Central Agency for Information Technology
- Harold Preston
- 8 years ago
Central Agency for Information Technology
Kuwait National IT Governance Framework
Information Security
Agenda
1. Manage security policy
2. Information security management system procedure
3. Manage security services policy
4. Access management procedure
Objective and scope
Objective: Establish a basic minimum set of requirements that should be adopted by all Kuwait government ministries to better protect their information assets.
Scope: All IT services being managed by the IT departments of government ministries.
Roles and responsibilities
- Senior Management of government ministries: Shall be responsible for ensuring that commitment towards best practices and processes is adopted and sustained towards managing the ISMS.
- Management Forum/Steering Committee: Shall be responsible for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS. The committee shall be the owner of this policy. The owner shall be responsible for maintaining and reviewing the applicability of the policy based on a defined review mechanism.
- Information Security Manager (ISM): Shall be responsible for the initiation, implementation and follow-up of all measures related to information security within the IT department. The ISM shall ensure adherence to this policy within the IT department, shall provide security advice and analyze, review and resolve all issues related to information security, and will give direction and manage the processes related to information security management.
- Information Security Task Force (ISTF): Shall assist the ISM in the smooth implementation and functioning of the ISMS.
- Audit Committee: Shall be responsible for scheduling and conducting independent internal audits. Independence and confidentiality shall be maintained by auditors irrespective of the nature of their jobs.
- Human Resource department: Shall be responsible for skill development, and for providing training and awareness for end users, IT personnel, vendors and third party employees as per their job requirements.
Information security management system
Policy: An ISMS policy shall be defined, supported and authorized by senior management. Roles and responsibilities shall be defined and communicated to all stakeholders.
Risk management
Policy: Risk management shall be performed periodically in high-risk areas, and a risk treatment plan shall be developed.
Risk management (contd)
Introduction: Risk management includes the tasks and activities associated with assessing, mitigating and preventing threats to the organization. A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system.
Approach: Information security risk management comprises the following stages:
- Risk identification
- Risk estimation and analysis
- Risk treatment
- Risk communication
- Risk review
Risk management process flow
- Establish context
- Risk assessment: risk identification, risk analysis, risk evaluation
- Is risk assessment completed? If no, return to risk assessment; if yes, proceed to risk treatment
- Risk treatment: risk reduction, risk avoidance, risk transfer, risk acceptance
- Is risk treatment completed? If no, return to risk treatment; if yes, proceed to risk monitoring, review and communication
- Risk monitoring, review and communication
Monitor and review ISMS
Policy: Execute monitoring and reviewing procedures and other controls to determine whether the actions taken to resolve a breach of security were effective.
Manage Security Services
- Protection against malware
- Manage network and connectivity security
- Manage endpoint security
- Manage user identity and logical access
- Manage physical access to IT assets
- Manage sensitive documents and output devices
- Audit logging and monitoring
- Cryptography and digital signature security
- Password reset procedure
- Media handling
Protection against malware
Policy: Establish protection tools against all forms of malware, control their proper function, and train users on appropriate behaviour.
Procedure:
- Regular system patching of network devices, servers and all workstations
- Servers, networks and systems should have anti-virus installed to detect malicious software and file attachments
- Real-time scanning should be enabled on all systems, servers/workstations and network devices to detect malicious software during non-peak traffic hours
Manage network and connectivity security
Policy: Design, establish and operate the network in a way that prohibits unauthorized access and provides the necessary provisions against external attacks.
Procedure:
- General network security
- Virtual private network security
- Network routing security
- Remote access security
- Router, switch and firewall security
- Mobile computing security
General network security
- Network configuration details should be restricted to authorized personnel only
- Computers and network devices should be protected by password-protected user IDs, based on business needs and role requirements
- All network services, including the privileges required for access, must be reviewed on a periodic basis
- A network service job function matrix is maintained in which types of privileges are mapped to the functions of personnel
Virtual private network security
- All VPN traffic shall be protected using strong encryption, and all VPN users will authenticate to the VPN server using their ID and password
- VPN access should be given to vendors only after obtaining sufficient approval
- VPN client systems should be protected from unauthorized access
Network routing security
- Access Control Lists (ACLs) should be configured to ensure that only legitimate inbound and outbound network traffic is enabled, and to prevent unauthorized access to resources
- Firewalls or routers should be used for external routing to hide internal IP addresses
- Layer 3 switch capabilities should be used to route traffic between all logical subnet networks
- Remote access accounts should be reviewed on a monthly basis, and accounts inactive for more than 90 days should be disabled
Router, switch and firewall security
- Physical access to the network room should be properly restricted
- Routers, switches and firewalls should be configured to use AAA to control access to these devices
- Ensure that the version of OS/firmware loaded on all devices is the latest stable release
- Network devices should be tested for proper operation after an upgrade before being put into the production environment
- Session timeout should be set on all network devices
- Logs on network devices should be examined on a weekly basis
- Device software, configuration data, database files, etc. should be backed up frequently
Manage endpoint security
Policy: Establish the necessary endpoint security on all devices, implement appropriate deployment processes and control effective operation of endpoint security tools.
Manage endpoint security procedure
- Ensure the endpoint security solution is updated with the latest definitions
- Install and configure the endpoint security solution to enable encryption
- Ensure strong encryption algorithms are used for encrypting data
Manage user identity and logical access
Policy: Manage access of all users based on need-to-know principles and control adherence to access control policies.
Sub-processes under identity and access management:
- User ID management
- User ID nomenclature
- Privileged user ID maintenance
- Secure log-on procedures
- Use of system utilities
- Limitation of connection time
- Session time-out
- Information access restriction
- Sensitive system isolation
User ID management
- Disable accounts if inactive for more than 90 days
- Issue unique user IDs and restrict sharing
- Revoke user IDs of resigned employees
- Default accounts must be renamed
- Temporary user IDs should be disabled after the stipulated time
User ID nomenclature
- User ID creation shall follow a defined nomenclature
- Provision to distinguish contractor and temporary user IDs
Privileged user ID maintenance procedure
- Administrator accounts shall not be used for normal daily activities
- Privileged user IDs should be restricted
- Requests for privileged user ID creation and modification shall follow the approval process
- Privileged user ID passwords should be changed every 45 days
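The user ID management, nomenclature and privileged ID rules on the three slides above can be checked mechanically against an account inventory. The following audit script is an added example, not part of the framework document: the account records are constructed sample data, the field layout is assumed, the "c-"/"t-" prefixes are an assumed nomenclature (the framework only requires that contractor and temporary IDs be distinguishable), and the list of vendor default account names is illustrative.

```python
"""Account-hygiene audit for the user ID management rules (added example).

Thresholds come from the slides: disable IDs inactive for more than 90 days,
change privileged passwords every 45 days, rename default accounts, disable
temporary IDs after their stipulated time, revoke IDs of resigned employees,
and do not share IDs. Everything else (field names, prefixes) is assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)              # disable if inactive more than 90 days
PRIVILEGED_PASSWORD_MAX_AGE = timedelta(days=45)   # privileged passwords change every 45 days
DEFAULT_ACCOUNT_NAMES = {"administrator", "admin", "root", "guest"}  # assumed vendor defaults
KIND_PREFIX = {"contractor": "c-", "temporary": "t-"}                # assumed nomenclature


@dataclass
class Account:
    user_id: str
    kind: str                        # "permanent", "privileged", "contractor" or "temporary"
    last_login: date
    password_changed: date
    expires: Optional[date] = None   # stipulated end date, temporary IDs only
    employment_active: bool = True
    enabled: bool = True
    shared: bool = False             # known to be used by more than one person


def audit_account(acct: Account, today: date) -> list:
    """Return the policy findings for one account (an empty list means compliant)."""
    findings = []
    if not acct.enabled:
        return findings  # already disabled: nothing further to act on
    if today - acct.last_login > INACTIVITY_LIMIT:
        findings.append("inactive for more than 90 days: disable")
    if not acct.employment_active:
        findings.append("employee has resigned: revoke user ID")
    if acct.user_id.lower() in DEFAULT_ACCOUNT_NAMES:
        findings.append("default account name: rename")
    if acct.kind == "temporary" and acct.expires is not None and today > acct.expires:
        findings.append("temporary ID past stipulated time: disable")
    if acct.kind == "privileged" and today - acct.password_changed > PRIVILEGED_PASSWORD_MAX_AGE:
        findings.append("privileged password older than 45 days: change")
    if acct.shared:
        findings.append("shared user ID: issue unique IDs")
    # Nomenclature: contractor and temporary IDs must carry their prefix, staff IDs must not.
    expected = KIND_PREFIX.get(acct.kind)
    if expected is not None and not acct.user_id.startswith(expected):
        findings.append(f"{acct.kind} ID does not carry the '{expected}' prefix")
    elif expected is None and acct.user_id[:2] in KIND_PREFIX.values():
        findings.append("staff ID uses a contractor/temporary prefix")
    return findings


def run_audit(accounts: list, today: date) -> dict:
    """Map each non-compliant user ID to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.user_id] = findings
    return report


TODAY = date(2024, 3, 1)

# Constructed sample records (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("aalsabah", "permanent", date(2024, 2, 20), date(2024, 1, 10)),
    Account("administrator", "privileged", date(2024, 2, 28), date(2023, 12, 1)),
    Account("c-jsmith", "contractor", date(2023, 11, 1), date(2023, 10, 1)),
    Account("t-vendor01", "temporary", date(2024, 2, 10), date(2024, 1, 5), expires=date(2024, 2, 15)),
    Account("jdoe", "permanent", date(2024, 2, 25), date(2024, 1, 1), employment_active=False),
    Account("ops-shared", "permanent", date(2024, 2, 28), date(2024, 2, 1), shared=True),
    Account("msmith", "contractor", date(2024, 2, 27), date(2024, 2, 1)),
]

if __name__ == "__main__":
    for user_id, findings in run_audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(user_id)
        for finding in findings:
            print("  -", finding)
```

Run against a real directory export, the same checks would be fed from the directory's last-logon and password-set timestamps; the point of the script is that every rule on the slides reduces to a comparison the audit committee can rerun on a schedule rather than verify by hand.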
Secure log-on procedures
- Display a proper login banner
- Hide previously logged-on user information
- All login information must be logged
- Implement lock-out after more than 3 successive login failures
- Passwords should not be displayed or transmitted over the network
Use of system utilities
- Segregate system utilities from application software
- Unnecessary system utilities should be removed
- Limit the number of systems from which system utilities may be run
Manage user identity and logical access
Limitation of connection time:
- Users are allowed to connect to sensitive/high-risk applications only during certain periods
- Users are also forced to re-authenticate at certain intervals to prevent them from holding sessions open indefinitely
Session time-out:
- An idle session to an information system should be terminated after 10 minutes of user inactivity
- A password-protected screen saver should be activated after 10 minutes of inactivity
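The lock-out rule from the secure log-on slide (more than 3 successive failures) and the idle-session rule from the slide above (terminate after 10 minutes of inactivity) are both state machines over an authentication event stream. The replay below is an added example, not part of the framework document: the log line format ("<timestamp> user=<id> event=<EVENT>") and the sample lines are constructed, while the two thresholds are the ones stated on the slides.

```python
"""Lock-out and idle-session enforcement replayed over an authentication log (added example).

Log format and sample lines are constructed; thresholds are from the slides:
lock out after more than 3 successive login failures, and terminate a session
after 10 minutes of user inactivity.
"""
import re
from datetime import datetime, timedelta

MAX_SUCCESSIVE_FAILURES = 3            # the 4th successive failure locks the ID
IDLE_TIMEOUT = timedelta(minutes=10)   # idle sessions are terminated after 10 minutes

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>LOGIN_OK|LOGIN_FAIL|ACTIVITY|LOGOUT)$"
)


def parse_line(line: str):
    """Parse one constructed-format log line into (timestamp, user, event)."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["user"], m["event"]


class AccessMonitor:
    """Tracks successive failures, locked IDs and the last activity time of each session."""

    def __init__(self) -> None:
        self.failures = {}   # user -> count of successive failures
        self.locked = set()  # user IDs currently locked out
        self.sessions = {}   # user -> time of last activity in the open session

    def handle(self, ts: datetime, user: str, event: str) -> str:
        if user in self.locked and event in ("LOGIN_FAIL", "LOGIN_OK"):
            return "rejected: ID locked"          # a correct password is refused once locked
        if event == "LOGIN_FAIL":
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] > MAX_SUCCESSIVE_FAILURES:
                self.locked.add(user)
                return "locked out"
            return "login failed"
        if event == "LOGIN_OK":
            self.failures[user] = 0               # a success ends the run of failures
            self.sessions[user] = ts
            return "session opened"
        if event == "ACTIVITY":
            last = self.sessions.get(user)
            if last is None:
                return "no session: re-authenticate"
            if ts - last > IDLE_TIMEOUT:
                del self.sessions[user]           # session exceeded the idle limit
                return "session expired: re-authenticate"
            self.sessions[user] = ts
            return "ok"
        if event == "LOGOUT":
            self.sessions.pop(user, None)
            return "session closed"
        raise ValueError(f"unknown event {event!r}")


def replay(lines: list) -> list:
    """Return the decision taken for each log line, in order."""
    monitor = AccessMonitor()
    return [monitor.handle(*parse_line(line)) for line in lines]


# Constructed sample log: jdoe recovers after two failures, then lets the session go idle;
# asmith fails four times in a row and is then refused even with a valid login.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 user=jdoe event=LOGIN_FAIL",
    "2024-03-01T09:00:10 user=jdoe event=LOGIN_FAIL",
    "2024-03-01T09:00:20 user=jdoe event=LOGIN_OK",
    "2024-03-01T09:05:00 user=jdoe event=ACTIVITY",
    "2024-03-01T09:20:00 user=jdoe event=ACTIVITY",
    "2024-03-01T09:21:00 user=jdoe event=ACTIVITY",
    "2024-03-01T09:30:00 user=asmith event=LOGIN_FAIL",
    "2024-03-01T09:30:10 user=asmith event=LOGIN_FAIL",
    "2024-03-01T09:30:20 user=asmith event=LOGIN_FAIL",
    "2024-03-01T09:30:30 user=asmith event=LOGIN_FAIL",
    "2024-03-01T09:31:00 user=asmith event=LOGIN_OK",
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{line}  ->  {decision}")
```

Two design points matter for the control to be effective: the failure counter resets only on a successful login, so spreading attempts across separate sessions does not evade the lock-out, and the idle check is applied at the next activity rather than by a timer, which is what makes the same logic usable both inside an application and as an after-the-fact audit over the log.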
Information access restriction
- Access to system functions restricted via menu and interface structure design
- Set up security groups based on user role and access to data
- Applications should only access production and configuration data
- Audit log access should be restricted to the respective application administrators
Sensitive system isolation
- Sensitive systems should operate in a separate environment from operational systems
Manage physical access to IT assets
Policy: Put physical controls in place to ensure that access to premises is restricted to authorized persons; manage access tokens; and control and monitor physical access.
Procedure:
- Identification card (ID card) issuance to permanent staff
- Reissuing identification card (ID card) to existing staff / lost card
- Access card issuance to permanent and temporary staff
- Reissuing access card to existing staff / lost card
- Access card issuance to new third party contract staff and service providers
- Reissuing of access card to existing third party contract staff and service provider staff / lost card
Manage sensitive documents and output devices
Policy: Establish procedures to identify sensitive documents and media and enforce the application of suitable protection mechanisms to these documents and media.
Sub-processes under sensitive document management:
- Information identification, classification and labelling
- Handling and storage of information
- Distribution of information
- Disposal of information
- Downgrading/declassification of information
Audit logging and monitoring
Policy: Deploy the necessary system capabilities to log security events, collect event information and perform proper analysis.
Sub-processes under audit logging & monitoring:
- Audit logging
- Protection of log information
- Administrator and operator logs
- Fault logging
- Clock synchronization
Audit logging and monitoring (contd)
Audit logging:
- Monitoring should be enabled for applications/systems
- Audit logs and system logs should be reviewed and kept for an agreed period
Protection of log information:
- Access to log files should be restricted to authorized users
- Log files should be backed up regularly and retained for a period of time
Clock synchronization
- A network time server should be implemented
- The network time server should be synchronized with a trusted internet time server (e.g., time.windows.com)
Cryptography and digital signature security
Use encryption and digital signatures where appropriate.
Policy: Protect cryptographic material against unauthorized access and perform any cryptographic functions only in line with legal regulations.
Sub-processes under cryptography & digital signature:
- General cryptography and digital signature
- Key management
- Data-in-transit
- Data-at-rest
- Asymmetric key lifetime
General cryptography and digital signature
- Access to encryption software should be given to personnel who handle confidential information
- Secret information in and passwords must be encrypted when data is at rest or transmitted over the network
- Unique digital certificates must be deployed to transfer information on all internet commerce servers
- Information systems should support symmetric and asymmetric key encryption
Key management
- All symmetric cryptographic keys must be randomly generated
- When symmetric encryption is used, policies will be applied depending on whether the data is in transit or at rest
Data-in-transit
- Master keys must be changed once a year
- The 128-bit encryption standard must be used
- Key-encrypting keys must be changed once a fortnight
- Data-encrypting keys must be changed per session
Data-at-rest
- Key-encrypting keys must be changed every six months
- Master keys must be changed every year
- Data-encrypting keys must be changed every year
- Master keys for inactive data must be changed every two years
Asymmetric key lifetime
- Cryptographic keys must be encrypted or stored on a security token
- The lifetime of asymmetric keys is dictated by the certificate policy document
- Encryption keys must be strictly protected from unauthorized access
- Keys associated with archived data must be archived
- Inactive cryptographic keys must be deleted or destroyed
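The rotation periods on the data-in-transit and data-at-rest slides, together with the archive and destruction rules above, form a small lifecycle policy that a key inventory can be checked against. The checker below is an added example, not part of the framework document: the key inventory records and their field names are constructed, "a fortnight" is modelled as 14 days and "six months" as 182 days (an assumption, since the slides give no exact day count), and the rotation limits themselves are the ones stated on the slides.

```python
"""Key rotation and lifecycle check for the symmetric key rules on the slides (added example).

Inventory records are constructed. Limits from the slides:
  in transit: master 1 year, key-encrypting key 1 fortnight, data-encrypting key per session
  at rest:    key-encrypting key 6 months, master 1 year (2 years for inactive data),
              data-encrypting key 1 year
  keys for archived data are archived; inactive keys are deleted or destroyed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DAYS_FORTNIGHT = 14
DAYS_SIX_MONTHS = 182   # assumption: the slides say "six months" without a day count
DAYS_YEAR = 365
DAYS_TWO_YEARS = 730


@dataclass
class Key:
    key_id: str
    context: str                  # "in-transit" or "at-rest"
    role: str                     # "master", "kek" (key-encrypting) or "dek" (data-encrypting)
    created: date                 # date the current key material was generated
    key_status: str = "active"    # "active" or "inactive"
    data_state: str = "active"    # state of the protected data: "active", "inactive", "archived"
    key_archived: bool = False    # key has been placed in the archive with its data
    sessions_used: int = 1        # number of sessions an in-transit DEK has served


def rotation_limit_days(key: Key) -> Optional[int]:
    """Maximum age in days before the key must be changed; None means per-session."""
    if key.context == "in-transit":
        return {"master": DAYS_YEAR, "kek": DAYS_FORTNIGHT, "dek": None}[key.role]
    if key.context == "at-rest":
        if key.role == "master":
            return DAYS_TWO_YEARS if key.data_state == "inactive" else DAYS_YEAR
        return {"kek": DAYS_SIX_MONTHS, "dek": DAYS_YEAR}[key.role]
    raise ValueError(f"unknown context {key.context!r}")


def check_key(key: Key, today: date) -> list:
    """Return the policy findings for one key (an empty list means compliant)."""
    findings = []
    if key.key_status == "inactive":
        findings.append("inactive key still present: delete or destroy")
        return findings  # rotation is irrelevant for a key that should no longer exist
    if key.data_state == "archived" and not key.key_archived:
        findings.append("data archived but key not archived")
    limit = rotation_limit_days(key)
    age = (today - key.created).days
    if limit is None:
        if key.sessions_used > 1:
            findings.append(f"in-transit DEK reused across {key.sessions_used} sessions: change per session")
    elif age > limit:
        findings.append(f"{key.context} {key.role} is {age} days old, limit {limit}: rotate")
    return findings


def check_inventory(keys: list, today: date) -> dict:
    """Map each non-compliant key ID to its findings."""
    report = {}
    for key in keys:
        findings = check_key(key, today)
        if findings:
            report[key.key_id] = findings
    return report


TODAY = date(2024, 3, 1)

# Constructed sample inventory (not real key material or identifiers).
SAMPLE_KEYS = [
    Key("kek-transit-01", "in-transit", "kek", date(2024, 2, 1)),
    Key("master-transit-01", "in-transit", "master", date(2023, 6, 1)),
    Key("dek-transit-77", "in-transit", "dek", date(2024, 2, 29), sessions_used=3),
    Key("master-rest-01", "at-rest", "master", date(2023, 1, 15)),
    Key("master-rest-cold", "at-rest", "master", date(2022, 9, 1), data_state="inactive"),
    Key("kek-rest-02", "at-rest", "kek", date(2023, 8, 1)),
    Key("dek-rest-03", "at-rest", "dek", date(2023, 5, 1), key_status="inactive"),
    Key("dek-rest-09", "at-rest", "dek", date(2023, 12, 1), data_state="archived"),
]

if __name__ == "__main__":
    for key_id, findings in check_inventory(SAMPLE_KEYS, TODAY).items():
        print(key_id)
        for finding in findings:
            print("  -", finding)
```

The per-session rule for in-transit data-encrypting keys is the one case that cannot be expressed as an age, so the checker tracks a session count instead; everything else is a plain age comparison, and the two-year allowance for master keys over inactive data is applied only when the inventory records the data as inactive.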
Password policy
- Ensure that passwords are used securely: only strong passwords are used, and passwords are known only to the respective user
- Automated tools are used to the extent possible to enforce the use of strong passwords
Password reset procedure
1. Password reset request initiation
2. Request recording
3. Request acceptance and user verification
4. Request execution
5. Request closure
Password reset procedure (contd)
Password reset request initiation: The user must initiate the password reset request by contacting the Service Desk via /phone/in person.
Request recording: The Service Desk must record the password reset request and note the requestor details.
Request acceptance and user verification: The Service Desk must verify the details of the user based on user factors such as data verification, voice recognition and employee ID validation.
Media handling
Policy: Electronic and paper-based information storage media need to be handled according to established procedures. Storage facilities which are intended for this purpose shall be used. Appropriate media disposal procedures need to be followed.
Sub-processes under media handling:
- Management of removable media
- Disposal of media
- Security of system documentation
Media handling (contd)
Management of removable media: Removable media should be identified, classified, labelled, stored and handled according to the asset management procedure document.
Disposal of media: Media should be disposed of safely and securely as per the Asset Management Procedure document.
Security of system documentation: System documentation should be classified, labelled and stored as per the Asset Management Procedure document.
Access management procedure
Objective and scope
Objective: The objective of this procedure is to establish security requirements so that access to information resources is controlled and the access rights granted to users are limited to their business roles.
Scope: Applies to all access granting, monitoring and revoking requests that are applicable to the IT environment.
Other key policy statements
Security awareness: Basic security awareness training shall be provided to all information system users, including third party users and contractors.
Compliance management: Comply with regulatory, contractual and statutory requirements by using technical controls, system audits and legal awareness.
Data protection and privacy of personal information: Appropriate measures shall be implemented to protect personal information as per the relevant legislation, regulation and contractual requirements.
Other key policy statements (contd)
Human resources security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.
Third party service delivery management: Controls must be in place to ensure all third party services comply with the agreed service level agreements. The Government Ministry shall ensure that all the security controls, service definitions and delivery levels included in the third party service providers' contracts are implemented, operated and maintained by the service provider.
Clear screen and clear desk: Screens and desks shall not reveal any confidential information when unattended. It is the user's responsibility to prevent unauthorized persons from looking at screens, etc.
Metrics
Metrics serve to provide transparency on compliance with security policies. Example metrics are:
- Number of security-related incidents reported, logged, tracked and resolved in a timely manner
- Number of identified vulnerabilities or threats not adequately addressed in the previous risk assessment report
- Number of internal audits conducted and the results discussed during management review meetings
- Number of management review meetings executed against those planned as per policy
Critical success factors
- Commitment and support from senior management
- Adequate financial and human resources
- Distribution of guidance on information security policy and standards to all managers, employees and other parties
- Roles and responsibilities for the ISMS are allocated and clearly communicated
- Periodic risk assessment carried out as planned and/or prior to any change
- Implementation of controls in line with the risk treatment plan/security plan
- Proactive management approach towards security awareness for all end users, employees, third party users, vendors and contractors
Thank you
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationHardware and Software Security
Today, with the big advancement of technology and the need to share data globally at all time. Security has become one of the most important topics when we talk about data sharing. This means that the
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationA Rackspace White Paper Spring 2010
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationInformation Security Management. Audit Check List
Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts
More informationGeneral Standards for Payment Card Environments at Miami University
General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationSTRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction
Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,
More informationUniversity of Aberdeen Information Security Policy
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationCSU, Chico Credit Card PCI-DSS Risk Assessment
CSU, Chico Credit Card PCI-DSS Risk Assessment Division/ Department Name: Merchant ID Financial Account Location (University, Auxiliary Organization) Business unit functional contact: : Title: Telephone:
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationConsensus Policy Resource Community. Lab Security Policy
Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationCyber Self Assessment
Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More information1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
More informationUMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY Originator: IT Performance and Capacity Management Policy Approval and Version Control Approval Process: Position or Meeting
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationICT OPERATING SYSTEM SECURITY CONTROLS POLICY
ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationQuestion Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
More informationADM:49 DPS POLICY MANUAL Page 1 of 5
DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationPCI and PA DSS Compliance Assurance with LogRhythm
WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security
More informationMinnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More information