Certification for Information System Security Professional (CISSP)
The Art of Service
Copyright

Notice of rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Notice of Liability
The information in this book is distributed on an "As Is" basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.
TABLE OF CONTENTS

1 Introduction
  Introduction to CISSP
  Where did CISSP come from?
  What is CISSP?
  History of Information Security
  What is Information Security?
  Understanding the CIA Triad
    Confidentiality
    Integrity
    Availability
    Limitations to CIA Triad
  Why Certify for CISSP?
  Companies Using CISSP
2 Domain One: Information Security and Risk Management
  Expectations for CISSP
  Understanding Security Policies, Procedures, Standards, Guidelines and Baselines
  What are the Compliance Frameworks?
    COSO
    ITIL
    COBIT
    ISO / BS
  Changing Organizational Behavior
  Responsibilities of the Information Security Officer
  Creating an Enterprise Security Oversight Committee
  Why Security Awareness Training?
  Understanding Risk Management
3 Domain Two: Access Control
  Principles of Access Control
  Information Classification
  Creating a Data Classification Program
  Understanding Categories to Access Control
  Understanding Access Control Types
  Looking More at Administration Access Controls
  Understanding Change Control
  Understanding Business Continuity and Disaster Recovery
  Understanding the Performance Management, Configuration Management, Lifecycle Management and Network Management
  Understanding Vulnerability Management
  Understanding User Management
  Understanding Privilege Management
  Understanding Technical Controls
  Understanding Access Control Threats
  Employing Different Types of Identification
  Employing Different Types of Authentication
  Understanding Memory Cards and Smart Cards
  Using Biometrics
  Performing Audits
4 Domain Three: Cryptography
  History of Cryptography
  Methods of Cryptography
  Types of Ciphers
  Understanding Encryption Management
  Using Public Key Infrastructures (PKI)
  Identifying Attacks to Cryptography
5 Domain Four: Physical (Environment) Security
  Identifying Threats and Vulnerabilities to Physical Security
  Using the Layered Defence Model
  Implementing a Layered Defence Model
  Understanding Information Protection and Management
6 Domain Five: Security Architecture and Design
  Understanding Design Principles
  Hardware
  Software
  Security Models and Architecture Theory
  Security Product Evaluation Methods and Criteria
7 Domain Six: Business Continuity and Disaster Recovery Planning
  Concerns of Continuity Planning
  7.2 Project Initiation Phase
  Current State Assessment Phase
  Development Phase
  Implementation and Management Phases
8 Domain Seven: Telecommunications and Network Security
  Layer 1: Physical Layer
  Layer 2: Data-Link Layer
  Layer 3: Network Layer
  Layer 4: Transport Layer
  Layer 5: Session Layer
  Layers 6 & 7: Presentation and Application Layers
9 Domain Eight: Application Security
  Using Programming Effectively
  Protecting the Software Environment
  Enforcing Security Protection and Controls
  Identifying Malware
  Database Management System (DBMS) Architecture
10 Domain Nine: Operations Security
  Managing Threats to Operations
11 Domain Ten: Legal, Regulations, Compliance and Investigations
  Information Technology Laws and Regulations
  11.2 Understanding Computer Crimes, Privacy and Liability
References
1 Introduction

1.1 Introduction to CISSP

Today's businesses are faced with security threats which are becoming more complex. The use of mobile devices is becoming more widespread; the more mobile the populace, the harder it is to manage assets and the information on those assets. As a result, companies are increasingly concerned with the security surrounding those assets and information. In addition, the implementation of Sarbanes-Oxley in the U.S. has required focused attention on the security of financial information for companies. And finally, worldwide scrutiny of security across the board has increased due to global concerns. For these reasons, companies are placing more focus on their Information Technology (IT). The IT Governance Global Status Report 2008, compiled by the IT Governance Institute (ITGI), showed that 93 percent of corporate executives believed IT was somewhat to very important to their overall corporate strategy or vision. This was a 6 percent increase from ITGI's 2005 survey. IT, telecom, and financial service-based companies are much more concerned with IT than other business sectors, with 71% and 77% respectively. The bottom line: companies are putting more attention on their IT solutions. Security management, and the processes supporting security management, is one of the top concerns of this increasing attention.

Information Security Certifications are becoming more valuable for IT security professionals and companies concerned with IT. According to the 2008 (ISC)2 Global Information Security Workforce Study, compiled by (ISC)2, 78% of respondents involved in the hiring process claim certifications are either Very Important or Somewhat Important. This is a marked change from twenty, even ten years ago, when securing a network was a new discipline and not well understood. According to the 2008 survey, 15 different security certifications were available, which is in contrast to the 40 vendor-neutral and more than 25 vendor-specific certifications available in the marketplace. Of all these certifications, the Certification for Information System Security Professional (CISSP) has become highly recognized.

