Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz
Auburn University at Montgomery (AUM) and ATILIM University, Ankara

Abstract: Software application security risk is of critical importance to modern enterprises and organizations. The very existence of these entities often depends on the successful and secure operation of mission-critical applications; outer space exploration and high-assurance scenarios such as the surgery table are two striking examples. Software application security risk is concerned primarily with how security personnel, facility managers, network personnel, management, and other interested parties rate their experience with the various aspects of software security risk and its overall management and maintenance, including issues such as continuity or availability of service and security design and configuration, to name a few. To address this need, the principal author has built the fundamental (probability- and game-theory-related) computational aspects and an associated automated software tool for quantitative risk management. This tool, the Risk-o-Meter (RoM), provides measurable risk and advice for cost and risk mitigation on vulnerabilities and threats associated with the implementation and operation of software applications.

I. INTRODUCTION

The identification and management of risk is a critical part of operating an IT system. While there are many approaches to identifying and managing risk, many managers focus only on the security of the software and often neglect the other aspects of system operations. Additionally, once all risks are identified, formulating a cost-optimized solution to mitigate undesirable risks to a tolerable level is often an ad-hoc process. In this research, we adopt a model of software application risk that quantifies the user's experience with six crucial aspects of the software application security environment. However, we add an original concept of quantification to the existing model through an algorithm designed by the principal author to calculate the software application security risk index [1]. To accomplish this task, numerical and/or cognitive data was collected to supply the input parameters to calculate the quantitative security risk index for software applications. This paper will not only present a quantitative model but also provide a remedial cost-optimized game-theoretic analysis about how to bring an undesirable risk down to a locally-determined tolerable level.

II. METHODOLOGY

This applied research paper implements a methodology on how to reduce the Software Application Security Risk associated with implementing and operating an Information Technology (IT) system. A software-centered composite security approach is proposed to aid security personnel, facility managers, and network personnel within an organization. In order to control the risk associated with the implementation of an IT system, concepts such as continuity of operations, security design and configuration of the software, the U.S. Department of Defense's Enclave Boundary Defense construct, a system's identification and authentication process, the physical environment where the system will be operated, and the personnel associated with operating the system (to name a few) should be considered. The primary author's innovation, the RoM (Risk-O-Meter), an automated software tool based on game theory, will provide IT managers a measurable assessment of the current security posture of their implemented IT system by detailing associated cost and risk mitigation suggestions for countering identified vulnerabilities and threats associated with the IT system. The RoM will greatly facilitate the assessment and enhancement of the current security of an implemented IT system. Additionally, the Risk of Operation or Unavailability metric, expressed as a percentage out of 100%, will be assessed to provide a remedial cost-optimized game-theoretic analysis to bring an undesirable risk down to a user-determined tolerable level [2]. While the Risk-O-Meter can be applied to virtually any organization subject to systemic threats/vulnerabilities to their business operations, this particular implementation focuses on six key areas critical in ensuring Software Application security.

Continuity: Regardless of the quality of a given software application, continuous and uninterrupted operations are critical for mission-critical applications. In order to achieve such availability, alternate site planning, backup and restoration processes, exercises and drills, enclave boundary defense, and disaster planning have to be considered. Each of these areas must be addressed to ensure optimal user availability of the application.

Security Design and Configuration: This area focuses on secure-by-design and subsequent configuration of the software itself as well as the platform you choose to run the application on. This entails industry best practices for acquisition standards and configuration specifications, as well as compliance testing, operational best security practices, and proper implementation of non-repudiation.

Enclave Boundary Defense: Unless the software application operates in a stand-alone environment, the security defenses of the enclave it runs within are crucial to the overall security health of an application. This is the first line of defense and determines what barriers are in place to prevent unauthorized access to the platform running the application and to ensure authorized access is securely administered. This key area focuses on overall boundary defense, connection rules, remote access, encryption, confidentiality, and proper network and system auditing.

Identification and Authentication: While boundary defenses provide an excellent defense for software systems, one key to a secure system is to ensure that individuals who are allowed access to the application can be identified and authenticated. This key area focuses on account control, use of individual accounts, key management, token-certificate standards, and group authentication.

Physical Environment: While much attention is given to keeping unauthorized/unwanted individuals from gaining access to systems via electronic means, the facilities that house these platforms must also be protected to prevent system compromise. Additionally, the facilities must also be evaluated for their ability to protect the individuals responsible for maintaining the application and ensuring the application remains online and available to users. This key area focuses on the physical protection provided to an application and covers access to the facilities, protection against data interception, emergency lighting and power, use of screen locks, and storage of data/hardware.

Personnel: Personnel, in various forms, are often the biggest threat to software applications. While there are many opportunities for individuals to impact the security of an application while it is being developed, tested and fielded, this area focuses on the personnel that may impact the operational security of an application. This key area focuses on personnel access to information, maintenance personnel, IA training, rules of behavior, and background checks.

While it is critical to ensure that applications are secure-by-design, the daily challenge is to ensure that a given software application remains operationally secure. This research focuses on the areas vital to secure application operations and provides field managers with an analysis they can use to more efficiently secure their operational environments, including cloud [3].
III. VULNERABILITY AND THREAT ASSESSMENT STRUCTURE

As previously noted, six vulnerabilities are assessed: Continuity, Security Design and Configuration, Enclave Boundary Defense, Identification and Authentication, Physical and Environmental, and Personnel. Within each vulnerability category, questions pertain to specific threats and countermeasures. For example, within the Continuity vulnerability, users are asked questions regarding Alternate Sites, Backup and Restoration, and Exercises and Drills threats and countermeasures. Within the Enclave Boundary Defense vulnerability, users are asked questions regarding Boundary Defense, Connection Rules, and Remote Access threats and countermeasures. Within the Physical and Environmental vulnerability, users are asked questions regarding Access to Facilities, Data Interception, and Emergency Lighting threats and countermeasures. See Figure 1 below for the Software Application Security Risk diagram detailing vulnerabilities and threats. The user's responses are then used as input for the RoM to generate a quantitative software application security risk index using a game-theoretical mathematical algorithm.

Figure 1: Software Application Security Risk Tree Diagram (vulnerability nodes and their threat leaves, recovered from the diagram text):
Continuity: Alternate Site; Backup & Restoration; Exercises & Drills; Enclave Boundary Defense; Disaster Planning
Security Design and Configuration: Acquisition Standards; Configuration Specifications; Compliance Testing; Best Security Practices; Non-Repudiation
Enclave Boundary Defense: Boundary Defense; Connection Rules; Remote Access; Confidentiality - Encryption; Auditing
Identification and Authentication: Account Control; Individual Accounts; Key Management; Token-Certificate Standards; Group Authentication
Physical Environment: Access to Facilities; Data Interception; Emergency Lighting; Screen Locks; Storage
Personnel: Access to Information; Maintenance Personnel; IA Training; Rules of Behavior; Background Checks
IV. SAMPLE ASSESSMENT QUESTIONS

Questions are designed to elicit the user's response regarding the perceived risk to software application security from particular threats, and the countermeasures the users may employ to counteract those threats. For example, in the Identification and Authentication vulnerability, questions regarding Account Control include both threat and countermeasure questions.

Threat questions would include:
Is a comprehensive account management process unimplemented?
Are controls lacking to ensure that only authorized users can gain access to workstations, applications, and networks?
During the creation of a new account for a system user, does the registration process leave the required information uncollected?

Countermeasure questions would include:
Are default accounts removed/disabled during installation of servers and workstations?
Are accounts disabled and user IDs and passwords removed within 48 hours of notification that a user no longer requires or is authorized system access?
Do system administrators immediately disable any account through which unauthorized user activity has been detected?

V. RISK CALCULATION AND MITIGATION

Essentially, the users are responding yes or no to these questions. These responses are used to calculate residual risk. Using a game-theoretical mathematical approach, the calculated risk index is used to generate an optimization, or lowering, of risk to desired levels [1]. Further, mitigation advice will be generated to guide security personnel, facility managers, network personnel, management, and other interested parties; more specifically, it identifies in what areas the risk can be reduced to optimized or desired levels (such as from 37% to 27% in the screenshot representing the median response from the study participants). See Figure 2 below for the screenshot of the Median Software Application Security Risk Meter Results Table displaying threat, countermeasure, and residual risk indices, optimization options, as well as risk mitigation advice. For this study, a random sample of 31 respondents was taken. Their residual risk results are tabulated and presented in Appendix A at the end of this paper. Respondents' experience in software application security risk included both corporate and governmental settings.
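The paper describes the assessment structure (Section III: vulnerability nodes with threat leaves, each carrying threat and countermeasure questions) and the calculation step (Section V: yes/no answers turned into a residual risk index, then mitigation advice to bring the index down to a tolerable level) without printing its formula or the game-theoretic optimisation. The following is an added example, written for this page and not code from the RoM tool or its authors. It assumes a Security Meter style aggregation (residual risk as the threat-weighted average of "lack of countermeasure" across all leaves) and replaces the game-theoretic optimisation with a simple greedy pass that flips the "no" countermeasure answer with the best risk reduction per unit cost until the index is at or below the tolerance. The node names follow Figure 1 and the three Account Control threat and countermeasure questions follow Section IV; the answers and the per-fix costs are constructed sample data.

```python
"""Residual-risk index from yes/no survey answers, plus a cost-greedy mitigation pass.

Added example, not the RoM tool's code.  The aggregation formula is an assumption
in the style of the principal author's Security Meter model (threat x lack of
countermeasure, weighted over the tree); the paper itself prints no formula, and
the RoM's game-theoretic optimisation is replaced here by a greedy heuristic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ThreatBranch:
    """Answers for one threat leaf of the tree (constructed sample data).

    threat_yes:  'yes' to a threat question means the weakness is present.
    counter_yes: 'yes' to a countermeasure question means the control is in place.
    fix_cost:    assumed cost to turn each countermeasure answer from 'no' to 'yes'.
    """
    threat_yes: List[bool]
    counter_yes: List[bool]
    fix_cost: List[float]

    def threat_level(self) -> float:
        # share of threat questions answered 'yes'
        return sum(self.threat_yes) / len(self.threat_yes)

    def lack_of_countermeasure(self) -> float:
        # share of countermeasure questions answered 'no'
        return 1.0 - sum(self.counter_yes) / len(self.counter_yes)


Tree = Dict[str, Dict[str, ThreatBranch]]   # vulnerability -> threat -> answers
Fix = Tuple[str, str, int]                  # (vulnerability, threat, countermeasure index)


def residual_risk(tree: Tree) -> float:
    """Assumed formula: residual = sum_ij t_ij * lcm_ij / sum_ij t_ij.

    A threat nobody reports (t_ij == 0) contributes nothing, however weak its
    controls, so spending on it would not move the index.
    """
    weighted = total = 0.0
    for threats in tree.values():
        for br in threats.values():
            t = br.threat_level()
            weighted += t * br.lack_of_countermeasure()
            total += t
    return weighted / total if total else 0.0


def greedy_mitigation(tree: Tree, tolerance: float) -> Tuple[List[Fix], float, float]:
    """Flip 'no' countermeasure answers to 'yes', best risk-reduction-per-cost first,
    until the index is at or below `tolerance` or no flip would lower it.
    Returns (fixes applied, total cost, final residual risk).  Mutates `tree`.
    """
    applied: List[Fix] = []
    spent = 0.0
    current = residual_risk(tree)
    while current > tolerance:
        best: Optional[Tuple[float, Fix]] = None   # (ratio, fix)
        for v, threats in tree.items():
            for name, br in threats.items():
                for q, in_place in enumerate(br.counter_yes):
                    if in_place:
                        continue
                    br.counter_yes[q] = True              # trial flip
                    reduction = current - residual_risk(tree)
                    br.counter_yes[q] = False             # undo
                    if reduction <= 0:
                        continue                          # threat level is zero here
                    ratio = reduction / br.fix_cost[q]
                    if best is None or ratio > best[0]:
                        best = (ratio, (v, name, q))
        if best is None:
            break                                         # tolerance unreachable
        v, name, q = best[1]
        tree[v][name].counter_yes[q] = True
        spent += tree[v][name].fix_cost[q]
        applied.append((v, name, q))
        current = residual_risk(tree)
    return applied, spent, current


def sample_tree() -> Tree:
    """Constructed answers: node names follow Figure 1, the Account Control
    questions follow Section IV; all answers and costs are made up."""
    return {
        "Identification and Authentication": {
            "Account Control": ThreatBranch([True, True, False],
                                            [True, False, False], [3.0, 1.0, 2.0]),
            "Key Management": ThreatBranch([True, False], [False, True], [4.0, 1.0]),
        },
        "Continuity": {
            "Backup & Restoration": ThreatBranch([False, False], [False, False], [2.0, 2.0]),
            "Alternate Site": ThreatBranch([True], [True, False], [1.0, 5.0]),
        },
    }


if __name__ == "__main__":
    tree = sample_tree()
    print(f"residual risk before: {residual_risk(tree):.1%}")
    fixes, cost, after = greedy_mitigation(tree, tolerance=0.40)
    for v, t, q in fixes:
        print(f"  fix: {v} / {t} / countermeasure question #{q + 1}")
    print(f"residual risk after: {after:.1%} at cost {cost}")
```

On the constructed answers the index starts at about 55% and two Account Control fixes (total cost 3.0) bring it to about 35%, under the 40% tolerance; the Backup & Restoration leaf, whose controls are all missing but whose threat questions were all answered "no", is never selected because flipping it cannot lower the index under this weighting.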
Figure 2: Median Software Application Security Risk Meter Results Table (screenshot not reproduced in this text)
VI. CONCLUSION

The Software Application Security Risk Meter breaks new ground in that it provides a quantitative assessment of risk to the user as well as recommendations for mitigating that risk. As such, it will be a highly useful tool for security personnel, facility managers, network personnel, management, and other interested parties seeking to minimize and mitigate software application security risk in an objective, quantitatively based manner. Future work will involve the incorporation of new questions so as to better refine user responses and the subsequent calculation of risk and mitigation recommendations. Minimization and mitigation of software application security risk will greatly benefit not only the organizations deploying the applications, but society at large through the minimization of security breaches leading to monetary loss and ID theft. The Software Application Security Risk Meter tool and its future refinement provide the means to do so, as there are and always will be software application security risks in cyberspace [4,5].

VII. REFERENCES

[1] M. Sahinoglu, Trustworthy Computing, John Wiley.
[2] M. Sahinoglu, An Input-Output Measurable Design for the Security Meter Model to Quantify and Manage Software Security Risk, IEEE Transactions on Instrumentation and Measurement, Vol. 57, No. 6, pp. , June.
[3] K. Hashizume, D. G. Rosado, E. Fernandez-Medina, E. B. Fernandez, An Analysis of Security Issues for Cloud Computing, Journal of Internet Services and Applications, 2013; doi: / t/4/1/5 (Accessed 12/18/2013)
[4] 3/Top-10-Security-Risks (Accessed 12/18/2013)
[5] M. Sahinoglu, L. Cueva-Parra, D. Ang, Game-theoretic computing in risk analysis, WIREs Comput. Stat 2012, doi: /wics, 1205, or/onlinelibrarytps.asp?doi= /wics.1205&ArticleID=961931
Appendix A: Respondent Residual Risk Results Table

SURVEY TAKER | RESIDUAL RISK % | RANKED OVERALL (OUT OF 31) | REMARKS
Company A | | th | 1st out of 11 within Company A
Company A | | st | 11th out of 11 within Company A
Company A | | th | 8th out of 11 within Company A
Company A | | th | 4th out of 11 within Company A (~OVERALL AVERAGE)
Company A | | th | 5th out of 11 within Company A
Company A | | th | 10th out of 11 within Company A
Company A | | th | 9th out of 11 within Company A
Company A | | th | 2nd out of 11 within Company A
Company A | | th | 7th out of 11 within Company A
Company A | | st | 6th out of 11 within Company A (Group Median for Company A)
Company A | | th | 3rd out of 11 within Company A
Company B | | th | 5th out of 11 within Company B
Company B | | nd | 2nd out of 11 within Company B
Company B | | th | 4th out of 11 within Company B
Company B | | th | 6th out of 11 within Company B (Group Median for Company B)
Company B | | st | 1st out of 11 within Company B
Company B | | th | 8th out of 11 within Company B
Company B | | th | 7th out of 11 within Company B
Company B | | th | 10th out of 11 within Company B
Company B | | rd | 3rd out of 11 within Company B
Company B | | th | 9th out of 11 within Company B
Company B | | th | 11th out of 11 within Company B
Company C | | rd | 8th out of 9 within Company C
Company C | | th | 3rd out of 9 within Company C
Company C | | nd | 7th out of 9 within Company C
Company C | | th | 1st out of 9 within Company C
Company C | | th | 5th out of 9 within Company C (Group Median for Company C)
Company C | | th | 4th out of 9 within Company C (= OVERALL MEDIAN)
Company C | | th | 9th out of 9 within Company C
Company C | | th | 6th out of 9 within Company C
Company C | | th | 2nd out of 9 within Company C

Table 1. Companies (A, B, C) Survey Results for the Risk-O-Meter study, ranked within and overall, where Median: 37.06% (C6) and Average: 38.58% (A4: 39.47% is the result that comes the closest). The per-respondent residual risk percentages and overall rank numbers did not survive extraction; only their ordinal suffixes remain.
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationThis policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.
STATE OF OHIO SUBJECT: PAGE 1 OF 9 DRC Sensitive Data Security Requirements NUMBER: 05-OIT-23 DEPARTMENT OF REHABILITATION AND CORRECTION RULE/CODE REFERENCE: RELATED ACA STANDARDS: SUPERSEDES: 05-OIT-23
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationFour Top Emagined Security Services
Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security
More informationDynamic Query Updation for User Authentication in cloud Environment
Dynamic Query Updation for User Authentication in cloud Environment Gaurav Shrivastava 1, Dr. S. Prabakaran 2 1 Research Scholar, Department of Computer Science, SRM University, Kattankulathur, Tamilnadu,
More informationBALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN
BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationCLOUD MIGRATION. Celina Alexandre M6807
CLOUD MIGRATION M6807 S Content 1. Introduction 2. Methodology 3. Requirements Definition Phase 3.1. Strategy 3.2. Knowledge 06/05/15 2 Content 4. Analysis Phase 4.1. Aplications and Systems 4.2. Development
More informationOhio Supercomputer Center
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
More informationUSING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES
Christina Kormos National Agency Phone: (410)854-6094 Fax: (410)854-4661 ckormos@radium.ncsc.mil Lisa A. Gallagher (POC) Arca Systems, Inc. Phone: (410)309-1780 Fax: (410)309-1781 gallagher@arca.com USING
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationCompilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid Sized Investment Adviser Firms
Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid Sized Investment Adviser Firms September 2014 rth American Securities Administrators Association www.nasaa.org About
More informationWIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION
United States Department of Agriculture Marketing and Regulatory Programs Grain Inspection, Packers and Stockyards Administration Directive GIPSA 3140.5 11/30/06 WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION
More informationPolicy #: HEN-005 Effective Date: April 4, 2012 Program: Hawai i HIE Revision Date: July 17, 2013 Approved By: Hawai i HIE Board of Directors
TITLE: Access Management Policy #: Effective Date: April 4, 2012 Program: Hawai i HIE Revision Date: July 17, 2013 Approved By: Hawai i HIE Board of Directors Purpose The purpose of this policy is to describe
More informationNational Information Assurance Certification and Accreditation Process (NIACAP)
NSTISSI No. 1000 April 2000 National Information Assurance Certification and Accreditation Process (NIACAP) THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT
More information10 Hidden IT Risks That Threaten Your Practice
(Plus 1 Fast Way to Find Them) Your practice depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine
More informationNetwork Detective. PCI Compliance Module Using the PCI Module Without Inspector. 2015 RapidFire Tools, Inc. All rights reserved.
Network Detective PCI Compliance Module Using the PCI Module Without Inspector 2015 RapidFire Tools, Inc. All rights reserved. V20150819 Ver 5T Contents Purpose of this Guide... 4 About Network Detective
More informationDomain 5 Information Security Governance and Risk Management
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationBMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
More informationIT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationBest Practices for Protecting Laptop Data
Laptop Backup, Recovery, and Data Security: Protecting the Modern Mobile Workforce Today s fast-growing highly mobile workforce is placing new demands on IT. As data growth increases, and that data increasingly
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationThe Commonwealth of Massachusetts
A. JOSEPH DeNUCCI AUDITOR The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH ONE ASHBURTON PLACE, ROOM 1819 BOSTON, MASSACHUSETTS 02108 TEL. (617) 727-6200 No. 2008-1308-4T OFFICE OF THE STATE
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More information