Project Update December 2, Innovation Grant Program
- Regina Reynolds
Tri-University Vulnerability Scanning/Management Solution
Project Update, December 2, Innovation Grant Program
Project Summary

This grant application is part of a previous project report presented to ABOR to create a shared Tri-University vulnerability scanning and management solution, which was one of the recommendations of the Moran Technology Consulting IT Collaborative Opportunities study. The proposed scanning solution would allow the three universities to:

- Gain an external intruder's point of view by scanning through network perimeters from scanners located at a sister university
- Take the vantage point of an attacker located on the campus network by regularly scanning their own critical networked IT assets from the inside

To create an effective vulnerability scanning and management solution, this initiative will select and install the appropriate technologies for conducting both network system and web application scans, develop methodologies and processes for staff to conduct effective scans, and provide guidance for selecting and prioritizing critical networks to scan. The ultimate goal is to provide the three universities with the tools needed to detect system and web vulnerabilities before they are exploited by intruders, and to reduce the risk of sensitive information loss or disruptions to the networks that support our core mission.

Proposal Narrative

Part 1: Description of Need or Opportunity

Vulnerability scanning on networks is the practice of using tools to automate the detection of potential weaknesses in networked computer systems, and the process of interpreting those results to determine which vulnerabilities are most likely to be leveraged by a potential intruder. Regularly conducting vulnerability scanning (henceforth referred to as "scanning") is a critical component of an overall defense-in-depth strategy, and can establish a baseline of the security exposures an intruder could exploit. This baseline can be used to track ongoing remediation efforts and provides guidance for Information Technology (IT) system administrators regarding security issues that need to be addressed. The significant benefits of regularly scanning each university's network include:

- Establishing a baseline of vulnerabilities that an intruder may exploit
- Providing IT system administrators with an outside view of the services they may be offering on the network
- Acting as a safety net for routine yet critical tasks such as patching software running on networked devices; for example, a vulnerability scan may reveal a previously overlooked critical patch that is missing
- Providing a certain degree of review for potentially insecure configurations
- Helping to comply with pertinent government or industry regulations

Discovering and addressing vulnerabilities in web applications, in addition to network system vulnerabilities, is also of significant and growing importance. Vulnerabilities in web applications can lead to significant data leakage, alteration of data, or even the compromise of an otherwise secure networked system.

Currently, each of the three universities conducts its own network vulnerability scanning with a variety of primarily open-source tools and contracted services. Significant labor costs and effort are required to deploy those tools, making regular scanning of network vulnerabilities throughout the universities problematic. Contracted vulnerability assessment services could be eliminated if the universities owned their own vulnerability scanning solution.

Collaboration among the universities to share a common vulnerability scanning solution and methodologies was a recommendation of the Moran Technology Consulting IT Collaborative Opportunities study. Some of the enhanced benefits of a scanning solution shared by the three universities include:

- Leveraging economies of scale to improve purchasing power and reduce the need for overlapping hardware
- Saving the overhead cost of developing scanning methodologies multiple times, once for each university independently
- Sharing technical expertise among security staff at the three universities to gain fresh perspectives and technical synergies
- Standardizing best practices for vulnerability scanning
- Aiding central IT to gain a more consistent, current view of the types of systems on the campus network, and providing additional insights into the type of data that may be stored on given networks
- Gaining the perspective both of an external intruder, by scanning through network perimeters from scanners located at another university, and of an attacker located on the campus network

At the direction of the Committee after the Moran study, the three universities assembled a working group led by The University of Arizona to explore this initiative. The group put together a report and project proposal in October 2007 for the Board outlining a plan to implement a shared Tri-U vulnerability scanning solution.
Part 2: Description of Intended Outcomes and Strategies

Successful implementation of a shared vulnerability scanning infrastructure, in order to realize the benefits described previously, requires that three intermediary goals be accomplished:

1. Development of scanning methodologies to be implemented at all three universities
2. Selection of a scanning tool which fulfills Tri-U requirements
3. Development of prioritization criteria for network sensitivity

The first goal, to create uniformly adopted scanning methodologies, is critical both for ensuring a baseline of standards for scans and for facilitating communication and technical cooperation between security staff at the three universities. Also, having the same ground rules across the three universities will increase the value of the data both for internal security staff and for audit purposes.

The second goal of selecting the right scanning tool is clearly important for maximizing the benefit that the selected product can offer while minimizing the time and effort required to customize the tool to fit requirements.

The third goal, to determine a set of criteria used to prioritize which networks to scan, is necessary to make efficient use of staff time spent analyzing scan results. Security staff should spend more time and resources analyzing networks that contain resources critical to the mission and well-being of the universities. This judgment would become significantly more difficult to make without the ability to differentiate between networks. To use an extreme example, a main server in the Registrar's office should have more resources committed to analyzing its vulnerabilities than a transient laptop connected to wireless.

This proposal focuses on the second goal of selecting and acquiring the right scanning tool. After reviewing practices at other universities and going over Gartner recommendations, an RFI was issued to determine market scope. Summarizing briefly, the RFI reflected requirements collected by the working group during Phase 1 of the project, and covered 19 major points ranging from the technical quality of scans to compliance reporting to the training support offered by the vendor. A virtualized lab environment was created at the University of Arizona which contained both systems that were well protected and systems that had known vulnerabilities, and products participating in the RFI were tested first in this isolated lab environment. After initial testing, scans of other network segments were collected to review results against a larger sample size. Also during testing, the working group concluded that none of the leading network vulnerability scanners have sufficiently mature web scanning functionality bundled in, and that a standalone web application scanner would be necessary to achieve the desired results. The addition of an automated penetration testing tool to the suite will also assist in verifying the vulnerabilities discovered.

Based on the information gathered during the RFI, the working group proposes a suite consisting of (1) a network vulnerability scanning/management solution, (2) a web application vulnerability scanning solution, and (3) an automated penetration testing tool. Some of the tools covered during the exploratory process include the same solutions used by the Auditor General's Office. The web application vulnerability scanning solution was not part of the Moran report, but it bears repeating that the working group considers it very important, as it would provide a means of addressing an expanding source of vulnerabilities.

Part 3: Technical Needs

Both the web application vulnerability scanning solution and the automated penetration testing tool are software-based solutions, which will require the implementation of servers, likely relying on virtualization in order to decrease costs and maintenance. The technical needs to implement the network vulnerability scanning/management solution will depend on the solution chosen. As an example, certain vendors provide black-box scanning appliances and complete hosted management services, whereas other vendors require hardware to be provided for their solution. The specifics of the technical needs will be pending the vendor selection at the conclusion of the RFP.
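As an added illustration of the third goal above (prioritizing networks by sensitivity so that analyst time goes where it matters), the following Python sketch tags IP ranges with sensitivity criteria, gives each host the most specific matching range, and scales a finding's scanner severity by that weight, so the Registrar-server-versus-wireless-laptop comparison falls out of the numbers. This is not the working group's code or any product's logic; the criteria weights, CIDR ranges and sample findings are constructed assumptions.

```python
"""Rank scan findings by network sensitivity.

Added illustration for the proposal's third goal; not the working group's
code. The criteria weights, the CIDR ranges and the sample findings below
are constructed assumptions, drawn from private address space so nothing
here refers to a real campus network.
"""
import ipaddress
from dataclasses import dataclass

# Sensitivity criteria a university would assign to its own IP ranges
# (the proposal's Phase 2 names PCI, student data, backbone and DNS as
# examples). Higher weight = more analyst attention per finding.
CRITERIA_WEIGHT = {
    "pci": 5,
    "student_data": 4,
    "dns": 4,
    "backbone": 3,
    "transient_wireless": 1,
}

# Constructed mapping of network ranges to criteria. Ranges may nest:
# the registrar /24 sits inside the backbone /8.
NETWORK_CRITERIA = [
    (ipaddress.ip_network("10.10.0.0/24"), {"pci", "student_data"}),  # registrar
    (ipaddress.ip_network("10.20.0.0/24"), {"dns"}),
    (ipaddress.ip_network("10.0.0.0/8"), {"backbone"}),
    (ipaddress.ip_network("172.16.0.0/16"), {"transient_wireless"}),
]

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def network_weight(host):
    """Return (weight, criteria) for a host address.

    The most specific (longest-prefix) matching range wins, so a registrar
    host is scored as PCI rather than as generic backbone. Hosts outside
    every classified range get weight 1 and no criteria: they are still
    scanned, just not prioritized.
    """
    ip = ipaddress.ip_address(host)
    best = None
    for net, criteria in NETWORK_CRITERIA:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, criteria)
    if best is None:
        return 1, set()
    return max(CRITERIA_WEIGHT[c] for c in best[1]), best[1]


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str  # one of SEVERITY_SCORE's keys


def priority(finding):
    """Analyst priority: scanner severity scaled by network sensitivity."""
    weight, _ = network_weight(finding.host)
    return SEVERITY_SCORE[finding.severity] * weight


def triage(findings):
    """Order findings so staff time goes to critical networks first."""
    return sorted(findings, key=priority, reverse=True)


if __name__ == "__main__":
    sample = [
        Finding("172.16.4.9", "outdated browser plugin", "high"),   # wireless laptop
        Finding("10.10.0.5", "weak TLS configuration", "medium"),  # registrar server
        Finding("10.20.0.53", "unpatched resolver", "critical"),   # DNS server
    ]
    for f in triage(sample):
        print(priority(f), f.host, f.title)
```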
Part 4: Work Plan/Timeline

The work plan and timeline chart below excludes resources and personnel as well as personnel hours, as these items will vary greatly depending on the vulnerability scanning solution chosen. For example, certain vendors offer turnkey solutions whereas others require or allow significant customization. Another example is the training of systems administrators: some vendors offer regular vendor-led training as part of their total cost, whereas for others more University staff time will need to be dedicated to training.

Work Plan/Timeline Chart

Aug–Sep 2007 (Done)
Phase 1: Conduct requirements analysis and obtain project approval.
Checkpoint 1: Present report to ABOR analyzing costs and benefits.
Tasks and activities:
- Identify members of Tri-U working group and organize
- Begin conducting market survey of vulnerability scanning services offered by peer universities and tools used
- Begin identifying initial requirements from working group representatives

Oct–Dec 2007 (Done)
Phase 2: Define network sensitivity standards and determine priority of networks to scan based on sensitivity standards. Examine need for additional requirements after network identification.
Checkpoint 2: Face-to-face meeting for working group participants to review requirements in person and discuss progress.
Tasks and activities:
- Determine criteria for priority of networks to scan (PCI, student data, credit card transactions, network backbone networks, DNS, etc.); list gathered by Tri-U effort
- Each university determines which of their networks (IP ranges) match which of the above defined criteria
- Review whether classification of data and network criticality brings up additional technical requirements not identified earlier

Dec–Jan 2008 (Done)
Phase 3: Develop product evaluation criteria based on requirements gathered. Concurrently, develop high-level methodologies for conducting scans both internally and of a sister university.
Checkpoint 3: Review developed product evaluation criteria and methodologies.
Tasks and activities:
- Determine product evaluation criteria for selecting a scanning product based on requirements
- Develop high-level, technology-independent methodologies for security staff to conduct scans of another university, in terms of notification, scanning process and handling the results
- Develop suggested methodologies for security staff to conduct scans of their own critical networks

Jan–Mar 2008 (Done)
Phase 4: Conduct market survey of scanning products.
Checkpoint 4: In-person or web meeting for working group participants to review RFI results.
Tasks and activities:
- Conduct market survey of vulnerability scanner vendors
- Draft and send out RFI using requirements defined in Phases 1 and 2 above

Apr–Jun 2008
Phase 4b: Issue RFP for vulnerability scanning solution, and acquire most suitable solution available.
Checkpoint 4b: Acquire solution or suite of solutions to meet Tri-U needs.
Tasks and activities:
- Draft and send out RFP
- Conduct test of select products against established product evaluation criteria
- Demo top product(s) to Tri-U working group for feedback and conclude solution selection
- Develop proposed deployment design for selected scanner
- Submit test results, deployment design, and recommendation for top product to ABOR pending funding

Jun–Jul 2008
Phase 5: Obtain and set up site(s) for the vulnerability scanner selected. Develop key performance indicators (KPIs) for the production system. Define scanner-specific processes to supplement previously defined high-level methodologies. Start production pilot after initial training for security staff.
Checkpoint 5: In-person meeting to compare pilot project results against predetermined KPIs and assess lessons learned from pilot.
Tasks and activities:
- Develop Key Performance Indicators (KPIs) for the production system. This is different from the product evaluation criteria developed previously, as it accounts for strengths and weaknesses of the actual scanner system being implemented
- Set up hardware/network infrastructure for scanner system
- Develop specific, detailed technology-based scanning procedures tailored to the selected tool to supplement previously defined high-level methodologies
- Conduct first training session for security staff from all three Universities
- Initiate pilot scanning program involving small, closely monitored network ranges

Jul 2008–mid Aug 2008
Phase 6: Make necessary modifications from pilot results versus KPIs and conduct final kickoff training. Begin implementation of regular, full-scale scanning.
Checkpoint 6: In-person meeting with working group to discuss next steps and follow-up.
Tasks and activities:
- Make modifications based on lessons learned from pilot program; repeat previous steps if necessary
- Conduct final kickoff training session for security staff conducting the scan
- Begin internal training and advertising campaign for systems administrators
- Implement regular, full-scale scanning

Part 5: Key Personnel

- Harper Johnson (Harper.Johnson@nau.edu), Director, NAU ITS Information Security
- Gwen Ceylon (gwen.ceylon@nau.edu), Sr. Information Security Analyst, NAU ITS Information Security
- Greg Wilson (Greg.Wilson@ASU.EDU), Systems Analyst, Principal, ASU UTO Ops Systems and Security
- Jeremy Glassman, Network Systems Analyst, Graduate Assistant, UA UITS Security Operations
- Laura Corcoran, Network Systems Analyst, Senior, UA UITS Security Operations
- Abraham Kuo, Network Systems Analyst, Principal, UA UITS Security Operations
- Sylvia Johnson, UA University Information Security Officer

Part 6: Milestones, Performance Measures, and Deliverables

Phase and Checkpoint 1 (Scheduled for Sep 2007, Done): Conduct requirements analysis on project, and obtain project approval. Checkpoint 1 is to present a report to ABOR analyzing costs and benefits regarding the overall Tri-U Vulnerability Scanning/Management Infrastructure collaboration and project.

Phase and Checkpoint 2 (Scheduled for Nov 2007, Done): Define network sensitivity standards and priority of networks to scan based on sensitivity standards. Examine additional requirements which may have surfaced after network identification. Checkpoint 2 is to review the requirements collected in Phase 1 in person and discuss progress.

Phase and Checkpoint 3 (Scheduled for Jan 2008, Done): Develop product evaluation criteria. Checkpoint 3 is to meet and review the developed product evaluation criteria and methodologies.

Phase and Checkpoint 4 (Scheduled for Mar 2008, Done): Conduct market survey (RFI) of scanning products; demo and compare top products using pre-defined product evaluation criteria. Checkpoint 4 is to meet to review the market survey.

Phase and Checkpoint 4b (Scheduled for Jun 2008, In Progress): Conduct RFP for vulnerability scanning/management solutions using previously defined metrics. Checkpoint 4b is to have acquired a solution that meets the Tri-U needs. The conclusion of Checkpoint 4b will also include the generation of the Reimbursement Report.

Phase and Checkpoint 5 (Scheduled for Jul 2008, In Progress): Develop key performance indicators for the deployment of the solution selected, and implement the scanning procedures in a pilot production network. Checkpoint 5 is to meet to compare pilot project results against pre-determined KPIs and assess lessons learned from the pilot.

Phase and Checkpoint 6 (Scheduled for mid August 2008): Finalize training for security staff, begin mass adoption of the scanning solution and methodology, and begin an advertising and training campaign for systems administrators. Checkpoint 6 concludes with a meeting with the working group to review progress, discuss any next steps, and generate the Interim Progress Report.

The Final Project/Financial Report is proposed to be submitted in July of 2009, roughly one year after the initial implementation of the vulnerability scanning/management solution.

Part 7: Evaluation Plan

The fundamental success of this project revolves around the detection and remediation of vulnerabilities on critical networks. As such, the success of the project should be measured by how accurate, how precise, and how actionable the information gathered is. In the near term, trends should be tracked for critical networks on how many of the vulnerabilities detected were high priority, how many were actionable and quickly remediated, and how many were either false positives or had other compensating measures reducing the exposure caused by the vulnerability.

Budget Justification

- Network Vulnerability Scanning/Management Solution: $120,000
- Web Application Vulnerability Scanning Tool: $48,000
- Vulnerability Penetration Testing Tool: $27,000
- Total cost: $195,000

The range of costs varies considerably for the network vulnerability scanning solutions tested by the working group. As a result, the actual initial first-year costs may be considerably less than the maximum cost expressed above.
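The near-term trending that the evaluation plan calls for (high-priority share, quick remediation, false positives, compensating controls, per critical network over time) can be computed directly from a scanner's ticket export. The Python below is an added illustration, not part of the proposal or of any product named on the page; the record layout, network names, dates and the 30-day threshold for "quickly remediated" are constructed assumptions.

```python
"""Trend metrics for the evaluation plan.

Added illustration, not from the proposal or from any product named on
the page. The record layout, network names, dates and the 30-day
threshold for "quickly remediated" are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

QUICK_FIX = timedelta(days=30)        # assumption: "quickly" = within 30 days
HIGH_PRIORITY = {"critical", "high"}  # assumption: severities counted as high priority
METRICS = ("detected", "high_priority", "quickly_remediated",
           "false_positive", "compensated")

# Constructed sample of findings, one record per (host, vulnerability),
# roughly as a scanner's ticketing export would provide them.
# disposition is "open", "remediated", "false_positive" or "compensated";
# closed is the date that disposition was reached, or None while open.
SAMPLE_FINDINGS = [
    {"network": "registrar", "severity": "critical", "first_seen": date(2008, 10, 3),
     "disposition": "remediated", "closed": date(2008, 10, 10)},
    {"network": "registrar", "severity": "high", "first_seen": date(2008, 10, 5),
     "disposition": "false_positive", "closed": date(2008, 10, 6)},
    {"network": "registrar", "severity": "medium", "first_seen": date(2008, 10, 20),
     "disposition": "open", "closed": None},
    {"network": "registrar", "severity": "high", "first_seen": date(2008, 11, 2),
     "disposition": "remediated", "closed": date(2008, 12, 15)},   # 43 days: not "quick"
    {"network": "registrar", "severity": "high", "first_seen": date(2008, 11, 9),
     "disposition": "compensated", "closed": date(2008, 11, 9)},   # e.g. host firewalled off
    {"network": "dns", "severity": "high", "first_seen": date(2008, 11, 12),
     "disposition": "remediated", "closed": date(2008, 11, 20)},
]


def month_key(d):
    """Bucket findings by the month in which they were first detected."""
    return f"{d.year:04d}-{d.month:02d}"


def quickly_remediated(finding, quick_fix=QUICK_FIX):
    """True when the finding was fixed (not just closed) within quick_fix."""
    return (finding["disposition"] == "remediated"
            and finding["closed"] is not None
            and finding["closed"] - finding["first_seen"] <= quick_fix)


def trend(findings, quick_fix=QUICK_FIX):
    """Per-network, per-month counts the evaluation plan asks to track.

    Returns {(network, "YYYY-MM"): {metric: count}} with the metrics in
    METRICS, so one network can be compared month over month. Findings
    still open count only toward "detected".
    """
    out = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for f in findings:
        row = out[(f["network"], month_key(f["first_seen"]))]
        row["detected"] += 1
        if f["severity"] in HIGH_PRIORITY:
            row["high_priority"] += 1
        if quickly_remediated(f, quick_fix):
            row["quickly_remediated"] += 1
        elif f["disposition"] == "false_positive":
            row["false_positive"] += 1
        elif f["disposition"] == "compensated":
            row["compensated"] += 1
    return dict(out)


def noise_ratio(row):
    """Share of detections that carried no real exposure (false positive or
    already compensated): a precision indicator for the scanner itself."""
    if row["detected"] == 0:
        return 0.0
    return (row["false_positive"] + row["compensated"]) / row["detected"]


if __name__ == "__main__":
    for (network, month), row in sorted(trend(SAMPLE_FINDINGS).items()):
        print(network, month, row, f"noise={noise_ratio(row):.2f}")
```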
ATTACHMENT D: IT INNOVATION FUND GRANT PROJECT TIMELINE AND PROGRESS REPORT

Reporting Period: From April 2008 Through November 2008
Project #:
Project Name: Tri-University Vulnerability Scanning/Management Solution
Institution:
PI Name:
PI Phone:
PI

Key Milestones, Performance Measures, and/or Deliverables (from original proposal), with Target Date, Status* and Progress During This Time Period/Notes/Explanations:

Phase 4b: RFP and solution selection. Present Reimbursement Report.
Target date: Jun 08. Status: 3.
Progress: Three products are in process for selection:
1. Network Vulnerability Scanning/Management Solution: The software tool QualysGuard was selected in July 08 and access was acquired in Oct. 08. A delay occurred due to a change in the procurement process.
2. Web Application Vulnerability Scanning Tool: The software tool IBM Rational AppScan was selected in August 08 and access was acquired in Oct. 08. The selection of this tool is dependent upon the network vulnerability tool, thus the delay in acquisition.
3. Vulnerability Penetration Testing Tool: An initial market survey was completed in March 08 but no tool has been selected. The final selection has been intentionally deferred to allow time to implement the network and web vulnerability tools listed above.

Phase 5: Solution-specific process development and pilot deployment.
Target date: Jul 08. Status: 3.
Progress: For the three products to be selected:
1. Network Vulnerability Scanning/Management Solution: This phase is in progress. A kick-off meeting took place in Oct. 08 with vendor training in Nov. 08 for 17 attendees from the 3 universities.
2. Web Application Vulnerability Scanning Tool: This phase is in progress. Solution deployment began in Nov. 08 and vendor training is scheduled for Dec. 08 and/or Jan
3. Vulnerability Penetration Testing Tool: This tool is deferred as stated above.

Phase 6: General implementation with focus on critical networks. Present Interim Progress Report.
Target date: Aug 08. Progress: To come.

Final report and one-year-later follow-up.
Target date: July 09. Progress: To come.

If appropriate, please attach a brief description and explanation of any planned modifications to the original project timeline, budget, or work plan.

*For Status, enter: 1 = Ahead of schedule; 2 = On track to meet schedule; 3 = Behind schedule
NAU, UA, and ASU seek funding to implement and deploy a vulnerability scanning and management solution. Funding amount requested: $195,000.
Technology Oversight Committee, April 23, 2008, Item 5
EXECUTIVE SUMMARY, ACTION ITEM: Tri-University Vulnerability Scanning/Management Solution
ISSUE: NAU, UA, and ASU seek funding to implement
More informationIBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationWeb Application Security
About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR
More informationMcAfee Endpoint Protection Products
McAfee Total Protection Security Overview for MEEC Sumeet Gohri, CISSP Sr. Sales Engineer GovED + Healthcare McAfee, Inc. Agenda Protection Challenges McAfee Protection Products McAfee epo walkthrough
More informationA Comprehensive Cyber Compliance Model for Tactical Systems
A Comprehensive Cyber Compliance Model for Tactical Systems Author Mark S. Edwards, CISSP/MSEE/MCSE Table of Contents July 28, 2015 Meeting Army cyber security goals with an IA advocate that supports tactical
More informationDevelopment, Acquisition, Implementation, and Maintenance of Application Systems
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
More informationDeep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison
Deep Security Intrusion Detection & Prevention (IDS/IPS) Trend Micro, Incorporated A technical brief summarizing vulnerability coverage provided by Deep Security. The document also outlines a comparison
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationProject Management Plan for
Project Management Plan for [Project ID] Prepared by: Date: [Name], Project Manager Approved by: Date: [Name], Project Sponsor Approved by: Date: [Name], Executive Manager Table of Contents Project Summary...
More informationCompleted and Current Projects
Completed and Current Projects This project list is updated regularly with the current status of each project and the milestones that have been achieved. You can see the latest information on each project
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationAgriLife Information Technology IT General Session January 2010
AgriLife Information Technology IT General Session January 2010 Agenda Topics Year in Review Enterprise IT Services Update FirstCall Overview and Next Steps Sophos Antivirus Initiative Update Information/
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationQ&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015
Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015 UPDATE HISTORY: 10/21/2015 10/30/2015 11/5/2015 Questions submitted by Proposers All proposers should reference the following
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationSTATEMENT OF WORK (SOW) for CYBER VULNERABILITY ASSESSMENT
1.0 Introduction UTILITIES desires to contract with a CONTRACTOR to conduct an in-depth cyber vulnerability assessment and physical penetration vulnerability assessment of our IT Infrastructure as outlined
More informationPROJECT MANAGEMENT PLAN <PROJECT NAME>
PROJECT MANAGEMENT PLAN TEMPLATE This Project Management Plan Template is free for you to copy and use on your project and within your organization. We hope that you find this template useful and welcome
More informationPenetration Testing. Request for Proposal
Penetration Testing Request for Proposal Head Office: 24 - The Mall, Peshawar Cantt, 25000 Khyber Pakhtunkhwa, Islamic Republic of Pakistan UAN: +92-91-111-265-265, Fax: +92-91-5278146 Website: www.bok.com.pk
More informationAnalysis One Code Desc. Transaction Amount. Fiscal Period
Analysis One Code Desc Transaction Amount Fiscal Period 57.63 Oct-12 12.13 Oct-12-38.90 Oct-12-773.00 Oct-12-800.00 Oct-12-187.00 Oct-12-82.00 Oct-12-82.00 Oct-12-110.00 Oct-12-1115.25 Oct-12-71.00 Oct-12-41.00
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning
More informationGOVERNMENT USE OF MOBILE TECHNOLOGY
GOVERNMENT USE OF MOBILE TECHNOLOGY Barriers, Opportunities, and Gap Analysis DECEMBER 2012 Product of the Digital Services Advisory Group and Federal Chief Information Officers Council Contents Introduction...
More informationPractical Approaches for Securing Web Applications across the Software Delivery Lifecycle
Across the Software Deliver y Lifecycle Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle Contents Executive Overview 1 Introduction 2 The High Cost of Implementing
More informationManaged Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014
Managed Service Solutions Catalogue MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014 1 MANAGED SERVICES SOLUTIONS CATALOGUE Managed Services Solutions Catalogue Managed Service Solutions
More informationManagement (CSM) Capability
CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE
More informationEnhanced Vessel Traffic Management System Booking Slots Available and Vessels Booked per Day From 12-JAN-2016 To 30-JUN-2017
From -JAN- To -JUN- -JAN- VIRP Page Period Period Period -JAN- 8 -JAN- 8 9 -JAN- 8 8 -JAN- -JAN- -JAN- 8-JAN- 9-JAN- -JAN- -JAN- -JAN- -JAN- -JAN- -JAN- -JAN- -JAN- 8-JAN- 9-JAN- -JAN- -JAN- -FEB- : days
More informationState of South Carolina Policy Guidance and Training
DRAFT For Discussion Purposes Only State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Information Systems (IS) Acquisitions, Development, and Maintenance Policy April/May
More informationAn Introduction to Network Vulnerability Testing
CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability
More informationVulnerability Assessment & Compliance
www.pwc.com Vulnerability Assessment & Compliance August 3 rd, 2011 Building trust through Information security* Citizen-Centric egovernment state Consultantion workshop Agenda VAPT What and Why Threats
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationExecutive Branch IT Reorganization Project Plan
Office of Information Resource Management Executive Branch Project Plan Work Program Funded by for IT Appropriations Reorganization 2007, 2009 and Five Small Projects Date: August 2009 Version: 1.3 Revision
More informationCertification Programs
Certification Programs 2014 The SBS Institute serves community banks by providing educational programs that will certify a banker has the knowledge and skills to protect against todays information security
More informationTotal Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
More informationVulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
More informationOhio Supercomputer Center
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationDepartment of Information Technology Software Change Control Audit - Mainframe Systems Final Report
Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report March 2007 promoting efficient & effective local government Introduction Software change involves modifications
More informationSecurity solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.
Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?
More informationNICE and Framework Overview
NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationRoles: Scrum Master & Project Manager
Roles: Scrum Master & Project Manager Scrum Master: Facilitate collaborative meetings Track team performance Remove impediments (Risk, Issue) Validate team alignment to Agile framework and scope Drive
More informationEnterprise Projects Fiscal Year 2009/2010 Third Quarter Report
Enterprise Projects Fiscal Year 2009/2010 Third Quarter Report Enterprise Projects Fiscal Year 2009/2010 - Third Quarter Report The Enterprise Program Investment Council (EPIC) is responsible for governance
More informationCPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Cyber Security Assessments of Industrial Control Systems Good Practice
More informationManaging Vulnerabilities For PCI Compliance
Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF
More informationEvery Student I Every Day I Every Possibility
For the Facilities Master Plan March 4, 2015 1 Introduction This has been prepared to describe a proposed process to be implemented in order to develop comprehensive Facility Master Plans for all schools
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationAUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
More informationCA Vulnerability Manager r8.3
PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL
More informationCEI Document Management in S/4 Initial Call
CEI Document Management in S/4 Initial Call, SAP Labs India Dec 2015 Disclaimer The information in this document is confidential and proprietary to SAP and may not be disclosed without the permission of
More information