1.2 Where did CISSP come from?

The Certification for Information System Security Professional is administered by the International Information Systems Security Certification Consortium, (ISC)2. First available in 1989, the certification demonstrates the qualifications of information systems security practitioners.
The CISSP is accredited by the American National Standards Institute (ANSI). The ANSI has long coordinated a voluntary standardization system in the United States. It is a private, non-profit membership organization representing the interests of over 125,000 companies and 3.5 million professionals. The ANSI does not develop standards; rather, it facilitates the development of American National Standards (ANS). It also assists in ensuring that ANS complement the standards used internationally, allowing American products to be recognized and used in the global market. Accreditation means that the standard complies with the ANSI Essential Requirements, a set of requirements and procedures used by standard developers. These requirements focus on:
- Openness
- Lack of dominance
- Balance
- Coordination and harmonization
- Notification of standards development
- Consideration of views and objections
- Consensus vote
- Appeals
- Written procedures
- Compliance with normative American National Standards policies and procedures
The ANSI accredits CISSP to ISO/IEC Standard 17024:2003. The purpose of the standard is to serve organizations and entities wishing international recognition for certifying the competence of individuals through education, knowledge, skills, and experience. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Fully enacted in April 2003, 17024:2003 is considered a benchmark for organizations responsible for certifying personnel. In short, the CISSP has become a globally recognized standard of achievement for the Information Systems Security Professional. CISSP is the baseline for the U.S. National Security Agency's ISSEP (Information Systems Security Engineering Professional) program. The U.S. Department of Defence Directive requires every defence worker, military or civilian, with privileged access to a DoD system to obtain a certification credential, of which CISSP is fully accepted.

1.3 What is CISSP?

CISSP is a credential for persons working in the field of information security. It requires at least five years' experience in information security. A candidate takes an exam based on the CISSP Common Body of Knowledge (CBK), a common framework of information security terms and principles.
The CISSP CBK is based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity, and availability. It works with ten areas of interest, or domains. Those domains are:
- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

For the CISSP credential, professional experience must be in two or more of the domains listed above. Fortunately for those lacking the experience required for the certification, the certification administrator, (ISC)2, has a program for those who pass the exam, called Associate of (ISC)2. Each certification is valid for three years, and a professional must be recertified at the end of that period. In addition, a CISSP credential holder in good standing must also complete the minimum annual number of Continuing Professional Education credits (CPEs).
As information security continues to evolve, additional credentials have been developed beyond the foundational CISSP to meet the specific needs of the business. These credentials, called Concentrations, focus on key areas of information security:
- Architecture (ISSAP): appropriate for persons who develop, design, or analyze a business's overall security plan, such as Chief Security Architects and Analysts.
- Engineering (ISSEP): developed in conjunction with the U.S. National Security Agency, this Concentration serves as a guide for integrating security into all areas of operations.
- Management (ISSMP): provides deeper elements of managing security policies and procedures that support the overall goals of a business.

Each Concentration has its own CBK domains. Of course, additional experience must be proven, as well as the successful passing of the examination for each Concentration.

1.4 History of Information Security

Before moving forward, it would be wise to understand the discipline of information security, what it is and how it evolved. Since the invention of writing, messages from heads of state and military leaders have been intercepted or stolen, even forged. Julius Caesar used the Caesar cipher, one of the earliest known encryption techniques, to ensure that his messages did not fall into enemy hands. To ensure the authenticity of a message, persons of importance would use a wax seal with their family's crest on messages. Throughout the ages, different techniques were used to maintain the security of information. However, the professional field of information security started during World War II, when information, both physical and intellectual, needed protection. A formalized classification of data was introduced that described the sensitivity of the information and identified those individuals who had access to it. Background checks started to be conducted during WWII. The years after WWII, particularly the McCarthy era, showed governments' increased concern with the protection of intelligence: information concerning the workings, military build-ups, and technological advancements of governments and countries, both domestic and foreign. The Cold War struggle between the United States and the Soviet Union perpetuated the need for information security. But even then, the professionals dedicated to the tenets of this discipline were few. Not until the widespread emergence of the Internet did information security have such a strong presence in our society. With the rapid advancement of telecommunications and computers, smaller, more powerful equipment became less expensive and more widely available. Now the small business owner, the home owner, and the underage computer geek had access to information from every area of the world. Electronic data processing and electronic business are rapidly growing because of the Internet, along with more occurrences of global terrorism. As a result, information security is now an academic discipline designed to ensure the security and reliability of information. But information security is not just a concern for the business owner; it is a concern for everyone. The rise of ID theft has required more attention to the security of information on the individual as well. Currently every software package being released, specifically office productivity software, has to be concerned with providing features for securing information.

