Recent Researches in Electrical Engineering

Size: px
Start display at page:

Download "Recent Researches in Electrical Engineering"

Transcription

1 The importance of introducing Information Security Management Systems for Service Providers Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * Faculty of Electrical Engineering Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina ** Police Support Agency of Bosnia and Herzegovina Aleja Bosne Srebrene bb, Sarajevo 71000, Bosnia and Herzegovina *** Faculty of Electrical Engineering Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina **** Technical University of Sofia St.Kliment Ohridski Boulevard, Sofia 1756, Bulgaria atanovic@etf.unsa.ba, asmir.butkovic@psa.gov.ba, forucevic@etf.unsa.ba, mastor@tu-sofia.bg Abstract: - This paper presents the process of Information Security Management System (ISMS) implementation by taking all guidances from ISO 27001:2013 standard in one Service Provider in Bosnia and Herzegovina. This Service Provider provides to its customers a hosting and an service. The paper is divided in two parts. The first part describes a preparation of Statement of Applicability (SoA) document and Risk Treatment Plan (RTP) document with a collection of recommendations for the improvement of this system. The second part describes results after the implementation of previous recommendations and gives a final set of recommendations for the improvement of the entire system. This paper has a scientific value because it gives a set of new recommendations for the improvement of ISMS system by using a new ISO standard from The same analysis could be done not just in service providers or telecom operators but also in many other companies or organizations. Key-Words: - ISMS, SoA, RTP, Service Provider, Hosting, . 1 Introduction ISO 27001:2013 is an information security standard that was published on the 25 September It is a specification for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process [1], [2]. Organisations which meet the standard may be accredited by an independent accreditor. Annex A, which is the part of documented ISO 27001:2013, is the heart of this standard. This paper is fully based on the last version of standard from 2013 and there are no connections with the previous version of standard from 2005 [2], [4]. It contains 113 security controls which are divided in 14 groups: A.5: Information security policies (2 controls) A.6: Organization of information security (7 controls) A.7: Human resource security - 6 controls that are applied before, during, or after employment A.8: Asset management (10 controls) A.9: Access control (14 controls) A.10: Cryptography (2 controls) A.11: Physical and environmental security (15 controls) A.12: Operations security (14 controls) A.13: Communications security (7 controls) A.14: System acquisition, development and maintenance (13 controls) A.15: Supplier relationships (5 controls) A.16: Information security incident management (7 controls) A.17: Information security aspects of business continuity management (4 controls) A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls) Section II. of the paper describes reference model, previous research in this field and previous papers which are published in this area. Section III. describes the risk management process which was used in this paper as the research methodology. Section IV. shows Statement of Applicability (SoA) ISBN:

2 document and results of the realization of all security controls. Section V. describes Risk Treatment Plan (RTP) document with actions for the improvement of security controls. Section VI. shows improved results after implementation of all recommendations from RTP document. Section VII. is conclusion of paper which contains final recommendations for the improvement of ISMS. 2 Reference model and previous research Service Provider which provides to its customers a hosting service and an service is taken as the reference model for the research in this paper. All security controls will be analyzed through all three network layers which are the part of this provider. Figure 1. shows these three network layers: services layer, IP/MPLS network layer and access network layer. All measurements by using a SWOT analysis for all security controls will be done in these three network layers. The paper [6] presents a methodology that makes it possible to comply with ISO standard (for physical security) and ISO standard (for logical security). This paper presents an organizational model proposal based on ISO standard (for physical security) and ISO (for logical security) and it integrates both models in the same company. In paper [7] authors illustrated a new approach for teaching and engaging students in the context of a real experience related to the information security field using ISO Results of this paper revealed the importance of integrating international standards into the curricula of educational institutions. In paper [8] authors investigated to what extent existing security requirements engineering approaches fulfilled requirements for the development of information security management systems. The authors have developed relations between these approaches and ISO standard using a conceptual framework originally developed for comparing security requirements engineering methods. In this article [9] a method for measuring the performance of the implementation and operation of an ISMS is presented. Paper [10] presents a research which is finished in one Telecom Enterprise on Taiwan in which is shown the process of implementation of ISO and ISO standards and the influence which has achieved this implementation on keeping in secret user personal data. The paper [11] presents advantages which some organization can get after the successful implementation of integrated management system which contains benefits from the implementation of quality management system according to ISO 9001 and information security management system according to ISO The authors have explored the commonality of these two management systems and then proceed to integrate them into an effective management model. In paper [12] authors have proposed a new extension to the ISO standard including a new control objective about virtualization applicable for cloud systems. The authors have also defined a new quantitative metric and evaluated the importance of existing ISO control objectives if customer services are hosted on-premise or in cloud. In paper [13] authors have developed a new performed model of ITIL framework for Telecom operators by taking the comparative analyse with other IT Service Management frameworks and standards: CobiT, PRINCE2, etom, ISO and ISO In paper [14] authors have described the process of implementation of Supplier Management process and the result of this paper is established border of successful implementation of ITSM recommendations which was 75% and this border is also taken for the research described in this paper. 3 Risk Management process Risk management consists of defining a risk assessment approach, identifying risks, analyzing risks, and devising treatments for risks [3]. There are many risk assessment methodologies. Some concentrate on asset space like equipment, buildings, PCs, servers, etc. The business function risk assessment leads to identification of key personnel, assets, and infrastructure that support performance of the key business functions [5]. A business function approach narrows the focus to a subset of overall asset space and threat space. Prioritizing activities to address this narrower focus is an exercise in intelligent resource allocation, where the potential worst effects on the organization receive security treatments. The objectives for a risk assessment are to identify risks, vulnerabilities, and potential threats, and determine the likely realization of a threat exploiting a vulnerability, and the resulting impact to the business [4]. These objectives are: Definitions of risk assessment approach and methodology Formal risk assessment plan When risk assessment should be performed, e.g., time-of-year restrictions ISBN:

