USC Data Security Requirements (Standards) Guidelines for Compliance Revised 05-Jan-2015
- Barbara Robertson
- 8 years ago
The purpose of these Guidelines is to assist in the interpretation of USC Data Security Requirements, and in the implementation of compliant controls and practices. In the original document the standards are shown in black and the guidelines for compliance in blue; in this text transcription each standard is listed as a bulleted item, and the guideline for it follows as a plain paragraph. Bracketed tags ([i], [p]) and the numbers after them are the source control references carried over from the original document.

Section 1 System Management

1.1 Define ownership and appropriate use

Awareness of your inventory of assets is a critical first step in assessing your information security risk. Without a clear understanding of the assets which are at risk there can be no clear understanding of the amount of risk.

- [i]7.1.1 Assets documented: application software used for University data
- [i]7.1.1 Assets documented: university data identified by sensitivity and authoritative Data Steward
- [i]7.1.1 Assets documented: computer equipment

The purpose of asset documentation is to ensure that knowledge is shared by more than one person. In the event of staff absence or turnover, this knowledge must still be available. Any method of documentation that accomplishes this purpose is acceptable.

- [i]7.1.2 Ownership and responsibility for assets are documented and periodically reviewed
- [p] Personnel with access to assets are documented

Ownership, responsibility, and access should in most cases be documented by employee role or other classification, rather than by individual name, e.g. "Owner: department IT manager" or "End-user access granted to all employees with HR-related job duties".

- [p] Devices are labeled to indicate owner, contact info, and purpose

The purpose of labeling is to facilitate identification of devices for those who do not routinely use them. Any method which achieves this result is acceptable.

- [i]7.1.1 Assets documented: computing and communication services

Computing and communication services refers to data and communication service providers and related equipment.

- Mechanisms to assist in the tracking and discovery of sensitive data on the system are implemented

See UISO Data Loss Prevention Procedure.

Page 1 of 13
1.2 Information backup

- [i] Backup copies of information and software are made

Backups are important primarily to business continuity. As such, absence of backups is not assessed as a risk to data exposure, and is therefore of LOW weight in regard to granting of data access.

- [i] Backup copies of sensitive data are securely encrypted

Where backups are made, encryption is critical for backups containing sensitive data (Limited Access or Restricted data elements; see the Data Access Requirements document on the Information Security Program website). Unencrypted backups of sensitive data are assessed as HIGH risk in regard to granting data access.

- [i] Backup plan includes: define level of backup information, keep accurate records of backups made, plan granularity (full/differential, frequency), keep backup media off site, protect backup media, test backup media, test restore procedures
- [p]9.5 Observe offsite storage facility to verify security and confirm annual review

1.3 Logging

- System time is accurately synchronized (e.g. with NTP)
- Security relevant events are logged: user activity, critical system changes, critical data changes
- Daily review of logs by manual or automated means
- Keep logs for at least 3 months

Logs with accurate timestamps are important for investigation of security incidents. A lack of accurate logs may lead to a liability for notification in cases where the extent of information disclosure (breach) cannot be determined. For most Linux systems, security-relevant events are logged by default. In most Windows platforms security event logging must be enabled by an administrative user.

- Keep logs for at least 12 months
- Real-time log review

Free tools such as OSSEC are available for automated real-time log review.

- [p]10.1 Establish process to link access to user id
- [p] Establish audit trail for all actions of admin users
- [p] Log creation and deletion of system objects
- [p]10.3 Record these data for each event logged (where relevant): user id, event type, date and time, success/failure, origination, identity of affected items
- [p]10.7 Retain audit trails for at least 12 months

For the logging standards in this section, ideally any security-relevant action taken at the OS, service, or application level should be logged with enough information to trace the action back to the user and/or location (IP address or console) from which it was performed.
1.4 Password Management

- [i] Passwords must be stored encrypted or hashed
- [i] Vendor default passwords are changed as soon as practical
- [i] User identity is verified prior to processing password set/reset
- [i] Users sign statement of password confidentiality
- [i] Users required to follow good security practices in selecting and using passwords
- [i] Any passwords provided to users must be complex and unique, must be communicated to user securely, and must be changed by user on first login

Safekeeping of user password data is critical because loss of credentials is one of the most frequent causes of information security incidents. Hashed storage should use a salted password-hashing function designed to be slow (e.g. bcrypt, scrypt, PBKDF2) rather than a plain MD5 or SHA-1 digest, which can be brute-forced quickly if the password store is stolen. Managing accounts using USC enterprise identity management services will satisfy these requirements.

- [p]2.1 Change vendor default identifiers, such as SNMP community string, SSID, encryption keys

1.5 OS Secure Authentication

This section of standards refers to administrator logins.

- [i] OS login process includes: no display of password during entry, no cleartext transmission of password
- [p] Logging of OS authentication success/failure
- [p]8.5.13,14 Lock out account after at most 6 consecutive unsuccessful login attempts; lock out for at least 30 minutes

For 1.5.3, logins performed using USC enterprise authentication services will satisfy this requirement.

- [i] OS login process includes: no display of system/application identifiers until logon successful, displays a warning about unauthorized access, no help messages during logon, validate credentials only after all inputs are received, display previous logon upon successful logon
- [i] Inactive session timeout
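As an added example (not code from the USC document or from UISO), the following Python shows the two mechanical parts of 1.3 and 1.5 working together: an audit event that carries the fields listed under [p]10.3, written one JSON object per line so a review tool can parse it, and a lockout policy implementing [p]8.5.13,14 (lock on the 6th consecutive failure, refuse logins for 30 minutes, and do not let a correct password during the window unlock the account early). The JSON-lines format, the class and function names, and the sample events are assumptions of this example.

```python
"""Added example, not part of the USC document: an audit event carrying the
fields listed under [p]10.3, and the lockout rule of [p]8.5.13,14 (at most 6
consecutive failures, locked for at least 30 minutes). The JSON-lines format,
class and function names, and the sample events are assumptions."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

MAX_FAILURES = 6                   # lock on the 6th consecutive failure
LOCKOUT = timedelta(minutes=30)    # minimum lockout duration


@dataclass
class AuditEvent:
    user_id: str
    event_type: str     # e.g. "login"
    timestamp: str      # ISO 8601 with UTC offset, from an NTP-synchronized clock
    success: bool
    origination: str    # source IP address or "console"
    affected: str       # identity of the affected item (account, file, ...)

    def to_line(self) -> str:
        # One JSON object per line, so a review tool can parse the log.
        return json.dumps(asdict(self), sort_keys=True)

    @classmethod
    def from_line(cls, line: str) -> "AuditEvent":
        return cls(**json.loads(line))


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


class LockoutPolicy:
    """Per-account consecutive-failure counter with a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}       # user_id -> consecutive failures so far
        self.locked_until = {}   # user_id -> datetime at which the lockout ends

    def is_locked(self, user_id: str, now_iso: str) -> bool:
        until = self.locked_until.get(user_id)
        return until is not None and _parse(now_iso) < until

    def record(self, event: AuditEvent) -> bool:
        """Apply one event. Returns True if the account is locked after it."""
        if event.event_type != "login":
            return self.is_locked(event.user_id, event.timestamp)
        if self.is_locked(event.user_id, event.timestamp):
            # Attempts during the lockout are refused; a correct password
            # inside the window must not unlock the account early.
            return True
        if event.success:
            self.failures.pop(event.user_id, None)
            self.locked_until.pop(event.user_id, None)
            return False
        count = self.failures.get(event.user_id, 0) + 1
        if count >= self.max_failures:
            self.locked_until[event.user_id] = _parse(event.timestamp) + self.lockout
            self.failures.pop(event.user_id, None)   # counter restarts after the lockout
            return True
        self.failures[event.user_id] = count
        return False


def replay(lines) -> list:
    """Feed JSON log lines to a fresh policy; return (user, time, locked) per event."""
    policy = LockoutPolicy()
    history = []
    for line in lines:
        ev = AuditEvent.from_line(line)
        history.append((ev.user_id, ev.timestamp, policy.record(ev)))
    return history


# Constructed sample log (not real data): six failures for jsmith within a few
# seconds, a correct password 10 minutes later (still locked), another one 31
# minutes after the first failure (accepted), and a single failure for adoe.
SAMPLE_LOG = [
    AuditEvent("jsmith", "login", "2015-01-05T09:00:%02d+00:00" % i,
               False, "203.0.113.7", "account:jsmith").to_line()
    for i in range(6)
] + [
    AuditEvent("jsmith", "login", "2015-01-05T09:10:00+00:00",
               True, "203.0.113.7", "account:jsmith").to_line(),
    AuditEvent("jsmith", "login", "2015-01-05T09:31:00+00:00",
               True, "203.0.113.7", "account:jsmith").to_line(),
    AuditEvent("adoe", "login", "2015-01-05T09:00:00+00:00",
               False, "console", "account:adoe").to_line(),
]

if __name__ == "__main__":
    for user, when, locked in replay(SAMPLE_LOG):
        print(user, when, "LOCKED" if locked else "ok")
```

Because the lockout end is computed from the event's own timestamp rather than the wall clock, the same code can be replayed over archived logs during an investigation; that only works if the clocks that stamped the events were synchronized, which is why the NTP standard comes first in 1.3.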
1.6 System Security

- OS and application security patches installed as soon as practical

Applications and services must be patched promptly, because unpatched application vulnerabilities are the most common avenue of system compromise.

- [p]6.3.1 Development stage data and accounts removed before production stage
- [p]2.2.3 Configure system security parameters to prevent misuse

OS services and policies must be configured in consultation with authoritative standards, such as those published by the Center for Internet Security (cisecurity.org).

- [i] Software installation controls include: updates performed only by trained administrators with management authorization, rollback strategy, audit log of code changes
- [i] Software installation controls include: OS limited to approved services, applications thoroughly tested, configuration control system, retain previous versions of applications for all archived data versions
- Limit scope of trust relationships between systems
- [i] Test data is selected carefully, protected, and controlled; avoid use of production data
- [p]2.2.4 Remove unnecessary services

1.7 Vulnerability Management

- [i]12.6 Vulnerability management: establish resources to identify vulnerabilities, identify risks to organization for discovered vulnerabilities, address vulnerabilities according to plan
- [i]12.6 Vulnerability management: establish roles for vulnerability management, establish timeline to respond to vulnerabilities, evaluate impact of vulnerability remediation before implementing, test remediation method before installing in production
- [p]11.2 Scan for vulnerabilities quarterly and after significant changes

As under 1.6, applications and services must be patched promptly, because unpatched application vulnerabilities are the most common avenue of system compromise.

- [p]11.3 Perform penetration testing yearly and after significant changes
1.8 Malicious Code Protections

- [i] Malicious code protections: policy prohibiting use of unauthorized software, periodic review of installed software, installation of anti-malware software, establish procedure for responding to malware detection

Software should not be installed without approval of appropriate IT staff. If malware is detected on systems that contain or process Restricted Data (see the Data Access Requirements document on the Information Security Program website), contact the University Information Security Office before taking any countermeasures.

- [i] Malicious code protections: policy restricting software sources, establish contingency plans for losses due to malware infection, maintain awareness of malware threats
- [p]5.2 Monitor correct function of anti-malware software, and log its activity

1.9 Data Validation

This section of standards applies only to software development and testing.

- [i] Input data validation: evaluate inputs for value range, valid characters, completeness, data length/volume limits
- [p]6.5 Design/test applications: avoid injection flaws, buffer overflow, directory traversal
- [p]6.5 Design/test applications: avoid insecure cryptographic storage, insecure communications, data leakage via error messages, cross site scripting and forgery, unsecured URL access
- [i] Input data validation: establish procedures for responding to validation errors, establish procedures to test plausibility of input data, define responsibilities of personnel involved in data entry, log all data entry
- [i] Output data validation: reconciliation controls, provide sufficient data to allow reader to verify accuracy
- [i] Input data validation: periodic review of data, inspecting hardcopy for unauthorized changes
- [i] Output data validation: includes test plausibility of output data values, establish procedures for responding to validation errors, define responsibilities of personnel involved in data output, log data output validation
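The following Python is an added example, not code from the USC document: it shows input validation of the kind 1.9 describes (valid characters, length limits, value range) next to two of the [p]6.5 flaws in their vulnerable and hardened forms, an injectable string-built SQL query versus a bound-parameter query, and a user-supplied file name resolved under a fixed directory with a traversal check. The grades schema, the field rules, the report directory and the sample inputs are all constructed for this example.

```python
"""Added example, not part of the USC document: input validation per 1.9 and
the injection / directory-traversal items of [p]6.5, vulnerable beside
hardened. Schema, field rules, base directory and sample data are assumed."""
import re
import sqlite3
from pathlib import Path

# Field rules of the kind 1.9 asks for: allowed characters, length, value range.
STUDENT_ID = re.compile(r"[0-9]{7,10}")                  # digits only, 7-10 long
NAME = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")          # letters, space, ' and -
TERM_RANGE = (2000, 2100)                                  # plausible academic year


def validate_record(rec: dict) -> list:
    """Return the validation errors for one record (empty list = acceptable)."""
    errors = []
    if not STUDENT_ID.fullmatch(str(rec.get("student_id", ""))):
        errors.append("student_id: must be 7-10 digits")
    name = rec.get("name", "")
    if not isinstance(name, str) or not NAME.fullmatch(name):
        errors.append("name: letters, spaces, apostrophes or hyphens, max 64 chars")
    try:
        year = int(rec.get("term_year"))
    except (TypeError, ValueError):
        year = None
    if year is None or not TERM_RANGE[0] <= year <= TERM_RANGE[1]:
        errors.append("term_year: must be an integer between %d and %d" % TERM_RANGE)
    return errors


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades (student_id TEXT, name TEXT, grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)",
                   [("1234567", "Ana Ruiz", "A"), ("7654321", "Bo Chen", "B")])
    return db


def lookup_vulnerable(db, student_id: str) -> list:
    # Vulnerable: the untrusted value is pasted into the SQL text, so an input
    # such as  x' OR '1'='1  changes the query's structure and returns every row.
    sql = "SELECT name, grade FROM grades WHERE student_id = '%s'" % student_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, student_id: str) -> list:
    # Hardened: reject anything outside the field rule, then bind the value as
    # a parameter so the driver never interprets it as SQL.
    if not STUDENT_ID.fullmatch(student_id):
        raise ValueError("student_id failed validation")
    return db.execute("SELECT name, grade FROM grades WHERE student_id = ?",
                      (student_id,)).fetchall()


BASE_DIR = Path("/srv/reports")   # assumed document root for the traversal check


def safe_report_path(user_supplied: str) -> Path:
    """Resolve a user-supplied file name under BASE_DIR, rejecting traversal."""
    candidate = (BASE_DIR / user_supplied).resolve()
    # resolve() normalizes '..' segments even for paths that do not exist yet;
    # the check is that the normalized result still lies under BASE_DIR.
    if BASE_DIR.resolve() not in candidate.parents:
        raise ValueError("path escapes the report directory")
    return candidate


if __name__ == "__main__":
    db = demo_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))      # leaks both rows
    print(lookup_hardened(db, "1234567"))              # [('Ana Ruiz', 'A')]
    print(validate_record({"student_id": "12", "name": "A<b>", "term_year": 1900}))
```

Note that the hardened lookup both validates and binds: validation alone would not protect a query whose value legitimately contains quotes (a name field, say), and binding alone would still accept a 500-character "student id" that the application should have refused at the edge.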
1.10 Encryption

- [p]8.4 Passwords are encrypted during transmission or storage

Safekeeping of user password data is critical because loss of credentials is one of the most frequent causes of information security incidents. Managing accounts using USC enterprise identity management services will satisfy these requirements.

- [p]2.3 Encrypt all administrative access

Administrative access must only be conducted across an encrypted connection (e.g. HTTPS, SSH, encrypted RDP).

- [p]4.1 Data are encrypted over public networks

"Public networks" refers to any network beyond university control.

- [i] Data is encrypted in motion

"In motion" refers to any network connection.

- Mechanism to render unsecured sensitive information unusable, unreadable, or indecipherable to unauthorized individuals

This refers to encryption of data at rest and in transit.

Production Controls

- [i]6.2.2 Prior to customer access, these controls are addressed: asset protection, product or service is well described, requirements and benefits for customers, access control policy, procedures for reporting and investigation of inaccuracies and breaches, descriptions of all services, target level of service, disclose right to monitor, disclose liabilities of organization and customer, disclose legal responsibilities, disclose intellectual property rights

Production controls are important primarily to business continuity. As such, absence of these controls (except those that are also mentioned elsewhere in this document) is not assessed as a risk to data exposure, and is therefore of LOW weight in regard to granting of data access.

Security Incident Reporting

- [p]12.9 Establish incident response plan including roles, response procedures, recovery/contingency procedures, data backup/recovery processes, document legal reporting requirements
- [i] Security incidents reported through appropriate command channels, including suitable feedback mechanisms to satisfy those reporting incidents and an incident reporting form to ensure uniform and complete collection of details
- [p] Document incident response procedures

The university's incident response procedure is documented on the Information Security Program website. Each business unit must understand its role in the procedure in case of its involvement in a security incident.
Section 2 Policy and Documentation

2.1 Third Party Access

3P access (third party access) refers to any access to university data by an external contractor or other entity, either by accessing data contained in a university system or by receiving a copy of university data.

- [i]6.2.1 Evaluate 3P access requirements: enumerate types of access and assess the sensitivity of data to be accessed
- [i]6.2.3 Terms included in 3P agreements: controls for asset protection, responsibilities regarding hardware and software, access controls, incident reporting process, establish process for problem resolution
- [i]6.2.3 Terms included in 3P agreements: information security policy, training in security issues, awareness of information security responsibilities, provision for transfer of personnel, clear reporting structure and reporting formats, clear process of change management, description of product or service to be provided, target level of service, definition of performance criteria, disclose right to monitor, disclose right to audit, service continuity requirements, liabilities of parties, legal responsibilities, intellectual property rights, involvement with subcontractors, conditions of renegotiation or termination
- [i]6.2.1 Evaluate 3P access requirements: enumerate facilities a 3P is required to access, enumerate 3P personnel, document controls for secure storage and exchange of data with 3P
- [i]6.2.1 Evaluate 3P access requirements: document controls to limit access, document how 3P personnel identity can be verified, assess impact of loss of access by 3P, establish procedures for incident response involving 3P, document legal requirements regarding 3P, document impact to stakeholders for use of 3P

2.2 Operational Procedure

- [i] Document operating procedures: processing and handling of information, backup, scheduling and interdependency, handling of errors and exceptions, support contracts, special output and media handling, restart and recovery procedures, management of audit trail and logging
- [p]12.2 Document daily operational security procedures

For the standards in 2.2, these controls are important primarily to business continuity. As such, absence of these controls (except those that are also mentioned elsewhere in this document) is not assessed as a risk to data exposure, and is therefore of LOW weight in regard to granting of data access.
2.3 Access Control Policy

- [i] Access control policy: enumerate all data and risks
- [p]8.2 In addition to unique id, require at least one factor of authentication, e.g. password, hardware token, biometric

Use of username and password for authentication satisfies item 2.3.2, as does username plus key-pair authentication.

- [p]8.5.1 Control and audit creation, modification, and deletion of user credentials
- [p] Require passwords to contain at least 7 characters
- [p] Require passwords to contain alphabetic and numeric characters

Complex passwords are important to reduce the risk of password guessing or cracking. Complexity requirements should be enforced through automated means. Requiring punctuation as an alternative to one of the character types described above is acceptable. Managing accounts using USC enterprise identity management services will satisfy these requirements.

- [i] Access control policy: security requirements of individual applications, data classifications and policies for dissemination consistent across all systems, document legal requirements for data, document user profiles by role, document management of access rights, segregate access control roles, require formal authorization of access requests, periodic review of access controls, proper and timely removal of access rights
- [p]7.1 Limit access rights to least necessary
- [p]7.2 Establish access controls for system components
- Multifactor authentication mechanism to substantiate the claimed identity of a user

Multifactor authentication requires a 2-step verification process prior to granting access, using two different factor types from those listed under 2.3.2 (something the user knows, has, or is); two passwords, or a password plus a security question, are the same factor type and do not qualify.

2.4 Regulatory Compliance

- [i] Identify requirements of all applicable laws, contracts, and other regulation, e.g. FERPA, HIPAA, GLBA, PCI DSS
- [i] Managers ensure compliance with all applicable security policies

Managers must ensure that all employees are aware of security policies, and agree to follow them.
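As an added example (not code from the USC document or from its enterprise identity service), the following Python enforces the complexity rule of 2.3 automatically, as the guideline asks (at least 7 characters, alphabetic and numeric, with punctuation accepted in place of one of those two classes), and stores the result the way 1.4 and [p]8.4 require: salted, hashed with a deliberately slow function, and verified with a constant-time compare. It uses PBKDF2-HMAC-SHA256 from the standard library so it runs anywhere; the iteration count, salt length, record format and sample passwords are assumptions of this example.

```python
"""Added example, not part of the USC document: the 2.3 password complexity
rule enforced in code, and salted slow-hash storage per 1.4 / [p]8.4. The
PBKDF2 round count, salt size, record layout and samples are assumptions."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7
PBKDF2_ROUNDS = 600_000   # assumed; tune so one hash takes ~100 ms on the auth host
SALT_BYTES = 16


def policy_errors(password: str) -> list:
    """Return the 2.3 complexity rules the password fails (empty = acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    # Alphabetic and numeric are both required, but punctuation may stand in
    # for whichever ONE of them is missing; it cannot replace both.
    missing = [name for name, ok in (("alphabetic", has_alpha),
                                     ("numeric", has_digit)) if not ok]
    if len(missing) == 2 or (len(missing) == 1 and not has_punct):
        errors.append("needs alphabetic and numeric characters "
                      "(or punctuation in place of one)")
    return errors


def hash_password(password: str, salt: bytes = None) -> str:
    """Enforce the policy, then return a self-describing record:
    pbkdf2_sha256$rounds$salt_hex$digest_hex (never the password itself)."""
    problems = policy_errors(password)
    if problems:
        raise ValueError("password does not meet policy: " + "; ".join(problems))
    salt = salt or os.urandom(SALT_BYTES)     # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Trojan2015", "trojans", "trojans!", "ab1"):
        print(candidate, policy_errors(candidate) or "ok")
    rec = hash_password("Trojan2015")
    print(rec)
    print(verify_password("Trojan2015", rec), verify_password("trojan2015", rec))
```

Storing the round count inside the record is what lets the cost be raised later without invalidating existing accounts: old records keep verifying with their recorded value, and users get a new record at their next password change.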
2.5 User Registration and Deregistration

- [i] User registration: unique user id, verify access authorization with system owner, give user written statement of access rights, immediate removal or blocking of access when job duties no longer require it, periodic audit of user ids and access rights
- [p]7.1.3 Formal documented approval of user access and level of privileges by appropriate system manager
- [i] User registration: level of access matches business needs, user signs statement of access conditions, ensure authorization process is complete before access is granted, formal record of all registered users

Access to university systems must be approved by Data Stewards, either individually (e.g. user John Smith) or by blanket authorization (e.g. all students, all supervisors, all employees in department X, etc.).
2.6 Support Processes

- [i] Change control procedures: record of agreed change authorization levels, ensure changes are submitted by authorized users, identify all components that require change, maintain version control for software updates, ensure change timing has minimal impact on business
- [i] Change control procedures: review controls to ensure integrity is not compromised by change, obtain formal approval before change is made, ensure authorized users accept change prior to implementation, ensure system documentation is updated, audit trail of all change requests
- [i] Technical review for system changes: review application integrity controls, ensure timing of change will allow for testing
- [i] Technical review for system changes: verify vendor support plans will continue, ensure business continuity plans are updated
- [p]6.4 Change control includes: separate development/test and production environments, separation of duties for dev/test and production, production data not used for dev/test, test data removed before production

For the standards in 2.6 (through 2.6.5), these controls are important primarily to business continuity. As such, absence of these controls (except those that are also mentioned elsewhere in this document) is not assessed as a risk to data exposure, and is therefore of LOW weight in regard to granting of data access.
2.7 Information Exchange

- [p]9.7.2 For physical shipment of data, courier has established tracking methods
- [i] Information exchange policies: procedures designed to prevent interception, copying, modification, misrouting, or destruction; procedures for detection and protection from malicious code; policy outlining acceptable use; procedures outlining secure usage of wireless technology; retention and disposal guidelines for correspondence
- [i] Information exchange policies: procedures for protecting sensitive data attachments; statement of employee/contractor responsibilities; encryption where appropriate; prompt retrieval of sensitive data from shared printers; restrictions on forwarding of ; caution personnel about protection from eavesdropping; caution personnel about leaving voice messages with sensitive information; cautions about usage of fax; cautions about giving demographic data to vendors
- [i] Establish exchange agreements with external parties, to include responsibilities for coordinating exchange, procedures for exchange notification, procedures to ensure auditability, minimum standards for packaging and transmission, escrow agreements, courier identification, responsibilities and liabilities in case of incidents, agreed labeling for sensitive/critical data, responsibilities for data protection, copyright, and licensing, standards for recording/reading software, special controls for sensitive data
- [i] Physical media in transit: reliable courier, list of authorized couriers, procedure to check courier id, packaging to physically protect contents, protection of sensitive data
Section 3 Unauthorized Access Prevention

3.1 Physical Controls

- [i]9.1.1 Locked cabinet or room

To qualify for control 3.1.1, the guidelines in the Physical Security Guidelines document in the Information Security Program must be followed.

- 3.1.1cc Alternative for requirement 3.1.1: if data are encrypted at rest, and decryption keys are securely managed, these provisions may serve as a compensating control for lack of compliance with requirement 3.1.1

To qualify for compensating control 3.1.1cc, the guidelines in the Whole Disk Encryption Guidelines document in the Information Security Program must be followed.

- [p]9.1.2 Restrict physical access to network jacks
- [p]9.1.3 Restrict physical access to wireless hardware
- [p]9.1.1 Video camera or other auditable access record

3.2 Sanitization of Equipment

- [i]9.2.6 Storage media securely erased or destroyed prior to disposal

Secure erasure must accomplish at least one full pass of overwriting with zero or random data. Note that on SSDs and other flash media a software overwrite does not reliably reach every cell, because the drive's wear leveling and spare capacity keep copies the host cannot address; for such media use the drive's built-in secure-erase or cryptographic-erase command, or physically destroy the device.

- [p] Shred or incinerate hardcopy of data

Shredding must be crosscut. If a shredding service is contracted, it must be through a certified contractor, using locked shred bins.

3.3 Protection of Media

- [i] Management of removable media: prior to disposal, removable media are securely erased or destroyed
- [p]9.6 Physically secure hardcopy of data

Hardcopy of sensitive data must never be placed where it is visible to those who are not authorized to see it.

- [i] Management of removable media includes: removable media are securely erased or destroyed, authorization required for removal of media from premises, media stored in physically secured location, consider expected lifetime of media when designing retention plan, maintain records of removable media, removable media drives only enabled if needed
- [p]9.9.1 Conduct annual physical audit of removable media
3.4 Mobile Security

- [i] Establish formal policy for information security as regards mobile computing

Employees must understand their responsibilities for data security when accessing university systems or data via mobile devices.

- [i] Establish formal policy for working from remote locations, including physical security of remote site, communications security requirements, consider risk of unauthorized physical access, establish policy on use of privately owned equipment, require anti-malware and firewall

Employees must understand their responsibilities for data security when accessing university systems or data from remote locations.

Section 4 Networking

4.1 Network Management Controls

- [i] Require authentication for remote access

Authentication by VPN qualifies for control 4.1.1, as will authenticated connections via HTTPS, SSH, or encrypted RDP.

- [i] Segregate network segments by services, users, or system function

Ideally network segments should be separated using VLANs or router ACLs.

4.2 Restriction of Network Access

- [i] Restrict access to network segments based on business need

A system containing sensitive data must not be placed on a subnet that permits connection of non-employee devices, unless that system is protected by a firewall or other method that blocks all but the necessary inbound connections.
4.3 Isolation of Services and Data

- [i] Sensitive systems use isolated resources
- [p]2.2.1 Servers are dedicated to single services (e.g. web server, db server)

For the standards in 4.3, the most important issue is that any server handling sensitive data must not be used for high-risk services such as public information websites (or content management systems), file shares, , FTP, or similar. The isolation requirement may be satisfied by using separate physical or virtual servers.

- University data stored, received, or processed by this system is not shared with any other system unless that system also undergoes a security assessment and receives Data Steward approval

Data Stewards grant permission only for a specific usage of university data on a specific system. If a different usage of the data is desired, that new usage must be requested. If that usage involves a different computer, that computer must undergo a separate security assessment.

4.4 Network Security

- [p]11.4 Use intrusion detection/prevention systems

Systems located on the Columbia campus are in most cases monitored by the UISO's network intrusion detection system, which meets this requirement. Qualifying host-based protection may be available with some free products such as OSSEC.

- [i] Network management: establish controls to secure sensitive data traffic, log activity as necessary to record security relevant events

For systems on the Columbia campus, UISO's network logging facilities meet this requirement. In other locations, firewall logs and network flow logs may be used to meet this requirement.

- [i] Network management: network management responsibilities separated from computer management, establish responsibilities for management of remote equipment, ensure network is configured to perform optimally and consistently

Network administrators must understand network security issues and be able to effectively implement measures to reduce the risk of such threats as rogue routers, open wireless, and malicious ARP and DHCP activity. Any network management plan that addresses these needs will meet this requirement.

- [p]1.1.6 Review firewall and router rule sets every 6 months
- [p]6.6 Review public-facing web interfaces at least annually, to find vulnerabilities
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationPCI DSS Compliance the Rocky Road. Colin Dixon Head of Risk and Compliance
PCI DSS Compliance the Rocky Road Colin Dixon Head of Risk and Compliance Planning is everything If you don't know where you're going, you'll wind up somewhere else Yogi Berra 2 Agenda Approaches to the
More informationPCI DSS requirements solution mapping
PCI DSS requirements solution mapping The main reason for developing our PCI GRC (Governance, Risk and Compliance) tool is to provide a central repository and baseline for reporting PCI compliance across
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationChapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents
Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information
More information1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationThis policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
- 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More information1B1 SECURITY RESPONSIBILITY
(ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationCOLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
More informationTEXAS AGRILIFE SERVER MANAGEMENT PROGRAM
TEXAS AGILIFE SEVE MANAGEMENT POGAM Policy Compliancy Checklist July2012 The server management responsibilities described within are required to be performed per University, Agency or State policy. Each
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationGeorgia Institute of Technology Data Protection Safeguards Version: 2.0
Data Protection Safeguards Page 1 Georgia Institute of Technology Data Protection Safeguards Version: 2.0 Purpose: The purpose of the Data Protection Safeguards is to provide guidelines for the appropriate
More informationPA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing
for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks
More informationINFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationISO 27001 PCI DSS 2.0 Title Number Requirement
ISO 27001 PCI DSS 2.0 Title Number Requirement 4 Information security management system 4.1 General requirements 4.2 Establishing and managing the ISMS 4.2.1 Establish the ISMS 4.2.1.a 4.2.1.b 4.2.1.b.1
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationPrivileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery
Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account
More informationPCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes
Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include the following: 1.1.1 A formal process for
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationCredit Card Security
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationThe University of Texas at El Paso
The University of Texas at El Paso Payment Card Industry Standards and Procedures Standards, Procedures, and Forms That Conform to PCI DSS version 2.0 Policy Version 2.0 March 2012 About this Document
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationThe Contractor's Responsibility - Preventing Improper Information Process
BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
More informationCodes of Connection for Devices Connected to Newcastle University ICT Network
Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationImplementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
More informationPolicies and Procedures
Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationPREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:
A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationPayment Application Data Security Standards Implementation Guide
Payment Application Data Security Standards Implementation Guide 062212 PADSS 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means,
More informationmodules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:
SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY POLICY Name Of Policy: Security Audit Logging Policy Domain: Security Date Issued: 05/23/11 Date
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationA Rackspace White Paper Spring 2010
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationBKDconnect Security Overview
BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security
More informationA Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards
A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security
More information