1.5 What is Information Security?

Information security is simply the methods used to protect information and information systems. Using the tenets of the CIA triad, information security is concerned with protecting data regardless of form: electronic, print, film, or any other form. Information is being collected everywhere by everyone. An individual is compiling information about themselves and others nearly every moment. And information such as credit ratings, police records, financial holdings, and trivial facts is being collected on every individual over time. As individuals connect, or are forced together, into a network such as a business, the amount of data being collected increases exponentially. Most of this information is being collected, processed, and stored electronically and transmitted across networks to other computers. Some information is so sensitive that unauthorized access to it could result in financial loss, loss of credibility, and legal problems. For businesses, protecting sensitive information is a requirement, in many cases an ethical or legal one. Several concerns are presented to the information security professional dealing with the protection of data. The foremost concern is ensuring appropriate access to data by authorized personnel, while restricting all or part of the information from unauthorized persons. While some information may not be confidential, disclosure of the information must still be regulated. How data is used, or even modified, has been a concern for information security professionals. The disruption of data transmissions from one computer to another, even one network to another, has become an increasing concern with the growth of the Internet. And finally, even the proper disposal or destruction of information, or prevention against destruction, is a concern for the information security professional.
1.6 Understanding the CIA Triad

Information security is based on three fundamental tenets, called the CIA triad. Those tenets are confidentiality, integrity, and availability. As a security model, the CIA triad has been used to identify possible problems in a system and discover appropriate solutions for information security.

Confidentiality

Whether the information is considered confidential, or a person would simply like it to be private, systems and processes must be put into place preventing unauthorized access and use. For this reason, one leg of the CIA triad model is confidentiality. The first step in this area is to provide an ability to identify a specific piece of data as confidential. Not all information is confidential, and not all information has the same level of confidentiality. Therefore, the simple task of identifying the level of privacy data should have can become a rather complex project. However, once the information has been appropriately declared confidential, the next step is to identify who has access to that information. File permissions, access control lists, and encryption methods are all means by which to control access to data. An information security professional is concerned with managing, monitoring, and verifying those means constantly, enforcing access based on policies given by management.

Integrity

One of the most important concerns in data control is the integrity of the data; that is, the ability of the data to be accurate, reliable, and available at any given time. In order to maintain a world-class business, it is a necessity to have a solid ability to modify the data available to the business, whether that data is customer and employee records, intellectual property, company policies and procedures, press releases, or the like. At the same time, it is important to ensure that the data isn't changed by unauthorized personnel. The CIA triad leg of integrity focuses on these concerns. Sarbanes-Oxley forced the business community into understanding the need for integrity within financial records, requiring financial transactions to be tracked in detail to understand exactly where money was coming from and where it was going. As businesses started adapting to those requirements, they also started recognizing the value this commitment to integrity had for other information groups used in the business. The concerns became apparent:
A) The slightest change in the most sensitive information could result in service disruptions or breaches in security.
B) Unapproved changes to policy information could pose concerns to customer relations and possible loss of business.
C) Possible deletion of information, through accident or malicious conduct, could render a business paralyzed in its ability to conduct business.

These are just a few examples of the important concerns for information security. The more popular techniques for managing the integrity of data are version control systems, backups, and file permissions.

