will be assessed for each asset and, where the person performing the assessment feels there is a material risk, this will be recorded in the register. Where threats are not thought to pose any risk there is no need to record this in the register. The Risk Register should only contain those threats that cause concern. For each threat listed, the likelihood of the vulnerability being exploited is assessed based on the following categories: Likelihood 1 Is unlikely ever to happen 2 Likely to happen at some point if not addressed 3 Likely to happen within the six months, or has happened recently. For each threat, the impact to the organisation should a vulnerability be exploited is assessed based on the following guidance. The tables below are a guide to the risk assessor. The highest score identified out of the categories below will be used as the risk impact score: Confidentiality Impact 1 Data going missing would be an inconvenience, but it is unlikely to result in any issue (e.g. Leak of an internal procedure) 2 Public exposure of confidential information would require at least Page 4 24 th April 2015
5 UoB Risk Assessment Methodology an apology to a small number of individuals. 3 Public exposure of confidential information would lead to significant embarrassment for the organisation. External interest would be possible. 4 Public exposure of confidential information would lead to significant negative media interest, fines by the ICO and could cause distress or harm to those people affected. External interest would be very likely Integrity Impact 1 Loss or corruption of data would not cause any immediate problems. The problem may or may not be rectified. 2 Loss or corruption of the asset would need to be fixed at some point. Resource would be required to do so. 3 Loss or corruption of the asset would need to be fixed in a short time-scale. Significant resources would be required to do so. External interest would be possible. 4 Loss or corruption of data would mean that significant areas of the organisation would be required to recover from the error. External interest would be very likely Availability Impact 1 The asset may not ever be replaced, or recovery could be done at any point in the future 2 Recovery from downtime would require some effort to recoup any data or work lost. The recovery could be planned for a future date. 3 Recovery from downtime would require significant resource, and would need to be completed as soon as possible. External interest would be possible. 4 Unavailability of the system or function could result in harm to individuals and would significantly affect organisation activities for a long period. Immediate recovery would be required. External interest would be very likely Financial & Reputation Impact 1 No significant financial cost 2 A potential cost in terms of departmental budgets 3 Potential fines or loss of contracts or revenue totalling 100,000 Printed Thursday, 06 August 2015 Page 5
6 University of Brighton Information Services or more. External interest would be possible. 4 Potential fines or loss of contracts or revenue totalling 100,000 or more. External interest would be very likely. 2 Risk Decision 2.1 Risk Score The risk score is calculated based on the product of likelihood and impact. Risk Score Permitted Action 12 Action must be taken to reduce the risk 9 Action should be taken to reduce the risk. The IS Governance Board may accept 8 Reduce or accept by the Governance Board and Risk Owner 6 Risk Owner must accept or seek to reduce risk 4 Risk Owner must accept or seek to reduce risk 3 Can be accepted without any treatment 2 Can be accepted without any treatment 1 Can be accepted without any treatment The decision above should be based on the following guidance: Low (Score 1-3) Where risk is scored as low (Green), acceptance may be assumed. No immediate or future action is required. Controls will be subject to monitoring as part of checks, Internal Audit, in order to verify that controls are being adequately enforced. Medium (4-7) Where risk is scored at low-medium (Yellow), asset owners may accept the risk, although the value of the asset against which the threat is noted will be taken into consideration. Resources should be allocated to investigate potential future controls, or improvements to existing controls. Some monitoring of existing controls may be initiated. High (8+) Where risk is scored as high (Red), the risk should be treated, either by implementation of a new control, improvement to existing controls or transferring the risk to a third party. Close monitoring of existing controls will be initiated until the risk is reduced. Risk must be reviewed on a more regular (monthly) basis. Where action is chosen (e.g. reduce, transfer, avoid) the residual risk will be recorded using the same formula as for the net risk. Page 6 24 th April 2015
7 UoB Risk Assessment Methodology 2.2 Risk Treatment At a Management Review, the highest risks will be discussed by the management team. A decision to accept, treat or transfer the risks will be stated and recorded in the Risk Register. Any actions assigned will be tracked by the Departmental Information Security Representative. Progress will be reviewed at regular management meetings. Printed Thursday, 06 August 2015 Page 7
University of Brighton School and Departmental Information Security Policy
University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives
More informationInformation Security Team
Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface
More informationGuidance on data security breach management
Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction
More informationOperational Risk Publication Date: May 2015. 1. Operational Risk... 3
OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...
More informationGuidance on data security breach management
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationInformation Incident Management Policy
Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationMANAGED WORKSTATIONS: Keeping your IT running
MANAGED WORKSTATIONS: Keeping your IT running What state are your PCs in? Systems running slowly? PCs or laptops crashing for no reason? Too much time trying to resolve simple IT issues? Out-of-date software?
