WHITEPAPER FIREMON COMPLIANCE WITH THE TECHNOLOGY RISK MANAGEMENT GUIDELINES FROM MONETARY AUTHORITY OF SINGAPORE
By: Jim D. Hietala, CISSP, GSEC, Open FAIR, Compliance Research Group
Table of Contents
Executive Overview ... 3
Overview of the Technology Risk Management Guidelines ... 3
FireMon Product Summary ... 5
TRM Requirements and FireMon Compliance Summary ... 5
Conclusion ... 12
About the Author ... 13
About FireMon ... 13
Executive Overview

Complying with the 12 sections and 6 appendices of the Monetary Authority of Singapore Technology Risk Management Guidelines (TRM Guidelines) requires a detailed understanding of the guidelines and the implementation of security controls that can mitigate risks. These include controls that manage, enforce, and report on compliance with policies in IT infrastructure equipment such as firewalls, routers, and switches. This whitepaper describes the TRM Guidelines and their importance and impact in Singapore and throughout Southeast Asia. The paper also describes those security controls in the FireMon family of IT security products that provide effective mitigation of risks and help enterprises meet the security guidelines found in the TRM Guidelines. By providing capabilities that facilitate compliance with a large percentage of the technical security controls identified in Sections 4, 7, 9, 11, 12 and 14 and in Appendices A and D, FireMon's products help address half of the 12 sections and add significantly to the ability of financial institutions and other organisations to comply with the TRM Guidelines and to effectively secure their customers' financial information and IT systems.

Overview of the Technology Risk Management Guidelines

Published by the Monetary Authority of Singapore (MAS), the TRM Guidelines are aimed at financial institutions in Singapore. While not mandatory, compliance with the guidelines is something that the financial regulators consider in their risk assessments of financial institutions. In addition, given the leadership shown by the MAS in developing and issuing the guidelines, the best practices described in the TRM Guidelines have been adopted by other sectors and by organisations outside Singapore elsewhere in Southeast Asia. As such, they are a highly influential set of guidelines and recommendations with which to reduce risk in IT systems.
The TRM Guidelines have three primary goals, which are to assist organisations in: establishing a sound and robust technology risk management framework; strengthening system security, reliability, resiliency, and recoverability; and deploying strong authentication to protect customer data, transactions, and systems.

The TRM Guidelines contain 12 major sections and 6 appendices:

(3) OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF DIRECTORS AND SENIOR MANAGEMENT
Description: This section of the TRM Guidelines makes boards of directors and senior management responsible for risk management. It also establishes the requirement for policies, standards, and procedures that support the risk management framework, and for compliance processes that support the framework. In addition, it suggests security awareness programmes and requirements.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK
Description: In this section, the MAS specifies the essential elements of a risk framework to be implemented by affected financial institutions (FIs). The section describes numerous key requirements that FIs must address in their risk framework, including in the areas of protection of information system assets, identification of risks, assessment of risks, risk treatment, and risk monitoring and reporting.

(5) MANAGEMENT OF IT OUTSOURCING RISKS
Description: Section 5 covers best practices for due diligence when vetting outsourcing providers, and for understanding the particular security implications of cloud computing.

(6) ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS
Description: This section provides requirements related to the procurement of IT hardware and software, as well as software development security issues (including code review and system test requirements) and project management requirements.
(7) IT SERVICE MANAGEMENT
Description: In Section 7, service management issues such as change management, release management, incident and problem management, and capacity management are described.

(8) SYSTEMS RELIABILITY, AVAILABILITY AND RECOVERABILITY
Description: This section describes requirements for reliability, availability, and recoverability of IT systems and infrastructure. It documents requirements for disaster recovery, data backup, and redundant equipment for failover.

(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT
Description: This section presents key requirements for technical security controls that aim to protect customer information and other information assets. Included are requirements for user authentication, access controls, firewalls, data loss prevention, data protection both for data at rest on endpoints and for data in motion, encryption, and network and security configuration management. The section further describes requirements for wireless security, vulnerability assessments, penetration tests, vulnerability management, patch management, security monitoring, and logging and auditing.

(10) DATA CENTRES PROTECTION AND CONTROLS
Description: Section 10 provides requirements for data centre protection and security. This includes performing threat and vulnerability risk assessments and deploying physical security controls to ensure the resiliency and operation of the facility.

(11) ACCESS CONTROL
Description: This section describes access controls aligned with fundamental security principles (the never-alone principle, segregation of duties, and the principle of least privilege). It also covers access management, user privilege management for both insiders and contractors, password controls and policies, and restrictions on concurrent access to both production and backup data. Section 11 also describes numerous controls for privileged users.

(12) ONLINE FINANCIAL SERVICES
Description: Section 12 is specific to online financial services. It segments online services into different categories (information, interactive information, and transactional services), and guides FIs to assess the risks of each category appropriately. Numerous controls specific to online services are provided to ensure the confidentiality, integrity, and availability of these systems, including encryption, logical segmentation of networks, monitoring and surveillance of activity, anti-DDoS measures, two-factor authentication, and customer security awareness education.

(13) PAYMENT CARD SECURITY (AUTOMATED TELLER MACHINES, CREDIT AND DEBIT CARDS)
Description: Section 13 describes security controls specific to payment cards. From a security requirements standpoint, this section recommends safeguards to protect sensitive payment card data held on magnetic stripes, and it calls for one-time password implementations for internet-based card transactions. It also requires ATM physical security measures and anti-fraud controls.

(14) IT AUDIT
Description: The IT Audit section identifies how the IT audit function should be organised and governed, and it gives recommendations for audit frequency and scope.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW
Description: A more detailed set of recommendations and requirements regarding the testing of software, systems and networks.

APPENDIX B: STORAGE SYSTEM RESILIENCY
Description: Requirements for the resiliency of IT storage systems.

APPENDIX C: CRYPTOGRAPHY
Description: Specific recommendations regarding the use of cryptographic algorithms and standards.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION
Description: Recommendations to maintain availability and continuity of operation in the face of attempted DDoS attacks.

APPENDIX E: SECURITY MEASURES FOR ONLINE SYSTEMS
Description: More detailed recommendations for security controls for online services.

APPENDIX F: CUSTOMER PROTECTION AND EDUCATION
Description: Measures the FIs should undertake to educate customers on security threats.
The TRM Guidelines include requirements that span people, processes, and technological controls. Many areas of the TRM Guidelines specify people and process controls, where technological solutions are not useful or applicable. As the summary table above shows, FireMon's products provide key capabilities that help FIs address many of the technology control requirements in the TRM Guidelines. This includes significant coverage of compliance requirements found in Sections 4, 7, 9, 11, 12 and 14. The FireMon products also help address compliance requirements found in Appendices A and D. For reference, the complete Technology Risk Management Guidelines from MAS are available on the MAS website [1]. A helpful compliance checklist for the MAS TRM Guidelines is also available on the MAS website [2].

FireMon Product Summary

FireMon provides a range of products that help organisations better manage their IT infrastructure and understand the risks arising from network access configuration. The FireMon Security Manager platform provides constant visibility into network security enforcement, the impact of policy change, and the exposure of vulnerable systems to attack, allowing organisations to optimise their existing defences and focus remediation on truly critical IT risks. FireMon Risk Analyzer provides attack vector analysis, continuous attack surface monitoring, pre-change risk analysis, and network security enforcement gap analysis. FireMon Policy Planner provides rule recommendations, allows network managers to manage the rule change process and perform policy change impact analysis, and supports continuous policy compliance assessment.

TRM Requirements and FireMon Compliance Summary

The mapping table below includes the specific TRM Guidelines reference, the requirement language, and explanatory text describing how the relevant FireMon product helps FIs meet the requirement.
Note that this table does not contain the full set of sections and requirements; it focuses on the 6 of the 12 sections where the FireMon products either directly enable compliance or support efforts to comply.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK
Description: In this section, the MAS specifies the essential elements of a risk framework to be implemented by affected FIs, including the protection of information system assets, identification and assessment of risks, risk treatment, and risk monitoring and reporting.

Requirement (4b): Identification and prioritisation of information system assets.
Requirement (4c): Identification and assessment of the impact and likelihood of current and emerging threats, risks, and vulnerabilities.
FireMon: FireMon risk reports help managers understand where the highest network security risks are, based on reachable assets with known vulnerabilities.

Requirement (4d): Implementation of appropriate practices and controls to mitigate risks.
FireMon: Controls and security policies deployed through FireMon Security Manager are intended to mitigate risks. These include policies, firewall rulesets, and baseline configurations that are deployed to network firewalls. New rules can be pre-tested for compliance before deployment, and the product reports on changes to rules that have moved firewalls out of compliance with policy.

Requirement (4e): Periodic update and monitoring of the risk assessment to include changes in systems, environment or operating conditions that would affect the risk analysis.
FireMon: Baseline policies are assessed in real time, and managed and controlled before any new implementation of a service or application. FireMon Security Manager reports on firewall rule changes, as well as on changes to risk over time.

Requirement: Information system assets are adequately protected from unauthorised access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
Requirement: The criticality of information system assets is ascertained and appropriate plans are developed to protect them.
FireMon: FireMon Security Manager helps ensure that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: Mutating and growing risks are monitored vigilantly.
FireMon: Attack path analysis and identification reports from FireMon can be used in the face of attacks to determine which assets are at risk, and to plan network changes and new firewall rules to protect those assets.

Requirement: A threat and vulnerability matrix is developed to assess the impact of threats to the organisation's IT environment, and to prioritise IT risks.
Requirement: For each type of risk identified, risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance are developed and implemented.
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

[1] TRM Guidelines, 21 June (PDF), MAS website.
[2] TRM Checklist, MAS website.
Requirement: Priority is given to threat and vulnerability pairings with a high-risk ranking which could cause significant harm or impact to the organisation's operations.
Requirement: Risks of the highest severity are accorded top priority and monitored closely, with regular reporting on the actions that have been taken to mitigate them.
Requirement: A monitoring and review process for continuous assessment and treatment of risks is instituted.
Requirement: IT risk metrics are developed to highlight the systems, processes, or infrastructure that have the highest risk exposure.
FireMon: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

Requirement: Past risk-control methods are re-evaluated with renewed testing and assessment of the adequacy and effectiveness of risk management processes.
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

(7) IT SERVICE MANAGEMENT

Requirement: A change management process is established to ensure that changes to production systems are assessed, approved, implemented, and reviewed in a controlled manner.
Requirement: The change management process applies to changes pertaining to system and security configurations, patches for hardware devices, and software updates.
Requirement: Prior to deploying changes to the production environment, an assessment is performed of whether the introduced change would spawn security implications or software compatibility problems for affected systems or applications.
FireMon: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

Requirement: Separate physical or logical environments for systems development, testing, staging, and production are established.
FireMon: Firewalls are typically used to maintain separation between test and production environments. FireMon helps manage rules for both environments and can evaluate network security policies and the impact of changes across both.

Requirement: A root-cause and impact analysis is performed for major incidents which result in severe disruption of IT services, and remediation actions are taken to prevent the recurrence of similar incidents:
a.ii. Root cause analysis: where did it happen?
a.iii. Why and how did the incident happen?
c.ii. Measures to address the root cause of the incident.
c.iii. Measures to prevent similar or related incidents from occurring.
FireMon: FireMon reporting capabilities, including attack path analysis; risky protocols, ports, and services; devices with failed controls; and firewall verification reports, provide the deep view into network security policy configuration required to perform root cause analysis of network traffic.
(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT

Requirement: Security solutions are implemented at the data, application, database, operating system, and network layers to adequately address and contain threats.
Requirement: Measures are implemented to protect sensitive or confidential information, such as customer personal, account, and transaction data, that is stored and processed in systems.
FireMon: FireMon Security Manager helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed.

Requirement: Important data are identified and adequate measures are adopted to detect and prevent unauthorised access, copying, or transmission of confidential information.
FireMon: Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access to and transmission of sensitive information.

Requirement: Measures are implemented to address the risks of data theft, data loss and data leakage from endpoint devices, customer service locations, and call centres.
FireMon: FireMon Security Manager helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access to and transmission of sensitive information.

Requirement: Measures are implemented to prevent and detect the use of unsafe internet services within the organisation.
FireMon: FireMon Security Manager helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. This can include blocking unsafe internet services across the network.

Requirement: Confidential information stored on IT systems, servers and databases is encrypted and protected through strong access controls, bearing in mind the principle of least privilege.
FireMon: FireMon Security Manager helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access to and transmission of sensitive information.

Requirement: An up-to-date inventory of software and hardware components used in the production and disaster recovery environments is maintained.
FireMon: The FireMon asset inventory report provides information on all security and network assets in use across the entire network.
Requirement: Effective risk mitigation controls are established where necessary.
FireMon: FireMon Risk Measurement, Risk Recommendations, and Risk Scoring reports help identify where risk exists and how best to mitigate it.

Requirement: IT systems and devices are configured with security settings that are consistent with the expected level of protection. Baseline standards are established to facilitate consistent application of security configurations to operating systems, databases, network devices, and enterprise mobile devices within the IT environment.
FireMon: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are applied consistently throughout the IT infrastructure.

Requirement: Regular enforcement checks are conducted to ensure that baseline standards are applied uniformly and that non-compliances are detected and raised for investigation.
FireMon: FireMon continuous assessment reports, including traffic flow, attack path, global drop firewall rule, and risky ports, protocols, and services details, can serve as the regular checks of baseline security behaviour.

Requirement: Network security devices, such as firewalls as well as intrusion detection and prevention systems, are installed at critical junctures to protect network perimeters.
FireMon: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are applied consistently throughout the IT infrastructure.

Requirement: Rules on network security devices are regularly backed up.
FireMon: FireMon also provides backups of firewall rules, and manages the deployment of rulesets to network devices.

Requirement: Rules on network security devices are regularly reviewed to determine their appropriateness and relevancy.
FireMon: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure that they are applied consistently throughout the IT infrastructure. Reporting on traffic flow, attack path, the global drop firewall rule, risky ports, protocols, and services, firewall rules containing "any", and firewall rules with large sources or destinations can inform needed and planned changes to firewall rules.

Requirement: Automated tools and manual techniques are used to perform a vulnerability assessment.
FireMon: Reporting on traffic flow, attack path, the global drop firewall rule, risky ports, protocols, and services, firewall rules containing "any", and firewall rules with large sources or destinations can help to identify vulnerabilities that exist at the network layer, as part of a larger vulnerability assessment.

Requirement: Penetration tests on internet-facing systems are conducted at least annually.
FireMon: The same reports can help to identify vulnerabilities that exist at the network layer. While not a direct part of a penetration test, these reports are critical to understanding how penetration tests succeeded, and how best to address the security weaknesses found.

Requirement: Security monitoring tools which enable the detection of changes to critical IT resources, such as databases, system or data files and programs, are implemented to facilitate the identification of unauthorised changes.
FireMon: For network security devices, FireMon monitors and flags changes to firewall rule configurations, and manages changes to firewall rulesets.

(11) ACCESS CONTROL

Requirement: User access to IT systems and networks is granted on a need-to-use basis and within the period when the access is required.
FireMon: Logical access to IT resources is controlled at the network layer through the deployment of firewalls. FireMon Security Manager manages the access rules in firewalls across the network.

(12) ONLINE FINANCIAL SERVICES

Requirement: Risks associated with different types of services provided over the internet are clearly identified in the risk management process.
FireMon: FireMon risk reports describe network access risks, including those related to assets supporting online services.

Requirement: A security strategy is devised and measures are put in place to ensure the confidentiality, integrity, and availability of data and systems.
FireMon: Fundamental to ensuring confidentiality, integrity, and availability for online services is understanding the risks and attack paths for the assets used in online IT systems. FireMon identifies these through extensive reporting, and provides the ability to deploy security policies consistently to network devices throughout the network.
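The rule-review and pre-change checks referred to in the rows above (rules containing "any", rules with large sources or destinations, risky ports, protocols and services, the presence of a global drop rule, and analysing a change before it is committed) can be written down directly. The following Python block is an added example written for this page; it is not FireMon code and does not reproduce any FireMon report format. It runs those checks over a constructed, first-match ruleset. The ruleset representation, the "large" threshold of 256 addresses, the risky-service list and the trusted management network 10.10.0.0/24 are all assumptions chosen for illustration.

```python
"""
Firewall rule review and pre-change check.

Added example for this page, not FireMon code. The ruleset below is a
constructed, first-match (top to bottom) policy; thresholds, the risky-service
list and the trusted management network are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

# Assumption: services that should never be reachable from untrusted sources.
RISKY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp", "tcp/445": "smb",
                  "tcp/3389": "rdp", "udp/69": "tftp"}
# Assumption: the only network allowed to reach risky services.
TRUSTED_MGMT = ipaddress.ip_network("10.10.0.0/24")
# Assumption: a source or destination covering more addresses than this is "large".
LARGE_THRESHOLD = 256

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # IPv4 CIDR or "any"
    dst: str        # IPv4 CIDR or "any"
    service: str    # "proto/port" or "any"
    action: str     # "allow" or "drop"


def net(value: str) -> ipaddress.IPv4Network:
    """Map a source/destination field to a network; 'any' is the whole IPv4 space."""
    return ANY if value == "any" else ipaddress.ip_network(value, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.service in ("any", inner.service))


def review_rule(rule: Rule) -> list[str]:
    """Findings a rule review raises for one allow rule (drop rules are not over-permissive)."""
    if rule.action != "allow":
        return []
    findings = []
    if "any" in (rule.src, rule.dst, rule.service):
        findings.append("any")
    if net(rule.src).num_addresses > LARGE_THRESHOLD:
        findings.append("large-source")
    if net(rule.dst).num_addresses > LARGE_THRESHOLD:
        findings.append("large-destination")
    svc = RISKY_SERVICES.get(rule.service)
    if svc and not net(rule.src).subnet_of(TRUSTED_MGMT):
        findings.append(f"risky-service:{svc}")
    return findings


def review_ruleset(rules: list[Rule]) -> dict[str, list[str]]:
    """Per-rule findings, plus a ruleset-level check that a global drop rule ends the policy."""
    report = {r.name: review_rule(r) for r in rules}
    last = rules[-1] if rules else None
    if not (last and last.action == "drop"
            and last.src == last.dst == last.service == "any"):
        report["_ruleset"] = ["missing-global-drop"]
    return report


def pre_change_check(rules: list[Rule], proposed: Rule, position: int) -> list[str]:
    """Evaluate a proposed rule before it is pushed: over-permissiveness, and whether an
    earlier rule (allow or drop) already matches every flow it would match, making it dead."""
    findings = review_rule(proposed)
    for earlier in rules[:position]:
        if covers(earlier, proposed):
            findings.append(f"shadowed-by:{earlier.name}")
            break
    return findings


# Constructed sample ruleset (illustrative only, not a real policy).
RULES = [
    Rule("mgmt-ssh", "10.10.0.0/24", "10.20.0.0/24", "tcp/22", "allow"),
    Rule("web-in", "any", "192.0.2.10/32", "tcp/443", "allow"),
    Rule("legacy-telnet", "172.16.0.0/16", "10.20.0.5/32", "tcp/23", "allow"),
    Rule("dc-sync", "10.20.0.0/16", "10.30.0.0/16", "any", "allow"),
    Rule("global-drop", "any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for name, findings in review_ruleset(RULES).items():
        print(f"{name}: {findings or 'ok'}")
    proposed = Rule("new-rdp", "any", "10.20.0.7/32", "tcp/3389", "allow")
    print("pre-change:", pre_change_check(RULES, proposed, position=4))
```

The pre-change check treats a proposed rule as shadowed when any earlier rule already matches every flow it would match, which is the usual result of unreviewed rule growth; a production check would also compare the rule against the organisation's baseline standard and against the asset exposure data the reports above describe.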
Requirement: Physical and logical access security are implemented to allow only authorised staff to access systems.
FireMon: FireMon manages network access to IT systems to help ensure that only authorised staff are allowed access to systems.

Requirement: Adequate safeguards are implemented to protect sensitive or confidential information used for mobile online services and payments. The processing of sensitive or confidential information is performed in a secure environment.
FireMon: FireMon ensures that consistent security policies are deployed throughout the network to secure access to sensitive data.

(14) IT AUDIT

Requirement: The scope of IT audit is comprehensive and includes all critical IT operations.
FireMon: FireMon supports effective IT audits through numerous reports that describe attack paths, network audit logs, risk measurement and visibility, risky protocols, services and ports, and firewall rules.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW

Requirement (A.1.1): Rigorous testing of systems is conducted to verify the security, reliability and availability of systems under normal and extreme conditions.
FireMon: FireMon supports systems security testing by documenting access and attack paths to network devices.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION

Requirement (D.2.2): Devices such as application and network firewalls, network and host-based intrusion detection/prevention systems, routers and other specialised equipment are installed and configured to alert security staff and divert and/or filter network traffic in real time once an attack is suspected or confirmed.
FireMon: FireMon reports provide visibility into attack vectors and paths, and into the firewall rules that may need modification as a result of attacks.

Conclusion

Management of network security devices and network access is fundamental to securing IT systems and customer information. It is also a core capability that is critical in meeting the explicit technical control requirements found in the TRM Guidelines, and in providing the supporting information necessary to comply with many of the process-related control requirements of the TRM Guidelines. FireMon's security products provide extensive capabilities across these requirements. They provide coverage of compliance requirements found in Sections 4, 7, 9, 11, 12 and 14, and in Appendices A and D, of the TRM Guidelines.
About the Author

Jim D. Hietala, CISSP, GIAC GSEC, and Open FAIR, heads security standards activities for a major IT industry standards group, where he has led the development of a number of IT security and risk industry standards. He is also a principal with Compliance Research Group, a risk and compliance consulting organisation. Jim is an active participant in the SANS Analyst/Expert programme. A frequent speaker at industry conferences, he has published numerous articles on information security, risk, and compliance topics in publications including the ISSA Journal, Risk Factor, Bank Accounting & Finance, SC Magazine, and Cutter IT Journal. A security industry veteran, he has held leadership roles at a number of security technology startups. He holds a B.S. in Marketing from Southern Illinois University.

About FireMon

FireMon is the industry leader in providing enterprises, governments and managed service providers with proactive security intelligence solutions that deliver deeper visibility and tighter control over their network security infrastructure. The FireMon Security Intelligence Platform, including Security Manager, Policy Planner and Risk Analyzer, enables customers to identify network risk, proactively prevent access to vulnerable assets, clean up firewall policies, automate compliance, strengthen security throughout the organisation, and reduce the cost of security operations. For more information, visit FireMon's website.

CONTACT FIREMON: 8400 W. 110th Street, Suite 400, Overland Park, KS, USA. Email: info@firemon.com
FireMon and the FireMon logo are registered trademarks of FireMon, LLC. All other product or company names mentioned herein are trademarks or registered trademarks of their respective owners. Copyright FireMon, LLC 2014 rev031914
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationProactive Security through Effective Management
Proactive Security through Effective Management COMPANY Overview There are fundamental flaws in the way enterprises manage their network security infrastructures. We created FireMon, an enterprise security
More informationFIREMON SECURITY MANAGER
FIREMON SECURITY MANAGER Regain control of firewalls with comprehensive firewall management The enterprise network is a complex machine. New network segments, new hosts and zero-day vulnerabilities are
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationAppendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
More informationTest du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.
Test du CISM Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais. 1. Which of the following would BEST ensure the success of information security governance within an organization?
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationKeyfort Cloud Services (KCS)
Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency
More informationSecurity Overview. BlackBerry Corporate Infrastructure
Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security
More informationMonetary Authority of Singapore TECHNOLOGY RISK MANAGEMENT GUIDELINES
Monetary Authority of Singapore TECHNOLOGY RISK MANAGEMENT GUIDELINES JUNE 2013 TABLE OF CONTENTS 1 INTRODUCTION... 4 2 APPLICABILITY OF THE GUIDELINES... 5 3 OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF
More informationEA-ISP-012-Network Management Policy
Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationCompany Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationGE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance
GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security
More informationIs Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting
Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationManaging internet security
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
More informationKeyLock Solutions Security and Privacy Protection Practices
KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationUsing Skybox Solutions to Ensure PCI Compliance. Achieve efficient and effective PCI compliance by automating many required controls and processes
Using Skybox Solutions to Ensure PCI Compliance Achieve efficient and effective PCI compliance by automating many required controls and processes WHITEPAPER Executive Summary The Payment Card Industry
More informationBalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance
GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance www.balabit.com In 2008, the Monetary Authority of Singapore (MAS),
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationGuide to Vulnerability Management for Small Companies
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
More informationSecurity solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.
Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationCompliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:
Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services
More informationHow To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
More informationIT Security. Securing Your Business Investments
Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationUnderstanding Sage CRM Cloud
Understanding Sage CRM Cloud Data centre and platform security whitepaper Document version 2016 Table of Contents 1.0 Introduction 3 2.0 Sage CRM Cloud Data centre Infrastructure 4 2.1 Site location 4
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More informationCloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More information