CUSTOMER Information Security Audit Report
Version 1.0
Date: Wednesday, 18 January 2006

SafeComs
Internet:
Chartered Square Building, 20th Fl, 152 North Sathorn Rd., Bangrak, Bangkok 10500, Thailand
Telephone: +66(02)
Fax: +66(02)
CUSTOMER Information Security Audit Report, 18 January 2006

Acknowledgments
Authors / Reviewers / Publisher:
Yannick Thevenot, CTO, SafeComs
Jared Dandridge, COO, SafeComs
Bernard Collin, CEO, SafeComs
SafeComs, 2001 Chartered Square Building, Bangkok

Copyright 2006 SafeComs. All rights reserved. This document is produced for the exclusive usage of the customer and should not be disclosed to unauthorised viewers. The distribution of this document is limited to the Management of the Customer, the staff involved in evaluating the recommendations and the staff implementing them. Distribution outside of this group is not authorised.

Page 2 of 12
Table of Contents

EXECUTIVE SUMMARY ............................... 4
  CUSTOMER'S CORE ASSETS AND RISKS .............. 4
  MANAGEMENT ATTITUDE, KNOWLEDGE AND AWARENESS .. 4
  SUMMARY OF PRIMARY SECURITY THREATS ........... 4
COMPILED RECOMMENDATIONS ........................ 8
SCOPE ........................................... 10
METHODOLOGY ..................................... 10
  RISK SCORE CALCULATIONS ....................... 10
  NOTE ON SAFECOMS APPROACH ..................... 11
CURRENT STATE ................................... 12
FINDINGS, RISKS, AND RECOMMENDATIONS
  SECURITY POLICY
  ORGANIZATION OF INFORMATION SECURITY
  ASSET MANAGEMENT
  HUMAN RESOURCES SECURITY
  PHYSICAL AND ENVIRONMENTAL SECURITY
  COMMUNICATIONS AND OPERATIONS MANAGEMENT
  ACCESS CONTROL
  INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
  INFORMATION SECURITY INCIDENT MANAGEMENT
  BUSINESS CONTINUITY MANAGEMENT
  COMPLIANCE .................................... 51

Page 3 of 12
Executive Summary

CUSTOMER's Core Assets and Risks

CUSTOMER's business depends heavily on reputation and credibility in the industry. Products from clients are valuable, and must be handled appropriately. Risks include: <Risk 1> <Risk 2>

The core production application system is the nervous system of the entire CUSTOMER operations. Core activities include <omitted>. Risks include: <Risk 1> <Risk 2> <Risk 3>

People, the processes they perform, and the expertise they acquire are critical to CUSTOMER (communication, project controls, delivery, etc.). Risks include: <Risk 1> <Risk 2>

Management Attitude, Knowledge and Awareness

COMPANY Directors have expressed firm commitment to implementing security in the organization. There are solid intentions to secure the business and its operations, and this commitment has served the company well. <omitted>

During the business and operations analysis, there was a complacent feeling from some management and staff that we interviewed about the security risks and liabilities at CUSTOMER. There is a mixed understanding of security and of security policies and procedures amongst the staff and management at CUSTOMER. The organization would certainly benefit from a session or workshop on security awareness. Managers need to review security risks in relation to their division and responsibilities.

Summary of primary security threats

A summary of the primary security threats, along with their risk scores (1 low to 45 high*), is outlined in the chart on the following page.
(*) The calculations used to rate these threats are explained in Risk Score Calculations.

Page 4 of 12
Score  Risk Level  Issue

18     Medium      Prior to Employment
Employees are not formally notified of their role in information security, nor are they made aware of the potential penalties for not conforming to company standards. This becomes a liability to the company if any security incidents occur.

18     Medium      Operational Procedures and Responsibilities
Without a list of standard software for PCs and servers, both staff and IT personnel do not have a clear understanding of what is considered acceptable applications, and confusion and misunderstanding will follow. Given the weak control on patching and change management, security vulnerabilities and unexpected results from applications could occur without the control or knowledge of IT.

18     Medium      Backup
Inconsistent procedures for backups could lead to corrupted data, lost tapes, or the inability to restore lost data. It is not known whether <omitted> can be restored, as it has never been tested. For other files, only test files are restored, and no trial of production data is attempted.

18     Medium      Business Requirements for Access Control
The lack of an access control policy leaves room for error by both users and IT staff. As there are no guidelines, changes to staffing or systems could result in a security breach. This is already apparent in how too many file servers are being established. This issue also compounds other factors such as server licenses (cost), patching issues (server management), and configuration and access issues (user management).

<omitted>

36     High        Information Security Policy & Awareness Program
As many staff are unaware of the wide range of potential security issues, various breaches in security could occur and go un-noticed or un-reported. The potential level of damage to the company could be severe (e.g. loss of revenue, customers, or reputation).

36     High        Internal Organization of Information Security
A false sense of security with no direction or substance will continue until a major security event occurs, or active steps are taken to implement security awareness in the organization. The security coordinator has not had any formal security training, and currently she only has limited knowledge as to all the areas that her position is responsible for.

45     High        Reporting Information Security Events and Weaknesses
If employees are not properly trained, security incidents could go unreported and/or unnoticed, causing increased risk for the company. For example, passwords written on paper next to a monitor, confidential documents left in a copier, or other blatant security breaches are items that should be alerted to the security coordinator.

Page 5 of 12
Compiled Recommendations

A. Protect Core Systems and Critical Data from Potential Hackers

Objective: Prevent unauthorized access and defend against possible data manipulation or loss. Due to mis-configuration of the firewall, gateway antivirus, and missing patches, there is a logical path for intruders to access core systems and critical data. We believe this requires utmost attention.

Action:
- Review all policies and appropriately reconfigure the firewall
- Reconfigure the virus gateway scanner
- Reconfigure the spam filter
- Ensure all servers have all appropriate patches applied
- Remove any unnecessary / unused shares

Requirement: Immediate

<omitted>

D. Gain Control of Data & Defend Against Possible Disasters

Objective: Guarantee that any incident could be recovered from, including virus, fire, and accidents on manipulation of server, disks or data, programs, or HD crash. Ensure that information is appropriately controlled, handled, and secured, by classifying and organizing information in a structured manner.

Action:
- Implement a business continuity plan (Step A, Step B, Step C)
- Develop a policy for information classification (Step A, Step B, Step C)
- Control of effective backup and restore operations (Step A, Step B, Step C)
- Encryption should be applied to the backup of sensitive data
- Use of a vault for temporary storage before transfer off site
- Install an appropriate computer room fire suppression system

Requirement: Immediate

Page 6 of 12
Scope

CUSTOMER required that SafeComs perform an audit of their IT infrastructure. The audit must cover all aspects of the IT function at CUSTOMER, including:
- IT policy and procedure
- Business continuity of the IT function
- Physical security around IT assets
- Host-based security on IT assets

Results of the audit should provide CUSTOMER with an understanding of their information security positioning, as well as providing recommendations on how to improve areas that have been identified as being high security risks to CUSTOMER.

Methodology

SafeComs conducted its audit in conformity with ISO 17799, Information Technology Code of practice for information security management. The basis for this is that the ISO standard provides a common basis for developing organizational security standards and effective security management practice, as well as providing confidence in inter-organizational dealings.

The audit consisted of an interview of the Management Team and some key staff. We also observed the IT practice and reviewed appropriate documentation when available. Selected workstations and servers were analyzed, and system software and anti-virus signatures controlled. A full vulnerability scan was conducted on all servers (both public and private) in use at CUSTOMER. Reports are attached. Various recommendations in policies and procedures, including hardening recommendations, will be issued to improve the overall security at CUSTOMER.

Risk Score Calculations:

In this document, you will see ratings indicating the risk level of our findings. There are two variables used to determine risk, which are Business Impact and Level of Control.

Business Impact: How bad could it be?

The first box of rankings is an indication of benchmarks, industry standards, and the level of importance placed on this item, as identified during interviews with your staff. To calculate the Business Impact of a given risk, the two scores for the Potential Impact and the Probability of Occurrence are multiplied together:

Potential Impact (the level of impact to the business of a security breach)
  3  High
  2  Medium
  1  Low

Probability of Occurrence (the likelihood that a security breach might occur)
  3  High
  2  Medium
  1  Low

Page 7 of 12

Business Impact (the overall assessment of how impacting this item could be)
By multiplying the above items, we get the Business Impact (Potential Impact x Probability of Occurrence = Business Impact):
  7 ~ 9  High
  3 ~ 6  Medium
  1 ~ 2  Low

Level of Control: How much are you doing to prevent it?

Based on the findings from the audit, a score is assigned to identify what the business is doing to address and prevent security breaches from this item. The amount of controls or measures in place to mitigate the security breach is ranked as:
  5  Nothing Being Done
  4  No Controls
  3  Weak Controls
  2  Not Consistent
  1  High Control

Risk Score (*): What is your over-all rating for this item?

By combining the potential business impact with the company's level of control for that item, we can identify the risk for that item. Therefore: Business Impact x Level of Control = Risk Score. The Risk Score is divided into three possible categories, as follows:
  31 ~ 45  High Risk
  16 ~ 30  Medium Risk
  1 ~ 15   Low Risk

For each finding below, the following table is used to represent the Risk Score of that item:

  Indicator          Score                  Low Risk            High Risk
  Business Impact    PI x PO = BI (Level)
  Level of Control   LC (Level)
  Risk Score         RS (Level)             1~15    16~30    31~45

(*) To be issued a certificate of compliance, the company must rate only in the Low Risks.

Note on SafeComs approach:

IT security is not an absolute; that is to say that no organisation can be completely secure. Further measures can always be taken to improve the security of an organisation, and to minimise the risk to that organisation of an IT security breach. However, not all security measures represent a good investment of IT resources. IT security is therefore a risk management process, which aims to reach a delicate balance between required functionality, security and cost. The SafeComs approach to conducting IT security audits is based on this philosophy.

Page 8 of 12
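The scoring scheme above, implemented in Python as an added example (this is not code from the report or from SafeComs; the scales and band boundaries are the report's, while the Finding class, function names and the three sample findings are my own encoding of the findings pages that follow). It also applies the certificate-of-compliance rule from the footnote to a whole set of findings.

```python
"""Risk score calculator for the SafeComs methodology described in this report.

Added example, not code from the report. The scales and bands are copied from
"Risk Score Calculations"; the class and function names are assumptions.
"""
from dataclasses import dataclass

# Scales as defined in the report.
POTENTIAL_IMPACT = {"High": 3, "Medium": 2, "Low": 1}
PROBABILITY_OF_OCCURRENCE = {"High": 3, "Medium": 2, "Low": 1}
LEVEL_OF_CONTROL = {
    "Nothing Being Done": 5,
    "No Controls": 4,
    "Weak Controls": 3,
    "Not Consistent": 2,
    "High Control": 1,
}

# Bands as (low, high, label), inclusive on both ends.
BUSINESS_IMPACT_BANDS = [(7, 9, "High"), (3, 6, "Medium"), (1, 2, "Low")]
RISK_SCORE_BANDS = [(31, 45, "High"), (16, 30, "Medium"), (1, 15, "Low")]


def band(value: int, bands) -> str:
    """Return the label of the band containing value; raise if no band matches."""
    for low, high, label in bands:
        if low <= value <= high:
            return label
    raise ValueError(f"{value} is outside every band in {bands}")


@dataclass(frozen=True)
class Finding:
    clause: str
    item: str
    potential_impact: str   # key of POTENTIAL_IMPACT
    probability: str        # key of PROBABILITY_OF_OCCURRENCE
    level_of_control: str   # key of LEVEL_OF_CONTROL

    def business_impact(self) -> int:
        # Potential Impact x Probability of Occurrence = Business Impact
        return (POTENTIAL_IMPACT[self.potential_impact]
                * PROBABILITY_OF_OCCURRENCE[self.probability])

    def risk_score(self) -> int:
        # Business Impact x Level of Control = Risk Score
        return self.business_impact() * LEVEL_OF_CONTROL[self.level_of_control]

    def score_card(self) -> dict:
        """The indicator table the report prints for each finding: (score, level)."""
        bi, rs = self.business_impact(), self.risk_score()
        return {
            "Business Impact": (bi, band(bi, BUSINESS_IMPACT_BANDS)),
            "Level of Control": (LEVEL_OF_CONTROL[self.level_of_control],
                                 self.level_of_control),
            "Risk Score": (rs, band(rs, RISK_SCORE_BANDS)),
        }


def certificate_eligible(findings) -> bool:
    """Footnote rule: a certificate of compliance requires every item to rate Low."""
    return all(band(f.risk_score(), RISK_SCORE_BANDS) == "Low" for f in findings)


def ranked(findings):
    """Findings ordered by risk score, highest first, like the threat summary."""
    return sorted(findings, key=lambda f: f.risk_score(), reverse=True)


# The three findings scored in the findings pages of this report. The Secure
# Areas page writes the control level as "Weak", taken here as "Weak Controls".
REPORT_FINDINGS = [
    Finding("1. Security Policy", "Information Security Policy",
            "High", "High", "No Controls"),
    Finding("5. Physical and Environmental Security", "Secure Areas",
            "High", "Medium", "Weak Controls"),
    Finding("7. Access Control", "Network Access Control",
            "High", "High", "No Controls"),
]

if __name__ == "__main__":
    for f in ranked(REPORT_FINDINGS):
        card = f.score_card()
        print(f"{f.risk_score():>2} {card['Risk Score'][1]:<6} {f.item}: "
              f"BI {card['Business Impact'][0]} ({card['Business Impact'][1]}), "
              f"LC {card['Level of Control'][0]} ({f.level_of_control})")
    eligible = certificate_eligible(REPORT_FINDINGS)
    print("Certificate of compliance:", "eligible" if eligible else "not eligible")
```

Running it reproduces the 36 High, 18 Medium and 36 High scores printed on the findings pages, and shows why the footnote's certificate cannot be issued while any item scores above 15.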
Current State

CUSTOMER has many services, such as <omitted>, that are handled by a computerized control system. In addition, service time is offered 24 hours a day and 365 days a year to support the customer needs. CUSTOMER's goal is to be one of the best service providers in Asia, with advanced technology and well-maintained facilities such as <omitted> on the World Wide Web, in order to ensure that customers will be able to access them directly to receive real-time information. Currently, there are a number of significant applications on the computer systems, such as <omitted>, that are running on UNIX and Windows Server 2003, respectively. Recognizing the criticality of the role of the computer systems in the operation of the company, CUSTOMER management is concerned with the adequacy of controls to ensure the accuracy, integrity and reliability of the computer systems.

Findings, Risks, and Recommendations

In compliance with ISO-17799, the audit results at CUSTOMER are organized into the eleven security control clauses of the ISO standard. Within each of the ISO clauses, the identified items are presented with their associated findings, risks, and recommendations. The 11 security control clauses are as follows:

1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Note: The order of the clauses does not imply their importance. Depending on the circumstances, all clauses could be important; therefore SafeComs will identify the applicable clauses, how important these are, and their application to individual business processes.

Page 9 of 12
1. Security Policy

Information Security Policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Business Impact
  Indicator                   Score
  Potential Impact            High
  Probability of Occurrence   High
  Business Impact             High

Control
Information security policy document: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
<omitted>

Finding
There is no formal, documented security policy in existence at CUSTOMER. During interviews, some staff assumed a policy was in place, due to their understanding that security was only about passwords. In the procedure manuals, we found that <omitted>

CUSTOMER's Level of Control: No Controls

Risk
As many staff are unaware of the wide range of potential security issues, various breaches in security could occur and go un-noticed or un-reported. The potential level of damage to the company could be severe (e.g. loss of revenue, customers, or reputation).

Risk Score: 36 - High (Low 1~15, Medium 16~30, High 31~45)

Recommendation
Immediate action should be taken to develop and implement a comprehensive information security policy that will define and communicate the management's commitment to information security to the entire organization.

Page 10 of 12
5. Physical and Environmental Security

Secure Areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization's premises and information. Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and interference. The protection provided should be commensurate with the identified risks.

Business Impact
  Indicator                   Score
  Potential Impact            High
  Probability of Occurrence   Medium
  Business Impact             Medium

Control
Physical security perimeter: Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.
<omitted>
Protecting against external and environmental threats: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied.

Finding
<omitted>
A primary concern is the fact that there is no fire suppression system in the computer room.

CUSTOMER's Level of Control: Weak

Risk
A fire in the computer room could destroy all current support activities, as well as destroy the servers of the other company hosted in the CUSTOMER computer room. CUSTOMER could be liable for damages incurred to both companies, including lost assets and time to recover from the loss.

Risk Score: 18 - Medium (Low 1~15, Medium 16~30, High 31~45)

Recommendation
Continue regular maintenance on the perimeter, entry controls, and facilities. An appropriate computer room fire suppression system should be installed as soon as possible to prevent a fire disaster.
<omitted>

Page 11 of 12
7. Access Control

Network Access Control

Objective: To prevent unauthorized access to networked services. Access to both internal and external networked services should be controlled. User access to networks and network services should not compromise the security of the network services, by ensuring:
a) appropriate interfaces are in place between the organization's network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced.

Business Impact
  Indicator                   Score
  Potential Impact            High
  Probability of Occurrence   High
  Business Impact             High

Control
Policy on use of network services: Users should only be provided with access to the services that they have been specifically authorized to use.
<omitted>
Network routing control: Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

Finding
Customers and suppliers are able to access CUSTOMER data/applications. There is no control or log monitoring of what they do remotely. PC Anywhere was still open on a server during the audit, even though the supplier had requested access during a previous timeframe.
<omitted>
Security breach possible: During an external scan, we found that the virus scanning interface is open and available without the need of a username or password. We have access to control this service. In addition, we believe that with a small amount of effort, we could penetrate this machine and thereby gain access to the CORE system via a hole identified in the firewall.

CUSTOMER's Level of Control: No Controls

Risk
Production systems are vulnerable to attack and security breaches from multiple channels (Internet and wireless), and there is no true control or knowledge of what is passing through the network on a daily basis.

Risk Score: 36 - High (Low 1~15, Medium 16~30, High 31~45)

Recommendation
<omitted>

Page 12 of 12
More informationnbn is committed to identifying hazards, preventing workplace accidents and minimising dangerous health safety and environment incidents.
Incident & Hazard Reprting Overview At nbn we are safe, disciplined and reliable. nbn is cmmitted t preventing injury, illness and envirnmental harm by prviding a safe and healthy wrking envirnment fr
More informationNetwork Security Trends in the Era of Cloud and Mobile Computing
Research Reprt Abstract: Netwrk Security Trends in the Era f Clud and Mbile Cmputing By Jn Oltsik, Senir Principal Analyst and Bill Lundell, Senir Research Analyst With Jennifer Gahm, Senir Prject Manager
More informationFirst Global Data Corp.
First Glbal Data Crp. Privacy Plicy As f February 23, 2015 Ding business with First Glbal Data Crp. ("First Glbal", First Glbal Mney, "we" r "us", which includes First Glbal Data Crp. s subsidiary, First
More informationProcess of Setting up a New Merchant Account
Prcess f Setting up a New Merchant Accunt Table f Cntents PCI DSS... 3 Wh t cntact?... 3 Bakcgrund n PCI... 3 Why cmply?... 3 Hw t cmply?... 3 PCI DSS Scpe... 4 Des PCI DSS Apply t Me?... 4 What if I am
More informationConsiderations for Success in Workflow Automation. Automating Workflows with KwikTag by ImageTag
Autmating Wrkflws with KwikTag by ImageTag Cnsideratins fr Success in Wrkflw Autmatin KwikTag balances cmprehensive, feature-rich Transactinal Cntent Management with affrdability, fast implementatin, ease
More informationInformation Security Incident Response Plan
Infrmatin Security Incident Respnse Plan Agency: Date: Cntact: 1 TABLE OF CONTENTS Intrductin... 3 Authrity... 4 Terms and Definitins... 4 Rles and Respnsibilities... 5 Prgram... 6 Educatin and Awareness...
More informationMSB FINANCIAL CORP. MILLINGTON BANK AUDIT COMMITTEE CHARTER
MSB FINANCIAL CORP. MILLINGTON BANK AUDIT COMMITTEE CHARTER This Audit Cmmittee Charter has been amended as f July 17, 2015. The Audit Cmmittee shall review and reassess this Charter annually and recmmend
More informationWHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy
WHAT YOU NEED TO KNOW ABOUT Prtecting yur Privacy YOUR PRIVACY IS OUR PRIORITY Credit unins have a histry f respecting the privacy f ur members and custmers. Yur Bard f Directrs has adpted the Credit Unin
More informationWoodstock Multimedia, INC. Software/Hardware Usage Policy
Wdstck Multimedia, INC. Sftware/Hardware Usage Plicy POLICY PURPOSE The purpse f the Wdstck Multimedia, INC. Sftware / Hardware Usage Plicy is t ensure that Wdstck Multimedia, INC. emplyees are prperly
More informationAHI. Foreign Pre-Approval Inspections (PAIs) Points to Consider
AHI Freign Pre-Apprval Inspectins (PAIs) Pints t Cnsider The fllwing suggestins are intended t prvide spnsr guidance fr timeliness and predictability f freign PAIs. The FDA Center fr Veterinary Medicine
More informationCorporate Standards for data quality and the collation of data for external presentation
The University f Kent Crprate Standards fr data quality and the cllatin f data fr external presentatin This paper intrduces a set f standards with the aim f safeguarding the University s psitin in published
More informationTO: Chief Executive Officers of all National Banks, Department and Division Heads, and all Examining Personnel
AL 96-7 Subject: Credit Card Preapprved Slicitatins TO: Chief Executive Officers f all Natinal Banks, Department and Divisin Heads, and all Examining Persnnel PURPOSE The purpse f this advisry letter is
More informationSuccession Planning & Leadership Development: Your Utility s Bridge to the Future
Successin Planning & Leadership Develpment: Yur Utility s Bridge t the Future Richard L. Gerstberger, P.E. TAP Resurce Develpment Grup, Inc. 4625 West 32 nd Ave Denver, CO 80212 ABSTRACT A few years ag,
More information2. Are there any restrictions on when the work can be performed (e.g. only at night, only during business hours, only on weekends)? No.
HIPAA Technical Risk Security Assessment 1. Will yu be issuing additinal directins fr the frmatting f the final prpsal due Nvember 21 st? There is nt specific frmatting requirements, just submit the prpsal
More informationDatabase Services - Extended
1 General Overview This is a Service Level Agreement ( SLA ) between and Database Services t dcument: The technlgy services Database Services prvides t the custmer. The targets fr respnse times, service
More informationBusiness Continuity Management Policy
The Public Trustee Business Cntinuity Management Plicy Octber 2015 Business Cntinuity Management Plicy Octber 2015 Page 1 f 6 Dcument Infrmatin Apprved Name Psitin Signature Date Mark Crftn A/Public Trustee
More informationLATROBE COMMUNITY HEALTH SERVICE MANAGER, MARKETING AND COMMUNICATION JOB & PERSON SPECIFICATION
LATROBE COMMUNITY HEALTH SERVICE MANAGER, MARKETING AND COMMUNICATION JOB & PERSON SPECIFICATION JANUARY 2014 POSITION TITLE : MANAGER, MARKETING AND COMMUNICATION CLASSIFICATION : GRADE 5 AWARD : HEALTH,
More informationTITLE: Supplier Contracting Guidelines Process: FIN_PS_PSG_050 Replaces: Manual Sections 6.4, 7.1, 7.5, 7.6, 7.11 Effective Date: 10/1/2014 Contents
TITLE: Supplier Cntracting Guidelines Prcess: FIN_PS_PSG_050 Replaces: Manual Sectins 6.4, 7.1, 7.5, 7.6, 7.11 Cntents 1 Abut university supplier cntracting... 2 2 When is a cntract required?... 2 3 Wh
More informationLINCOLNSHIRE POLICE Policy Document
LINCOLNSHIRE POLICE Plicy Dcument 1. POLICY IDENTIFICATION PAGE POLICY TITLE: ICT CHANGE & RELEASE MANAGEMENT POLICY POLICY REFERENCE NO: PD 186 POLICY OWNERSHIP: ACPO Cmmissining Officer: Prtfli / Business-area
More informationSTANDARDISATION IN E-ARCHIVING
STANDARDISATION IN E-ARCHIVING R E Q U I R E M E N T S A N D C O N T R O L S F O R D I G I T I S AT I O N A N D E - A R C H I V I N G S E R V I C E P R O V I D E R S Alain Wahl 1 Requirements and cntrls
More informationBIBH Duty Statements and Governance chart reviewed and approved April 2014. BIBH Executive Governance & Management Arrangements
BIBH Duty Statements and Gvernance chart reviewed and apprved April 2014 BIBH Executive Gvernance & Management Arrangements BIBH COMMITTEE CEO - Paul O Cnnell Executive Secretary - Brian Firth Executive
More informationResident Assistant Application JOB DESCRIPTION
Requirements and Cmpensatin Resident Assistant Applicatin JOB DESCRIPTION Must have cmpleted at least 24 credit hurs at the time f emplyment. Must have a clear judicial recrd with Husing and Residential
More informationIT Help Desk Service Level Expectations Revised: 01/09/2012
IT Help Desk Service Level Expectatins Revised: 01/09/2012 Overview The IT Help Desk team cnsists f six (6) full time emplyees and fifteen (15) part time student emplyees. This team prvides supprt fr 25,000+
More informationOnline Banking Agreement
Online Banking Agreement 1. General This Online Banking Agreement, which may be amended frm time t time by us (this "Agreement"), fr accessing yur Clrad Federal Savings Bank accunt(s) via the Internet
More informationUniversity of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments
University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Cntents: Purpse Applicability Plicy Statement Respnsibilities f a Merchant Department Prcess t Becme a Merchant Department
More informationBackupAssist SQL Add-on
WHITEPAPER BackupAssist Versin 6 www.backupassist.cm 2 Cntents 1. Requirements... 3 1.1 Remte SQL backup requirements:... 3 2. Intrductin... 4 3. SQL backups within BackupAssist... 5 3.1 Backing up system
More informationISO Management Systems. Guidance on understanding the benefits of an ISO Management System
ISO Management Systems Guidance n understanding the benefits f an ISO Management System Welcme & Intrductins 4031 University Drive, 206, Fairfax, VA 22030 3 Grant Square, 243, Hinsdale, IL 60521 www.radiancmpliance.cm
More informationAuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit
AuditNet Survey f Bring yur wn Device (BYOD) - Cntrl, Risk and Audit The pace f technlgy mves much faster than managers and auditrs can understand and react, with updated plicies, prcedures and cntrls.
More informationIT CHANGE MANAGEMENT POLICY
IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement
More informationBusiness Plan Overview
Business Plan Overview Organizatin and Cntent Summary A business plan is a descriptin f yur business, including yur prduct yur market, yur peple and yur financing needs. Yu shuld cnsider that a well prepared
More informationUNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES
UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative
More informationThe ADVANTAGE of Cloud Based Computing:
The ADVANTAGE f Clud Based Cmputing: A Web Based Slutin fr: Business wners and managers that perate equipment rental, sales and/r service based rganizatins. R M I Crpratin Business Reprt RMI Crpratin has
More informationPurpose Statement. Objectives
Apprved by Academic Affairs Cuncil, June 24, 2014 Faculty Handbk Part VI: Other Plicies and Prcedures Sectin R. Intellectual Prperty Classified Emplyee Handbk Part VI: Other Plicies and Prcedures Sectin
More informationEJttilb Health. The University of Texas Medical Branch Audit Services. Audit Report. Epic In-Basket Management Audit. Engagement Number 2015-008
',. -... : t'f" ' EJttilb Health The University f Texas Medical Branch Audit Reprt Audit Engagement Number 2015-008 July 2015 nie University f Texas Medical Branch 301 University Bulevard, Suite 4.100
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT Draft Regulatry Cmpliance Management Guideline Released by the Office f the Superintendent f Financial Institutins May 5, 2014 On April 30, 2014, the Office f the Superintendent
More informationCustomer Support & Software Enhancements Policy
Custmer Supprt & Sftware Enhancements Plicy Welcme t Manhattan Assciates Custmer Supprt Organizatin (CSO). Staying current n Custmer Supprt & Sftware Enhancements and n a supprted versin f the licensed
More informationIn addition to assisting with the disaster planning process, it is hoped this document will also::
First Step f a Disaster Recver Analysis: Knwing What Yu Have and Hw t Get t it Ntes abut using this dcument: This free tl is ffered as a guide and starting pint. It is des nt cver all pssible business
More informationElectronic and Information Resources Accessibility Compliance Plan
Electrnic and Infrmatin Resurces Accessibility Cmpliance Plan Intrductin The University f Nrth Texas at Dallas (UNTD) is cmmitted t prviding a wrk envirnment that affrds equal access and pprtunity t therwise
More informationSOFTWARE DEVELOPER POSITION BY RIOMED LTD. SAFE. EFFICIENT. QUALITY WORLD CLASS HEALTHCARE SOLUTION
SOFTWARE DEVELOPER POSITION BY RIOMED LTD. SAFE. EFFICIENT. QUALITY WORLD CLASS HEALTHCARE SOLUTION JOB DESCRIPTION POSITION: EXPERIENCED SOFTWARE DEVELOPER LOCATION: INDIA REPORTING TO: COMPANY DIRECTOR
More informationProcess for Responding to Privacy Breaches
Prcess fr Respnding t Privacy Breaches 1. Purpse 1.1 This dcument sets ut the steps that ministries must fllw when respnding t a privacy breach. It must be read in cnjunctin with the Infrmatin Incident
More information