ASU Web Application Security Standard
Spring 2014
1 PURPOSE

This standard seeks to improve the security of ASU Web applications by addressing the following:

* Threat modeling and security testing
* Web application criticality and the associated review process
* Web application Sign-Off/Approval process

2 SCOPE

This standard applies to all ASU web applications, including:

* Web sites on ASU managed networks, including wireless
* Web sites that include asu.edu in their DNS hostname
* Web sites using Arizona State University's registered trademarks, service marks, word marks, or logos, including Arizona State University, ASU, the seal, or the athletic mascot Sparky (reference the communications guide)

3 DEFINITIONS

The following are common terms that will occur throughout this document.

Availability Rating
Availability rating is a business-based classification, a rating that is based entirely on ASU's assessment of the importance of the site's availability for ASU's business continuity.

* Tier 1 - core web sites that are vital to all of ASU. This set of applications will be defined by the CIO and CISO in conjunction with ASU's executive leadership. Circumstances that could indicate a Tier 1 rating include:
  * ASU cannot do business if this web site is down.
  * Many other ASU systems rely on this web site being available.
  Tier 1 examples include enterprise student learning management systems, payroll systems, student administration systems, the ASU home page, e-mail, and the authentication systems that support these systems.
* Tier 2 - enterprise-wide systems relied upon by most students or employees, such as MyASU, and other online learning systems used in for-credit classes.
* Tier 3 - sites including department-specific applications and all other applications.

Centralized
A centralized Web application is a Web application that is developed, hosted, and managed within the University Technology Office (UTO). These applications may have been developed at the request of an external source.
Core Application Security Review Team
This team is organized by the Information Security Office and is convened to review application criticality ratings. The team typically includes members of the Information Security Office, UTO application development, UTO operations, and members of the University's decentralized development community as appropriate.

Criticality Rating
The criticality rating is the overall web site rating, which combines both the data rating and the availability rating to determine an overall rating. See the table in section 4.2 for an example.
Data Rating
Data Rating is the rating of a web site based on the data included on the site, in accordance with ASU's Data Handling Standard. Web site data rating is determined by the data classification as follows:

* If a web site has access to Highly Sensitive data, or can modify Sensitive or Highly Sensitive data at the authoritative source, the site's data rating is High.
* If a web site has access to Sensitive data but is not rated High, the site's data rating is Medium.
* If a web site has access to Internal data, but not Sensitive or Highly Sensitive data, the site's data rating is Medium-Low. The expectation is that this rating (or higher) applies to all sites that are protected by passwords or other forms of authentication.
* If a web site has no access to data other than Public data, the site's data rating is Low. These sites do not prompt for a password or use other types of authentication.

Decentralized
A decentralized Web application is a Web application that is owned, developed, hosted, or managed through individual departments or units at ASU and is not centrally coordinated by UTO.

Financial Applications
The ASU financial applications are defined as the ASU Advantage system and specific modules within the Oracle/PeopleSoft Student Administration System and HR/Payroll System, as defined and reviewed in the 2008 Auditor General Financial Audit. All of these systems except Advantage are Web applications.

Legitimate Purpose
A web site on ASU's network should further some aspect of the University's mission, such as providing education or services to students, supporting funded research projects, or enabling University business administrative functions.

Official Scan
An official scan is a scan that has been performed by a member of the Web Scanning Team.
The Web Scanning Team is composed of the following two groups:

* UTO Operations
* Information Security Office

These groups provide the service of conducting official scans on Centralized Web Applications, Decentralized Web Applications, and Hosted Web Applications in the production and QA environments. Decentralized departments may be approved to conduct their own official scans, provided that the tool that will be utilized is comparable to the current University-designated scanning tool and the request is approved by the Information Security Office.

Production Instance
The production instance of a web site is the one that is intended to be available for business use.

QA Instance
The QA (Quality Assurance) instance of a web site is intended for final testing before a new web site or significant change is released to the production instance. It is expected that the QA site will be as identical to the current or proposed production site as possible, with the exception that the QA site uses test data. Also, a QA site is expected to deliver test communications, including e-mail, to test users.

Security Testing
Security testing seeks to uncover any vulnerabilities that were previously unseen and to confirm that mitigation plans and strategies have been successful.