More informationComputer Security Lecture 13
Computer Security Lecture 13 Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management
More informationPerforming Effective Risk Assessments Dos and Don ts
Performing Effective Risk Assessments Dos and Don ts % Gary Braglia Security Specialist GreyCastle Security TCTC March 18, 2013 Introduction Who am I? Why Risk Management? Because you have to Because
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationElectronic Signature Policy
Electronic Signature Policy June 2, 2010 ELECTRONIC SIGNATURE POLICY 1. Introduction 1.1. Background 1.1.1. New York State adopted an Electronic Signatures and Records Act (ESRA) which provides guidance
More informationTHE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31
THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control
More informationIssue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
More informationData Security Breach Management Procedure
Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG
More informationBusiness Continuity Planning in IT
Introduction: Business Continuity Planning in IT The more your business relies on its IT systems, the more you need to consider how unexpected disruptions might affect your business. These disruptions
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
More informationInformation Security
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
More informationData Security Breach Management - A Guide
DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process
More informationThe Influence of Software Vulnerabilities on Business Risks 1
The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal
More information1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services
1. Computer Security: An Introduction Definitions Security threats and analysis Types of security controls Security services Mar 2012 ICS413 network security 1 1.1 Definitions A computer security system
More informationOperational Risk Management Policy
Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well
More informationMitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
More informationCOMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance
Security Breach and Weakness Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Security Breach & Weakness
More informationRisk Assessment Guide
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationICT Disaster Recovery Plan
7 Appendix A ICT Disaster Recovery Plan Definition of a Disaster A computer disaster is the occurrence of any computer system or associated event which causes the interruption of business, leading in the
More informationOutsourcing and third party access
Outsourcing and third party access This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security
More informationUnit 3 Cyber security
2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:
More informationCyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen
Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationInformation security risk management using ISO/IEC 27005:2008
Information security risk management using ISO/IEC 27005:2008 Hervé Cholez / Sébastien Pineau Centre de Recherche Public Henri Tudor herve.cholez@tudor.lu sebastien.pineau@tudor.lu March, 29 th 2011 1
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationDisaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery
Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationSEC s Cybersecurity Risk Alert Part 2 of 3
SEC s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O Connor Davies, LLP Timothy M. Simons,
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationOnce more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer
Once more unto the breach... Dealing with Personal Data Security Breaches Helen Williamson Information Governance Officer Aims of the session What are we going to look at? What is a data security breach?
More informationIntroduction to Security
2 Introduction to Security : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l01, Steve/Courses/2013/s2/its335/lectures/intro.tex,
More information28400 POLICY IT SECURITY MANAGEMENT
Version: 2.2 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low 1. About This Policy 1.1. The objective of this policy is to provide direction and support for IT
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationRisk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.
Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C. Burget September 14, 2014 1 Agenda Information Assurance
More informationa Medical Device Privacy Consortium White Paper
a Medical Device Privacy Consortium White Paper Introduction The Medical Device Privacy Consortium (MDPC) is a group of leading companies addressing health privacy and security issues affecting the medical
More informationData Security Breach Incident Management Policy
Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...
More informationSchedule 5: SaaS Premium Service Level Agreement
Schedule 5: SaaS Premium Service Level Agreement Service Level Agreement Number - - - - - _- _- _- _ ( ) Document Version: SLA (with SAAS) V_1_4 Contents 1. Provision of Service Warranty 3 1.1. Formula
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationInstitute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander
Institute of Internal Auditors Cyber Security Birmingham Event 15 th May 2014 Jason Alexander Introduction Boards growing concern with Cyber Risk Cyber risk is not new, but incidents have increased in
More informationTom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh
Effectively Completing and Documenting a Risk Analysis Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS Session Objectives Identify the difference between risk analysis and risk assessment
More informationRISK MANAGEMENT STRATEGY
RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationCouncil, 14 May 2015. Information Governance Report. Introduction
Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom
More informationExternal Penetration Assessment and Database Access Review
External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management
More informationHow to Practice Safely in an era of Cybercrime and Privacy Fears
How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,
More informationCYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS
CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS These Cybersecurity Testing and Certification Service Terms ( Service Terms ) shall govern the provision of cybersecurity testing and certification services
More informationNetwork Security Policy
IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service
More informationRisk Management Policy
Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012
More informationRISK ASSESSMENT GUIDELINES
RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationWill we be in trouble? How information laws are enforced
Will we be in trouble? How information laws are enforced Max Todd Information Compliance team, Council Secretariat Wednesday 23 September 2015 Breaches of data security - read all about it London clinic
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationOur Colorado region is offering a FREE Disaster Recovery Review promotional through June 30, 2009!