Availability

When information is not available, it might as well be useless. This is the concern of the third leg of the CIA triad: availability. In this area, the information security professional is focused on creating and maintaining a computer architecture that allows for the greatest availability of the information housed on the system. One major concern is to protect the computer infrastructure from possible threats, such as malicious viruses, power outages, and failures in hardware. The second major concern is ensuring that components are maintained appropriately, providing the required health checks, and making upgrades to hardware and software as required. Approaches to maintaining availability include, but are not limited to, clustering, redundancy systems and capabilities
More informationInformation Systems Security Certificate Program
Information Technologies Programs Information Systems Security Certificate Program Accelerate Your Career extension.uci.edu/infosec University of California, Irvine Extension s professional certificate
More informationService Support 123 Success Secrets. Copyright by Jonathan Hammond
Service Support 123 Success Secrets Copyright by Jonathan Hammond Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical,
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationKey Performance Indicator 26 Success Secrets. Copyright by Benjamin Hodges
Key Performance Indicator 26 Success Secrets Copyright by Benjamin Hodges Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic,
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationCyber Security solutions
Cyber Security solutions The scenario IT security has become a highly critical issue for all businesses as a result of the growing pervasiveness and diffusion of ICT technology. Risks can arise both inside
More informationhave adequate policies and practices for secure data disposal have not established a formal 22% risk management program
do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the
More informationWHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
More informationFull-Speed Ahead: The Demand for Security Certification by James R. Wade
Full-Speed Ahead: The Demand for Security Certification by James R. Wade It s no secret that technology is creating a more connected world every day. But as new technologies are released and adopted, the
More informationCertified Information Security Manager
Certified Information Security Manager Secrets To Acing The Exam and Successful Finding And Landing Your Next Certified Information Security Manager Certified Job 1 2 Write a review to receive any FREE
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationService Oriented Architecture 68 Success Secrets. Copyright by Irene Gray
Service Oriented Architecture 68 Success Secrets Copyright by Irene Gray Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic,
More informationLINUX / INFORMATION SECURITY
LINUX / INFORMATION SECURITY CERTIFICATE IN LINUX SYSTEM ADMINISTRATION The Linux open source operating system offers a wide range of graphical and command line tools that can be used to implement a high-performance,
More informationC ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY
CSCSS / ENTERPRISE TECHNOLOGY + SECURITY C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CENTRE FOR STRATEGIC CSCSS CYBERSPACE + SECURITY SCIENCE CSCSS / ENTERPRISE TECHNOLOGY + SECURITY GROUP Information
More informationCANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD
CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD 2013 CANADIAN PAYMENTS ASSOCIATION 2013 ASSOCIATION CANADIENNE DES PAIEMENTS This Rule is copyrighted
More informationState of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO
Policy: Information Security Audit Program Issued by the CTO Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 1 of 12 1.0 PURPOSE The West Virginia Office of Technology (WVOT) will maintain an
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationDisaster Recovery 100 Success Secrets
Disaster Recovery 100 Success Secrets Disaster Recovery 100 Success Secrets - IT Business Continuity, Disaster Recovery planning and Services Gerard Blokdijk Disaster Recovery 100 Success Secrets Copyright
More informationGetting and Finding Computer Network, Systems, and Database Administrators Jobs. The Ultimate Guide for Job Seekers and Recruiters
Getting and Finding Computer Network, Systems, and Database The Ultimate Guide for Job Seekers and Recruiters Copyright Notice of Rights All rights reserved. No part of this book may be reproduced or transmitted
More informationOffice of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
More informationFundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals
Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
More informationWCA WEBINAR SERIES: The Case for Cyber Security Training
WCA WEBINAR SERIES: The Case for Cyber Security Training PLEASE NOTE: IN ORDER TO HEAR THE AUDIO FOR THIS WEBCAST YOU WILL NEED TO USE YOUR TELEPHONE TO DIAL INTO THE FOLLOWING CONFERENCE LINE: Conference
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationThe Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency
logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011
More informationHow To Improve Security Awareness In Organizations
This story appeared on Information Management Journal at http://www.entrepreneur.com/tradejournals/article/print/189486076.html Nov-Dec, 2008 How to create a security culture in your organization: a recent
More informationInformation Systems Security Engineering Professional (ISSEP)
Information Systems Security Engineering Professional (ISSEP) 1 Presentation Outline What is ISSE Why ISSEP Development of the ISSEP Concentration Content Certification Specifics 2 Systems Security Engineering
More informationExecutive Management of Information Security
WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationDelphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11
Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationEnsuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
More informationThe Second National HIPAA Summit
HIPAA Security Regulations: Documentation and Procedures The Second National HIPAA Summit Healthcare Computing Strategies, Inc. John Parmigiani Practice Director, Compliance Programs Tom Walsh, CISSP Practice
More informationHP Security Solutions for Microsoft
HP Security Solutions for the Microsoft Environment Achieving a secure adaptive enterprise How secure is your Microsoft environment? Enterprise boundaries are expanding, creating the need for faster, easier
More informationChapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World
Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly
More informationEnsuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
More informationPoint of sale 22 Success Secrets - 22 Most Asked Questions On Point of sale - What You Need To Know. Copyright by Henry Alford
Point of sale 22 Success Secrets - 22 Most Asked Questions On Point of sale - What You Need To Know Copyright by Henry Alford Notice of rights All rights reserved. No part of this book may be reproduced
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More information(ISC) 2 2012 Career Impact Survey Executive Summary. The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow
(ISC) 2 2012 Career Impact Survey Executive Summary The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow Skilled security professionals enjoy job stability and mobility,
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationHIPAA DATA SECURITY & PRIVACY COMPLIANCE
HIPAA DATA SECURITY & PRIVACY COMPLIANCE This paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification. Learn
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More information