Significant Change
A significant change is any change, including a code fix, that creates or alters executable code, whether the code runs on a server, in a Web browser, or elsewhere. A cosmetic change, including changes in text, formatting, or color, is typically not considered significant for the purposes of this definition.
Steward
An ASU employee who is responsible for a web site on ASU's network from a business perspective, and who ensures that the site exists for a legitimate purpose and meets ASU's security requirements.

Technical Administrator
An ASU employee or contracted third party with the skill and availability to maintain a web site, including timely and effective response to security issues. The Technical Administrator is the lead technician for a web site, and could also serve in the role of lead developer or system administrator.

Threat Modeling
Threat modeling is a process to identify potential risks in an application and potential steps to mitigate those risks.

URL Path
The URL Path is the portion of the URL before the ? and query string, or before the # and fragment identifier. If neither the ? nor the # is present, the URL Path is the entire URL.

Web Application
A Web application is any Web site that uses server-side logic to determine what information is sent to the user's Internet browser based on data from a database or a Web service. A site with a URL that receives data from a form typically includes server-side logic to process that data, and is considered a web application.

Web Site
A Web Site is a collection of one or more URLs that respond to requests using the hypertext transfer protocol. A typical web site will have a starting URL that provides links allowing authorized users to navigate, directly or indirectly, to the other URLs available on the site. Many web sites reside entirely on a single web server or even within a single subdirectory on a web server.

4 STANDARD

ASU has a broad set of security standards for web applications, including security testing, the Web application criticality review and governance process, and the Web application sign-off/approval process. All ASU web sites should have:

* A legitimate purpose,
* An identified steward from the appropriate department,
* A technical administrator,
* Reasonable security measures in place.
Sites that do not meet these criteria may be removed from ASU's network. ASU maintains a web application inventory that is modified as applications are added or decommissioned and is reviewed periodically. Stewards, technical administrators, and developers should be clearly identified by department heads and updated as staffing or functional roles change. Web site stewards or technical administrators should ensure that their applications are accurately reflected in the web application inventory.

4.1 Security Testing

All web sites should undergo security testing commensurate with their criticality ratings and any risk a security breach may pose to the site or to other ASU systems. Every URL Path should be tested. If it accepts parameters through a query string or HTTP POST, the URL Path should be tested with a representative sample of valid, invalid, and potentially malicious parameters. Testing may be automated or manual, but there are many advantages to automated testing, including lower labor costs. Manual testing should be at least as thorough as automated testing would be. An example of automated testing is running a web scanning tool that is designed to test for a broad spectrum of potential security risks.
Potential security risks include:

* Risks identified by industry security standards, such as the Top Ten Web Application Vulnerabilities identified by the Open Web Application Security Project (OWASP).
* If it is possible for a web browser, hacker, or user to send requests that cause a web server to crash, hang, or otherwise stop providing service.
* If a web site accepts and stores data or other changes that are harmful to the database or to other users of the site.
* If there is no way to audit or recover from malicious changes to data.
* If a web page can be abused to send SPAM or other excess volumes of e-mail.
* If a web page deliberately or inadvertently prevents scanners or penetration testers from effectively testing the page.
* Other risks as identified by business rules or the project team.

If an issue is not assigned a severity by a scanning tool or an external penetration testing firm, by default the issue severity is "Medium".

Security testing should commence:

* Before the launch of a new web site
* Before a significant change to a web site
* Upon request from the CIO, CISO, scanning team, sponsors, technical administrators, or developers of a web site
* When there are security concerns, including active threats, security events, or security incidents

4.2 Security Testing Routine Maintenance Schedule

Ongoing testing should occur throughout the life of an application. The minimum scanning schedule includes:

Criticality | Data Rating                                                             |     | Availability Rating              | Scanning Schedule
------------|-------------------------------------------------------------------------|-----|----------------------------------|------------------
High        | High - Highly Sensitive / Sensitive data (updates authoritative source) | or  | Tier 1 - Mission Critical        | Every 6 months
Medium      | Medium - Sensitive data                                                 | or  | Tier 2 - Enterprise Applications | Once a year
Medium-Low  | Medium-Low - Internal data                                              | and | Tier 3 - All other               | Periodic
Low         | Low - Public data                                                       | and | Tier 3 - All other               | Periodic