Disaster Recovery Review FREE Promotional Offer Our Colorado region is offering a FREE Disaster Recovery Review promotional through June 30, 2009! This review is designed to help the small business better
More informationINSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.
Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation
More informationPolicy Document. Communications and Operation Management Policy
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
More informationInformation Security Incident Management Policy and Procedure
Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure
More informationDemystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature
Demystifying Cyber Insurance Jamie Monck-Mason & Andrew Hill Introduction What is cyber? Nomenclature 1 What specific risks does cyber insurance cover? First party risks - losses arising from a data breach
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationEliminating Infrastructure Weaknesses with Vulnerability Management
A Guidance Consulting White Paper P.O. Box 3322 Suwanee, GA 30024 678-528-2681 http://www.guidance-consulting.com Eliminating Infrastructure Weaknesses with Vulnerability Management By Guidance Consulting,
More informationThe Ministry of Information & Communication Technology MICT
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
More informationCYBER RISK SECURITY, NETWORK & PRIVACY
CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread
More informationBUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04
BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:
More informationResidual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)
Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationIT Service Management
IT Service Management VNUG Conference 2013-09-04 Anders Stenmark Business Critical Consultant, HP Agenda Introduction Reliable service delivery ITSM ITSM Assessments 2 Introduction Anders Stenmark Business
More informationInformation Security Policy
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
More informationCITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard
CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information
More informationNIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities
Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.
More informationCOMHAIRLE NÁISIÚNTA NA NATIONAL COUNCIL FOR VOCATIONAL AWARDS. Consultative Draft Module Descriptor. Network Security.
COMHAIRLE NÁISIÚNTA NA gcáilíochtaí GAIRMOIDEACHAIS NATIONAL COUNCIL FOR VOCATIONAL AWARDS Consultative Draft Module Descriptor Network Security Level 6 C30260 January 2006 1. Module Title Network Security
More information5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS
5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS 1 Introduction As small and mid-sized companies rely more heavily on their computer networks to
More informationG-Cloud Definition of Services Security Penetration Testing
G-Cloud Definition of Services Security Penetration Testing Commercial in Confidence G-Cloud Services An Overview Inner Security is a leading CREST registered information security services provider. We
More informationBusiness Continuity Plan
Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions
More informationSecurity Incident Management Policy
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
More informationGUIDE TO MANAGING DATA BREACHES
8 MAY 2015 CONTENT PURPOSE OF THE GUIDE 3 INTRODUCTION 4 HOW DATA BREACHES COULD OCCUR 5 RESPONDING TO A DATA BREACH 6 i. DATA BREACH MANAGEMENT PLAN 6 ii. CONTAINING THE BREACH 7 iii. ASSESSING RISK AND
More informationBusiness Continuity and Disaster Survival Strategies for the Small and Mid Size Business. www.integrit-network.com
Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business www.integrit-network.com Business Continuity & Disaster Survival Strategies for the Small & Mid Size Business AGENDA:
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationCyber and Data Security. Proposal form
Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which
More informationCyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac.
Cyril Onwubiko Networking and Communications Group http://ncg ncg.kingston.ac..ac.uk http://ncg.kingston.ac.uk +44 (0)20 8547 2000 Security Threats & Vulnerabilities in assets are two most fundamental
More informationInformation Technology Services Information Security Incident Response Plan
Information Technology Services Information Security Incident Response Plan Authors: Peter Hamilton Security Manager Craig Collis Head of Risk, Quality and Continuity Date:1/04/2014 Version:1.3 Status:Final
More information5.5. Penetration Tests. Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council
Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council 5.5 For the Year Ended December 31, 2013 Penetration Tests 5.5. Penetration Tests Table
More informationVersion: 3.0. Effective From: 19/06/2014
Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016
More informationPAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA
1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand
More informationCalifornia State University, Chico. Information Security Incident Management Plan
Information Security Incident Management Plan Version 0.8 January 5, 2009 Table of Contents Introduction... 3 Scope... 3 Objectives... 3 Incident Management Procedures... 4 Roles and Responsibilities...
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationPARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN
PARLIAMENTARY AND EALT SERVICE OMBUDSMAN Information Security Breach Policy Version 2.0 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body:
More informationUF Risk IT Assessment Guidelines
Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an
More informationBusiness Continuity Planning
Business Continuity Planning We believe all organisations recognise the importance of having a Business Continuity Plan, however we understand that it can be difficult to know where to start. That s why
More information