Certification of Externally Developed Software
Craig A. Schiller
Payoff

Developers of large systems spend thousands of dollars ensuring that the software they create performs as expected, that no unauthorized changes have been introduced, that the individuals hired to develop the system are of good character and background, that the system complies with laws and regulations, and that security safeguards are present and functionally correct. However, many developers add such support programs as a database management system or an operating system with little or no measures to ensure or determine that the preceding concerns have been addressed. This first in a series of two articles discusses an approach to gathering assurances to support the certification (for use in systems) of software developed outside of the organization's control.

Problems Addressed

For years, the software engineering community has used certification as a means of ensuring that large critical systems (usually government-related) are accurate, correct, and ready for operational use. Certification was used primarily to validate code that was developed locally. It was assumed that commercial off-the-shelf software was not a threat to the system. As applications grew in size and complexity, pressure increased to reduce their time to market, and as the number of individuals involved in commercial software development increased, the number of errors and incidents of malicious code also increased. The problem is aggravated by an attitude called the shrink-wrapped syndrome that has been inherited from the non-programming world. It is usually assumed that a shrink-wrapped or sealed package is better than an open package. The food and drug industry is highly regulated to build confidence and to protect the public. Unfortunately, the message is so strong that it carries over into such unregulated industries as software development.
The result is that usually cautious software engineers place unwarranted trust in shrink-wrapped software. When problems occur, the developer usually has little recourse because commercial off-the-shelf (COTS) software rarely includes source code or warranties. If enough other users have experienced a similar problem, the COTS developer may make an out-of-cycle fix available. Otherwise, if it is fixed, the developer must wait for the next official version release. The local software developer is ultimately responsible for the performance of the system being developed, regardless of whether the source of the problem is traced to locally developed code or to a COTS product. COTS products represent one category of software that may be assumed trustworthy, but the issue exists for all externally developed software (i.e., software that was developed outside of the security professional's control). The difference between internally developed software and externally developed software is control of the development process, knowledge gathered during development, and the ability to perform detailed tests based on that knowledge. The controlled gathering of knowledge about an internally developed system is fundamental to the concept of certification. This article presents a body of collectable knowledge that may be used to guide the determination of the content and extent of tests to reduce the threat from externally developed software.
Certification Concepts Used on Developed Software

Certification of software developed for government use is a well-documented process. The most recognized description of certification is in the Federal Information Processing Standard (FIPS) 102 publication. The objective of the certification process is to ensure that a system is accurate and correct, that it meets all applicable federal laws and directives, and that its security safeguards work as intended. The certification process relies on a significant (but unspecified) development infrastructure. Software developers may respond in several different ways to meet these requirements. Most attempts to address certification include a formal software development life cycle that provides for the following:

- Clear, testable requirements.
- Traceability of requirements through the specification, design, coding, testing, and integration phases.
- Internal controls to ensure that the system that is tested is the same system that was specified, designed, and coded.
- Test results demonstrating that the system met its requirements accurately and correctly, and tests of the security safeguards demonstrating that they work as intended.

Although these processes directly address the requirements for certification, other less direct processes and controls are usually necessary. For example, configuration management processes are necessary to ensure that changes are not introduced without management and technical review. Subcontract management is necessary to ensure that subcontracted work meets requirements; it also provides an avenue for recovery should the subcontractor's performance fail to meet requirements. The assurances that software development processes provide to the technical management team making a certification recommendation to executive management should be considered.
Executive management should solicit certification recommendations from the discipline experts or technical managers (e.g., certification for the physical environment from industrial security or the facility manager, or system certification from the software project manager).

Organizational Process Assurances

Organizational process assurances monitor the product assurance processes for corruption. Common implementations of organizational processes include program management, audit, risk management, internal control systems, corrective action systems, contract review, internal quality audits, and the use of statistical tools for metrics collection and use. For computer systems products, the acquiring organization may have little visibility into the organizational processes. If the developing organization and its processes are well known (e.g., when the developer is another part of the organization), the product-using organization may be able to accept some of the risk of a reduced testing regime based on its knowledge of the developer's assurances and an examination of the testing results.

Several indications may be drawn from the presence or absence of International Organization for Standardization (ISO) 9000 certification (an international quality certification program) and from whether the organization has been through a software capability evaluation (e.g., as part of a government contract proposal). If the organization claims ISO 9000 (i.e., 9001, 9002, or 9003) certification, a copy of the scope statement should be obtained. The scope statement identifies the extent of the certification; the certification may include software development activities. ISO 9000 certification states that the organization performs the stated objectives for the processes covered in the scope statement. The certification process also provides for regular recertification to ensure that the quality implied by ISO 9000 is actively maintained. This certification does not mean that the company puts out a quality product, nor does it mean that the processes are necessarily productive. It does mean that the organization has processes and that it follows its documented processes. This implies that if a copy of the organizational assurance processes can be obtained from an ISO 9000 certified product developer whose scope statement includes software development, the developer may be following those processes. This adds a significant measure of evidence to support the decision made regarding the use and testing of the software product.

For an independent evaluation of the effectiveness or maturity of processes, the security professional may be able to use the results of evaluations or assessments against the Software Engineering Institute's (SEI) Capability Maturity Model (CMM). An SEI software capability evaluation is performed to support the selection of a contractor for some government contracts. An assessment is usually performed by the contractor itself to determine whether it meets the CMM standard. In general, most assessments have been found to be at least one level higher than the subsequently evaluated level. If a contractor claims to have been evaluated at SEI level 3, then the product user knows (if the evaluation can be substantiated) that the product developer at the time of the evaluation had a mature development organization with organizational-level standards and procedures for configuration management, QA, training, project management, subcontract management, and software development.
Similarly, if the developer claims to have been assessed at SEI level 3, it is more likely to have project-oriented maturity with defined processes. Substantiating the results of an assessment can only be achieved by having the developer prove these findings. The developer may be unwilling to do that because it may pinpoint company weaknesses. This issue highlights a significant difference between ISO 9000 certification and SEI evaluations and assessments. ISO 9000 results are intended to be shared with potential customers, whereas SEI evaluations and assessments are intended to be used only in relation to a specific contract proposal. Therefore, SEI evaluations represent only the state of the contractor in relation to the proposal that required the evaluation. Although the criteria of the SEI evaluations and assessments are more useful to the user of a product in determining the details of key assurance processes, the static nature of the evaluations and assessments and their strong binding to specific contract proposals weaken the criteria's usefulness as a general assurance meter. However, if the system developer has ISO 9000 certification and a previous SEI evaluation, the product user can confidently use the SEI evaluation to support decisions to use the product and reduce the extent of product testing for products with no perceived severe losses. In the case of products with potentially severe losses, another form of organizational assurance can be acquired through an external audit. This form of assurance requires the cooperation of the product developer; it is only possible if the nature of the product makes this a reasonable request. If little is known about the organizational assurances, the rigor and thoroughness of testing should be increased.

Product Assurance

Product assurance is the core of the quality task, with processes defined for each life cycle phase.
Product assurance ensures that the product does what it is supposed to do, that the product does it as well as was expected, and that the product shipped is what it is supposed to be (e.g., all product components are present, it is not an older version, it is not a test version, and it does not contain a virus). Product assurance examples include life cycle reviews (e.g., design reviews, inspections, and peer reviews) and such processes as requirements management and configuration management. The results of these assurances are produced by the developers. The previous comments regarding ISO 9000 and SEI evaluations also apply to product assurance. Similarly, if the developer's product assurance measures are appropriate to the potential for loss, then the product user may be able to reduce the rigor and extent of its own product assurances, as long as the user can validate that the product received is the product tested by the developer. Traditional methods include the concept of bonded software (QA locking the certified product in a penetration-resistant case using a serial-numbered metal band) or storage in a protected library. Newer technologies include the use of digital signatures or cryptographic checksums. Measures that are less expensive and less effective may be appropriate for systems products with less severe potential losses. These measures include site visits, sitting in on development meetings, discussions with the technical staff, and interviews. These assurances are more qualitative than quantitative, but they may add confidence or weight to other assurances.

Personnel Assurances

Personnel assurances include a comprehensive training program that provides instruction from the awareness level up to and including the cognitive level. To provide assurance, the training should be provided to meet clearly stated, testable objectives. To develop a comprehensive training program, the tasks and skills necessary to meet the organization's needs should be identified. The tasks and skills should also be expressed in terms of roles and responsibilities. Critical roles and responsibilities (including those that are critical during disaster recovery or emergency conditions) should be identified. Roles requiring special attention (e.g., separation of duty, position certification, or professional certification) should be identified.
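The cryptographic checksum approach mentioned under Product Assurance, as an added example that is not from the article: the developer's QA records a SHA-256 manifest of the tested release, and the receiving organization checks the delivery for completeness, version, and unaltered content, which covers the "not an older version, not a test version, all components present" conditions above. The product name, file names, and file bytes are constructed; the example assumes the manifest itself arrives over a channel the user trusts (in practice a digital signature over the manifest would give that assurance), so it verifies only the manifest's contents.

```python
"""Constructed example of checksum-based product assurance (not the article's code).

Assumptions (mine): the developer ships a manifest listing the product, the
tested version, and a SHA-256 digest per component; the receiving organization
compares the delivered package against it. Components are in-memory byte
strings so the example runs offline.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Manifest:
    """What QA records after testing: product, tested version, digest per component."""
    product: str
    version: str
    digests: dict  # component name -> hex SHA-256 of the tested component


@dataclass
class Verdict:
    ok: bool = True
    problems: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(product: str, version: str, components: dict) -> Manifest:
    """Developer side: digest every component of the product that passed testing."""
    return Manifest(product, version, {n: sha256_hex(b) for n, b in components.items()})


def verify_delivery(manifest: Manifest, package_version: str, delivered: dict) -> Verdict:
    """Receiving side: is the package received the product the developer tested?

    Reports each condition the article lists as a product-assurance failure:
    wrong (older or test) version, missing components, and components whose
    content differs from what was tested. It also reports extra files QA never
    saw, since they fall outside the tested configuration.
    """
    v = Verdict()
    if package_version != manifest.version:
        v.problems.append(
            f"version mismatch: package says {package_version!r}, manifest says {manifest.version!r}")
    for name in sorted(manifest.digests):
        if name not in delivered:
            v.problems.append(f"missing component: {name}")
    for name in sorted(delivered):
        if name not in manifest.digests:
            v.problems.append(f"unexpected component: {name}")
        elif sha256_hex(delivered[name]) != manifest.digests[name]:
            v.problems.append(f"digest mismatch: {name}")
    v.ok = not v.problems
    return v


# Constructed sample product; the bytes are stand-ins, not any real vendor's files.
TESTED_COMPONENTS = {
    "dbms.bin": b"\x7fELF constructed binary stand-in, release build",
    "install.sh": b"#!/bin/sh\necho installing\n",
    "README": b"ExampleDBMS 4.2 release notes\n",
}
TESTED_MANIFEST = build_manifest("ExampleDBMS", "4.2", TESTED_COMPONENTS)


def demo_clean() -> Verdict:
    """Delivery identical to what QA tested: no problems."""
    return verify_delivery(TESTED_MANIFEST, "4.2", dict(TESTED_COMPONENTS))


def demo_tampered() -> Verdict:
    """A test build shipped by mistake: one file altered, one missing, one extra."""
    delivered = dict(TESTED_COMPONENTS)
    delivered["dbms.bin"] += b"\x00debug hook"  # bytes are immutable; the original is untouched
    del delivered["README"]
    delivered["debug.log"] = b"trace output left in the package\n"
    return verify_delivery(TESTED_MANIFEST, "4.2-test", delivered)


if __name__ == "__main__":
    for label, verdict in (("clean", demo_clean()), ("tampered", demo_tampered())):
        print(label, "OK" if verdict.ok else "REJECT")
        for p in verdict.problems:
            print("  -", p)
```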
Clearances and personnel performance reviews also provide assurance. For security-related products with less severe potential losses, more credibility can be given to development teams led by a Certified Information Systems Security Professional (CISSP) or composed of personnel with other appropriate certifications. For systems products with severe potential losses, it is recommended that an official description of the development organization's roles, responsibilities, required clearances, internal controls guaranteeing separation of duty, and key position qualifications and credentials be identified.

Financial Assurances

Program management reviews address financial assurances. A company's inability to manage its finances can cause a development program to fail. Subcontract management is another facet of the financial assurances. Cost and schedule program data are used to project expenses so that management can react to financial conditions and trends before they become program-threatening incidents. The source selection process may give weight to such items as financial stability when making the selection. The loss of financial stability of either the prime contractor or its subcontractors could threaten the customer's ability to maintain the system after delivery, and it has the potential to reduce the quality of the product in response to financial pressures. If the intended use of the product does not require periodic updates or deficiency resolution from the developer, then financial assurances may not be necessary. If the product is easily replaced by another similar product, then financial assurance is unnecessary. However, if the product serves a critical function (e.g., availability) or a sensitive function (e.g., integrity), or if the developer provides a key management service supporting confidentiality whose failure could result in severe loss, then some financial assurances should be pursued, preferably before acquisition.
Some management aspects of financial assurance can be derived from the availability of SEI CMM evaluation results regarding project management and subcontract management. Other financial assurances can be gained by reviewing the developer's annual report, financial statements, stock ratings, other indicators from Standard & Poor's and Dun & Bradstreet, and court filings for bankruptcy. A knowledgeable CPA should be consulted for other available indicators of financial stability.

Operations Assurances

To preserve the quality delivered with the system, the operations community should have processes for receiving, handling, storing, installing, testing, and accrediting the system for operation. The operations community should conduct tests and inspections from an operations perspective to ensure that normal operations perform as expected. In addition, the operations community should develop, publish, and test plans for disaster recovery, continuity of operations, and end-user contingency planning.

Physical Environment Assurances

The physical environment of the operations and development sites can affect the safeguard selection process. A sensitive application, such as NASA's mission control, is usually located in a controlled access area (i.e., an area that is not accessible to the public). Any additional safeguards required should be considered. A system's certification and accreditation to operate are only valid for a specific physical environment. For systems that are developed for general use or for many different user communities, the developers should clearly describe the physical environment assumptions and expectations used when developing the product.

Logical Environment Assurances

With logical environment assurances, the developer documents the environments in which the product is expected to execute successfully.
The logical environment includes restrictions (e.g., minimum memory required, maximum records supported, export restrictions), limitations (e.g., supports text files only, specific device requirements), devices tested on, devices not tested on but expected to work, compatibility issues, and preferred, required, or alternative system parameter settings.

Risk and Vulnerability Assurances

It is not possible to protect a system against all potential threats and exploitable vulnerabilities. Managers use risk management to select the set of potential threats and vulnerabilities that should be addressed. Security professionals determine the value of assets by examining the nature of each asset and its actual or proposed use. This assesses the value to the organization as well as the potential value to those who might exploit the organization, the existence of vulnerabilities, the frequency of each threat, the potential impact of each threat, and the exploited vulnerability. They may also determine and use a measure of the certainty of the data used and collected. From this information, security professionals may recommend to management a set of potential threats and vulnerabilities to address and a set of proposed safeguards. The contents of these two sets depend on the reliability of the data used to make the decisions. In the case of threat and vulnerability data, no certified sources of information are evident. Therefore, certifying the supporting data consists of documenting its source and selecting information by which to judge its credibility, currency, and accuracy.
External Interface Assurance

Interfaces with other systems and organizations are a potential source of problems for system developers. To minimize the problems from external interfaces, developers create and maintain interface specifications and interface control documents for rigorous interface control. Memorandums of agreement or understanding are created for less rigorous interface control. Systems products may also have documentation or supporting code for developers that includes interface definitions. This may take the form of application programming interfaces or of documents that describe file and field formats. Documented external interfaces may allow product users to conduct black-box testing. External interface assurances may provide all forms of integrity, availability, and confidentiality assurance. Other forms of assurance may exist within an organization's development processes (e.g., maintainability, timeliness, responsiveness, documentation, usability, communications, and legality). Following the pattern used for the above assurances, an organization would develop equivalent measures that can be taken for systems products for each form of assurance that is unique to the organization (or otherwise missing from the preceding list).

Applying Certification Concepts

ISO 9000 describes a series of concerns that a manufacturer should address regarding the certification of materials acquired for use in the manufacturing process. In software, the corollary to acquired materials is externally developed software and data. As the ISO 9000 standard recognizes, an organization cannot reasonably claim a product is certified unless all internally and externally developed components have been certified for a specified purpose. However, with planning it is possible to certify a product in stages.
In the case of software, the product can be certified for general use within an organization (i.e., data has been gathered and some tests have been run and documented that do not have to be repeated when a department performs specific certification of the product). In some cases, general certification may cover all or most of a department's concerns. There may be no need for certification based on the general use of the product (e.g., a database management system [DBMS]). However, if that DBMS is used to dispense drugs to patients, for example, the concerns for integrity, privacy, and availability fuel a need to certify the DBMS for this intended use. The security professional then determines the degree and type of certification to recommend by examining the general use of the product and the intended use of the product for the type and severity of potential loss. The following is a summary of the tasks essential to certifying systems-related products:

- Determining the type and degree of certification required for general use of the product:
  - Determining the types of potential losses that could result from general use.
  - Estimating the range of severity.
  - Developing likely loss scenarios.
- Determining the type and degree of certification required for the intended use of the product:
  - Determining the types of potential losses that could result from the intended use.
  - Estimating the range of severity.
  - Developing likely loss scenarios.
- Gathering identification and assurance information about the systems product and developer.
- Prescribing tests on the basis of the type of loss, the severity, likely loss scenarios, and the available assurance information.
- Conducting tests.
- Prescribing corrective action activities on the basis of test results, assurance data, potential types of losses, and potential severity.
- Managing the proposed corrective actions for approval.
- Executing the corrective action activities approved by technical management.
- Preparing and delivering the certification briefing to management.
- Changing the version designator for each product to indicate certification.

Recommended Course of Action

Software that has been developed outside of the organization's control presents particular concerns to the security practitioner. The certification concepts and the different types of assurances described in this article form a basis from which to evaluate this type of software. By reviewing the information provided, the security practitioner can ensure that certification for externally developed software follows the correct process. The second article in this series provides a checklist by which this software can be evaluated.

The author would appreciate hearing about experiences in implementing this or related efforts regarding externally developed software. The author may be contacted at the following address and phone number: Craig A. Schiller, Fathom Lane, Houston.

Author Biographies

Craig A. Schiller is a senior analyst for PARANET, Inc. In addition, he is the cofounder of an automated information system security engineering team for NASA's Johnson Space Center, of NASA's technology for information security conference, and of the Texas Gulf Coast chapter of the ISSA.
More informationIBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security
IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationInformation Security Specialist Training on the Basis of ISO/IEC 27002
Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More information8. Master Test Plan (MTP)
8. Master Test Plan (MTP) The purpose of the Master Test Plan (MTP) is to provide an overall test planning and test management document for multiple levels of test (either within one project or across
More informationAdobe PDF for electronic records
White Paper Adobe PDF for electronic records Digital signatures and PDF combine for definitive electronic records and transactions Contents 1 PDF and electronic records 2 Digital certification 3 Validating
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationMission Assurance and Security Services
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationComputer Security Lecture 13
Computer Security Lecture 13 Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationPHASE 9: OPERATIONS AND MAINTENANCE PHASE
PHASE 9: OPERATIONS AND MAINTENANCE PHASE During the Operations and Maintenance Phase, the information system s availability and performance in executing the work for which it was designed is maintained.
More informationSOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT
SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT Mar 31, 2014 Japan Aerospace Exploration Agency This is an English translation of JERG-2-610. Whenever there is anything ambiguous in this document, the original
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationMASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY
MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY HTTP://SCIENCE.HAMPTONU.EDU/COMPSCI/ The Master of Science in Information Assurance focuses on providing
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationSoftware Testing. Knowledge Base. Rajat Kumar Bal. Introduction
Software Testing Rajat Kumar Bal Introduction In India itself, Software industry growth has been phenomenal. IT field has enormously grown in the past 50 years. IT industry in India is expected to touch
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationDisaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery
Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and
More informationNetIQ FISMA Compliance & Risk Management Solutions
N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR
More informationHUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
More informationBrainloop Cloud Security
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationHigh Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe
2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information
More informationRisk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.
Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C. Burget September 14, 2014 1 Agenda Information Assurance
More informationPurchase College Information Security Program Charter January 2008
January 2008 Introduction When an organization implements an information security program, it raises the question of what is to be written, and how much is sufficient. SUNY Information Security Initiative
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act Report October 27, 2009 Reference Number: 2010-20-004 This
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationThe Next Generation of Security Leaders
The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationWHITE PAPER. Mitigate BPO Security Issues
WHITE PAPER Mitigate BPO Security Issues INTRODUCTION Business Process Outsourcing (BPO) is a common practice these days: from front office to back office, HR to accounting, offshore to near shore. However,
More informationDOE O 226.1A, IMPLEMENTATION OF DEPARTMENT OF ENERGY OVERSIGHT POLICY CONTRACTOR ASSURANCE SYSTEMS CRITERIA ATTACHMENT 1, APPENDIX A
DOE O 226.1A, IMPLEMENTATION OF DEPARTMENT OF ENERGY OVERSIGHT POLICY CONTRACTOR ASSURANCE SYSTEMS CRITERIA ATTACHMENT 1, APPENDIX A DEFINITIONS Assurance systems encompass all aspects of the processes
More informationReview of the SEC s Systems Certification and Accreditation Process
Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy
More informationCMS Information Security Risk Assessment (RA) Methodology
DEPARTMENT OF HEALTH & HUMAN SERVICES Centers for Medicare & Medicaid Services 7500 Security Boulevard, Mail Stop N2-14-26 Baltimore, Maryland 21244-1850 CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS)
More informationHow To Improve Nasa'S Security
DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL
More informationWhite Paper from Global Process Innovation. Fourteen Metrics for a BPM Program
White Paper from Global Process Innovation by Jim Boots Fourteen Metrics for a BPM Program This white paper presents 14 metrics which may be useful for monitoring progress on a BPM program or initiative.
More informationState of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO
Policy: Information Security Audit Program Issued by the CTO Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 1 of 12 1.0 PURPOSE The West Virginia Office of Technology (WVOT) will maintain an
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More information2014 Audit of the Board s Information Security Program
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
More informationOhio Supercomputer Center
Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More information5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 17 IT Security Controls, Plans and Procedures First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Implementing IT Security
More informationInternational Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research)
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise
More informationMANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY
MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology
More informationSoftware Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201
PURCHASE ORDER ATTACHMENT Q-201A Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201 1. A qualified employee shall be selected by the Software Quality Manager
More informationFundamentals of Measurements
Objective Software Project Measurements Slide 1 Fundamentals of Measurements Educational Objective: To review the fundamentals of software measurement, to illustrate that measurement plays a central role
More informationWhat do you think? Definitions of Quality
What do you think? What is your definition of Quality? Would you recognise good quality bad quality Does quality simple apply to a products or does it apply to services as well? Does any company epitomise
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationThe Advantages of ISO 9001 Certification
Standards, d Certification and Regulations Reprisal: Types of Requirements Functional requirements: requirements that specify a function that a system or system component must be able to perform The watch
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationEvaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
More informationRe: SEC Proposed Rule Regulation SCI SEC File No. S7-01-13; Release No. 34-69077
Ms. Elizabeth M. Murphy Securities and Exchange Commission 100 F Street, NE Washington, D.C. 20549 Re: SEC Proposed Rule Regulation SCI SEC File No. S7-01-13; Release No. 34-69077 Dear Ms. Murphy, I are
More informationCamber Quality Assurance (QA) Approach
Camber Quality Assurance (QA) Approach Camber s QA approach brings a tested, systematic methodology, ensuring that our customers receive the highest quality products and services, delivered via efficient
More informationCredit Card Related Merchant Activities
Credit Card Related Merchant Activities Standards Examiners should evaluate the above-captioned function against the following control and performance standards. The Standards represent control and performance
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationSHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
More informationDepartment of Public Utilities Customer Information System (BANNER)
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
More information