The Web Scanning Team should select web sites for scanning according to the schedule above.
For sites with a data rating of Medium-Low or Low and an availability rating of Tier 3, the Web Scanning Team should randomly select and scan sites on a regular basis. If a selected web site cannot be scanned, the required security testing should be conducted through other tools or handled manually. If a production site is not able to be scanned, a QA instance that meets the definition of a QA instance from the ASU Web Application Security Standard, or a clone of the production site, should be scanned or manually tested. If a web site is hosted by a third party service provider (not hosted on ASU's network), an automated or manual test should be coordinated with the third party service provider. The results of the scan should be submitted to InfoSec@asu.edu upon completion.
4.3 Threat Modeling and Security Testing

All new Web applications, or significant changes to an existing Web application, should use a set of threat modeling procedures during development and require security testing prior to a production migration. For a Web application with a Criticality rating of High, security testing should include an official scan or third party penetration test. For Medium Criticality Web applications, an official scan is highly recommended. A Web application rated Medium-Low or Low may use scanning as the means of security testing, or its documented security testing plan.

Packaged applications, while still requiring security testing, may have modified security testing requirements. An example is a Web application whose architecture inherently protects it from potential security risks; such applications generally do not require official scanning as part of the security testing process. See the Web Application Security Testing Guidelines for details about scanning.

Web applications should pass security testing, preferably in a QA environment, before being released to production. All threat modeling and security testing should include a documented plan describing the tests that were performed and the results of those tests. The procedures for these development steps will be identified by the development groups to include their products and/or project teams. See the Web Application Security Testing Guidelines for more details regarding suggested threat modeling and security testing procedures.

The Information Security Office will approve procedures by using standard security guidelines, such as the OWASP Top 10 Vulnerabilities, as a baseline for approval. Development groups and project and/or product teams are responsible for submitting new or altered security procedures as required by the Information Security Office. Details on Threat Modeling and Security Testing should be submitted to InfoSec@asu.edu.
4.4 Web Application Criticality and Availability Review Process

Initial classification
Applications are initially classified by the Technical Administrators or responsible developers. Those who participate in the creation or support of an ASU Web application should perform an initial self-evaluation and propose an initial data and availability classification based on this document. The criticality rating of a new application should be recommended prior to the scheduled go-live date.

Classification Review
The Core Application Security Review Team is to act as an oversight committee for the periodic review of Web application criticality, updating classifications as necessary. The Core Application Security Review Team should include the appropriate decentralized development community members during the classification review of decentralized Web applications to ensure that proper classification occurs. A Web application should be reviewed and updated off cycle if its Data Classification changes due to a code migration, or if there are changes in the criteria documented in this standard. The review would typically be initiated by the project team or technical administrator.

4.5 Web Application Sign-Off / Approval

For all High Criticality Web applications, or any financial Web application, proper development documentation and approval steps are required during the sign-off/approval process prior to migrating new Web applications or significant changes to the production environment. Technical approvals should include the necessary level of security testing, as described in the Threat Modeling and Security Testing section of this standard, and all issues identified by security testing and not classified as low risk should be addressed.
The documentation requirements for financial applications consist of the following items:

* A user request
* Functional specification
* Test plan with results
* Functional approval
* Technical approval

For High Criticality applications that are not financial applications, the documentation requirements are:

* Functional approval
* Technical approval

For all other Web applications, a functional and technical review and approval process is recommended.

4.6 Scanning During Critical Processing Freeze

Since a scan does not change a web application, it may be scanned during university-wide critical processing periods. However, High criticality and Tier 1 web applications should not be scanned in production during times that would impact business continuity, for example the semester startup period, which typically consists of the first two weeks of the fall or spring semesters. Application scanning should also take other critical processing periods into account prior to the launch of a scan.

4.7 Responsibility for Security Issues

A web site's steward has primary responsibility for the security of the web site. This includes the responsibility to address all security issues within a reasonable time. Suggested workflows and timelines for addressing discovered issues can be found in the Web Application Security Testing Guidelines. Teams may adopt these guidelines or develop their own (see Section 5). Unless a team has established its own guidelines, approved by the Information Security Office, the Web Application Security Testing Guidelines apply.

When a web site is developed and/or hosted by a third party, an independent entity should evaluate the third party's work to avoid a conflict of interest. The independent entity may be an ASU employee or a separate third party. This separate evaluation should be submitted to InfoSec@asu.edu.

5 GUIDELINES

Project or product teams may define procedures to implement the standards above.
Such procedures should be submitted for approval to the Information Security Office, which in turn will review supplied procedures periodically. The Web Application Security Testing Guidelines can be used as a reference for departments and teams to establish their own procedures.

6 ENFORCEMENT

If a Web application does not comply with this standard and a waiver or extension has not been granted, the Information Security Office may escalate the matter through the appropriate management channels up to the executive level. Furthermore, applications may be shut down until the matter is resolved. Violations of this standard may lead to disciplinary actions.

In some circumstances, compliance may not be immediately possible. Under those circumstances, academic or business units should confer with the Information Security Office to develop a plan for moving into compliance with this standard within a reasonable amount of time.
If a department or entity does not agree with this standard, a formal document describing the concern should be submitted to the Information Security Office via infosec@asu.edu. The concern or issue will be raised to the executive level for resolution.

7 STANDARD REVISION

This standard is subject to review and revision at the direction and approval of the Chief Information Security Officer. To offer suggestions and/or recommendations, contact the Information Security Office at infosec@asu.edu.
WEB APPLICATION SECURITY TESTING GUIDELINES

These guidelines were developed to support the Web Application Security Standard. Please refer to this standard for additional information and/or clarification.
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationInformation Technology Policy
ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose
More informationCITY UNIVERSITY OF HONG KONG Change Management Standard
CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in September 2015) PUBLIC Date of Issue:
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationG-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service
G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service 1 Table of contents 1. Scope of our services... 3 2. Approach... 4 a. HealthCheck Application Scan... 4
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationAchieving Security through Compliance
White Paper Achieving Security through Compliance Policies, plans, and procedures Part I By Jeff Tucker, Principal Security Consultant McAfee Foundstone Professional Services Table of Contents Overview
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationAcunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.
Acunetix Web Vulnerability Scanner Getting Started V8 By Acunetix Ltd. 1 Starting a Scan The Scan Wizard allows you to quickly set-up an automated scan of your website. An automated scan provides a comprehensive
More informationOnline Compliance Program for PCI
Appendix F Online Compliance Program for PCI Service Description for PCI Compliance Monitors 1. General Introduction... 3 2. Online Compliance Program... 4 2.1 Introduction... 4 2.2 Portal Access... 4
More informationSimply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.
ICSA Labs Web Application Firewall Certification Testing Report Radware Inc. V5.6.4.1 May 30, 2013 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com WAFX RADWAREINC-2013-0530-01
More informationINFORMATION TECHNOLOGY RISK MANAGEMENT PLAN
10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:
More informationVulnerability Management Policy
Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully
More informationSpecific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationIntel Security Certified Product Specialist Security Information Event Management (SIEM)
Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking
More informationProtect the data that drives our customers business. Data Security. Imperva s mission is simple:
The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent
More informationComputer Security Incident Reporting and Response Policy
SECTION: 3.8 SUBJECT: Computer Security Incident Reporting and Response Policy AUTHORITY: Executive Director; Chapter 282.318, Florida Statutes - Security of Data and Information Technology Resources;
More informationDecember 21, 2012. The services being procured through the proposed amendment are Hosting Services, and Application Development and Support for CITSS.
Justification for a Contract Amendment to Contract 2012-01: Interim Hosting and Jurisdiction Functionality for the Compliance Instrument Tracking System Service (CITSS) December 21, 2012 Introduction WCI,
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationIBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security
IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationManagement and Use of Information & Information Technology (I&IT) Directive. Management Board of Cabinet
Management and Use of Information & Information Technology (I&IT) Directive Management Board of Cabinet February 28, 2014 TABLE OF CONTENTS PURPOSE... 1 APPLICATION AND SCOPE... 1 PRINCIPLES... 1 ENABLE
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationInformation Security Awareness Training and Phishing
Information Security Awareness Training and Phishing Audit Report Report Number IT-AR-16-001 October 5, 2015 Highlights The Postal Service s information security awareness training related to phishing
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationMobile Device Management for CFAES
Mobile Device Management for CFAES What is Mobile Device Management? As smartphones and other mobile computing devices grow in popularity, management challenges related to device and data security are
More informationWhite Paper: Consensus Audit Guidelines and Symantec RAS
Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with
More informationPDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]
PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More information