3 How often it should be performed, e.g., not more than 12 months between assessments Risk assessment approach and methodology review and update Risk assessment performance Update of statements of applicability Update of initiatives driven by risk assessment results, e.g., business continuity. We used a Swot Analysis as a technique for the measurement of actual performances with the potential performances for all security controls [14]. SWOT stands for strengths, weaknesses, opportunities and threats. It is sometimes referred as SLOT analysis with liabilities coming in place of weaknesses: Strengths Advantages the company has over other competitors Weaknesses Areas that needs improvement compare to competitors Opportunities Trends and market gaps to take advantage of Threats External factors that can threaten your business. 4 Statement of Applicability Table I. describes Statement of Applicability (SoA) which is the central document in the design of Information Security Management System. This SoA document contains: the number of security control, the name of security control and the result of the realization of all security controls [10]. All security controls with the result of implementation which is under the border of 75% of the successful implementation will be taken into a consideration for the design of Risk Treatment Plan (RTP) [9]. In all these security controls it is needed to add some new corrective actions or preventive measures to eliminate all possible deficiencies that could cause some problems on system architecture, network architecture and information systems. 5 Risk Treatment Plan Table II. describes Risk Treatment Plan (RTP) with the list of actions needed for the improvement of 33 security controls which have not achieved a positive result of the implementation in a previous step [11]. Some actions require software changes (design of a new database, adding a new module), some of them require hardware changes (defining new access lists, adding a new server, changing configurations on network elements), some of them require organizational changes (adding a new department, adding a new team) and some of them require changes in a policy with suppliers (changing a contract with supplier) [11]. All these improvement actions will be implemented and new results will be analyzed after the implementation of corrective actions. 6 Results for new implemented security controls Table III. shows results of security control realization after the implementation of corrective action. 28 security controls have achieved now a positive result of the implementation and only five od them are still under the border of 75% of the successful implementation. Results have showed that there is still an opportunity to achieve better results for reviewing user access rights, management of capacity, audit controls for information systems, security of network services and testing a security for all information systems [13]. It is very clear that missing problems are connected with organizational structure of the company and with a forming new teams which are responsible for checking security issues. 7 Conclusion Results from the previous section have showed that 28 security controls have achieved now positive results of the implementation and only 5 security controls have not achieved positive results of the implementation of all 33 security controls with the negative results from the first measurement. This means that 85% of all security controls from the first measurement with the negative results have now achieved positive results after the implementation of all recommendations which are written in Risk Treatment Plan. Totally, 108 of all 113 security controls have now the positive result of the implementation which means that 95.57% of all security controls are above positive border [13]. Five security controls still have negative results of the implementation. All these security controls should be improved before the next audit and bellow is the list of recommendations for the improvement: A Review of user access rights - A new team of employees responsible for checking user access rights is formed now. This process of checking of user access rights should be done every week in the future to increase the level of successful implementation of this control. A Capacity management Each information system inside the company should have its own: capacity reports, performance reports, forecasts and a ISBN:

4 capacity plan. In this way it will be enabled the quick and efficient planning of all hardware and software capacities for the: central information system, billing system, hosting network element and network element. A Information systems audit controls One new team responsible for checking all performances on a billing system should be formed. All four teams for information systems audit controls should have a meeting once in the month. A Security of network services Besides implemented access lists on network elements for hosting and it is also very important to form and to check all access lists on central information system and on billing system. A System security testing Previous results have showed that it is very important to finish penetration tests not just with two previous methodologies (black box and white box) but also with the third methodology gray box. This is the methodology in which an auditor simulates a real and skilled attacker. This test provides a full system inspection from both the developer's perspective and a real malicious hacker's perspective. Future research in this field will be connected to the implementation of ISO/IEC in the same organization. The aim of this research is to build an integrated management system for providing confident IT services. Some of the papers from this field could include in future the integration with some other IT service management frameworks or standards like CobiT, PRINCE2, ITIL, MoR, MoP, MoV, etom, ISO/IEC and others. References: [1] ISO International Organization for Standardization, ISO 27001:2013, October [2] ISO - International Organization for Standardization, ISO 27002:2013, October [3] A.Calder and S.Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5 th Edition, Kogan Page, May [4] J.Hintzbergen, Foundations of Information Security Based on ISO and ISO 27002, Van Haren Publishing, April [5] A.Calder, Nine Steps to Success: An ISO27001:2013 Implementation Overview, 2 nd Edition, IT Governance Publishing, October [6] K.Pecina, R.Estremera, A.Bilbao, and E.Bilbao, Physical and Logical Security management organization based model on ISO and ISO 27001, IEEE International Carnahan Conference on Security Technology (ICCST 2011), pp. 1-5, October [7] M.A.Talib, A.Khelifi, and T.Ugurlu, Using ISO in teaching information security, 38 th Annual Conference on IEEE Industrial Electronics Safety (IECON 2012), pp , October [8] K.Beckers, S.Fassbender, M.Heisel, and H.Schmidt, Using Security Requirements Engineering Approaches to Support ISO Information Security Management Systems Development and Documentation, 7 th International Conference on Availability, Reliability and Security (ARES 2012), pp , August [9] W.Boehmer, Appraisal of the Effectiveness and Efficiency of an Information Security Management System Based on ISO 27001, 2 nd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 08), pp , August [10] L.L-Long, L.Che-Min, and S.Che-Jui, A Study on the Integration of ISO and ISO and the New Personal Information Protection Act in the Telecom Enterprises in Taiwan, 8 th International Conference on Broadband and Wireless Computing (BWCCA 2013), pp , October [11] W.Chi-Hsiang and T.Dwen-Ren, Integrated installing ISO 9000 and ISO management systems on an organization, 43 rd Annual International Carnahan Conference on Security Technology (ICCST 2009), pp , October [12] S.Ristov, M.Gusev, and M.Kostoska, A new methodology for security evaluation in cloud computing, 35 th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO 2011), pp , May [13] A.Tanovic and F.Orucevic, Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards The improved model of ITIL 2011 framework, 13 th International Conference on Applied ISBN:

5 Informatics and Communications (AIC 13), pp , August [14] A. Tanovic and F. Orucevic, Comparative Analysis of the Practice of Telecom Operators in the Realization of IPTV Systems Based on ITIL V3 Reccomendations for the Supplier Management Process, IEEE International Conference on Service-Oriented Computing and Applications (SOCA), pp. 1-8, December Figure 1. Service Provider as the reference model The number of control TABLE I. STATEMENT OF APPLICABILITY (SOA) The name of security control The realization of security control A Policies for information security 96% A Review of the policies for information security 94% A Information security roles and responsibilities 98% A Segregation of duties 97% A Contact with authorities 97% A Contact with special interest groups 95% A Information security in project management 89% A Mobile device policy 77% A Teleworking 79% A Screening 87% A Terms and conditions of employment 90% A Management responsibilities 92% A Information security awareness, education and training 87% A Disciplinary process 89% A Termination or change of employment responsibilities 92% A Inventory of assets 90% A Ownership of assets Control 90% A Acceptable use of assets 87% A Return of assets 84% A Classification of information 86% A Labelling of information 86% A Handling of assets 90% A Management of removable media 94% A Disposal of media 97% ISBN:

6 A Physical media transfer 95% A Access control policy 100% A Access to networks and network services Control 92% A User registration and de-registration 48% A User access provisioning 42% A Management of privileged access rights 63% A Management of secret authentication information of 65% users A Review of user access rights 55% A Removal or adjustment of access rights 20% A Use of secret authentication information 90% A Information access restriction 95% A Secure log-on procedures 85% A Password management system 90% A Use of privileged utility programs 85% A Access control to program source code 90% A Policy on the use of cryptographic controls 78% A Key management 78% A Physical security perimeter 77% A Physical entry controls 91% A Securing offices, rooms and facilities 95% A Protecting against external and environmental 100% threats A Working in secure areas 95% A Delivery and loading areas 95% A Equipment siting and protection 90% A Supporting utilities 92% A Cabling security 96% A Equipment maintenance 95% A Removal of assets 85% A Security of equipment and assets off-premises 88% A Secure disposal or reuse of equipment 90% A Unattended user equipment 86% A Clear desk and clear screen policy 85% A Documented operating procedures 64% A Change management 46% A Capacity management 20% A Separation of development, testing and 44% operational environments A Controls against malware 10% A Information backup 0% A Event logging 20% A Protection of log information 35% A Administrator and operator logs 30% A Clock synchronisation 25% A Installation of software on operational systems 90% A Management of technical vulnerabilities 80% A Restrictions on software installation 85% A Information systems audit controls 20% A Network controls 10% A Security of network services 15% A Segregation in networks 25% A Information transfer policies and procedures 90% A Agreements on information transfer 80% A Electronic messaging 40% A Confidentiality or nondisclosure agreements 88% A Information security requirements analysis 45% and specification A Securing application services on public networks 30% A Protecting application services transactions 15% A Secure development policy 50% A System change control procedures 60% A Technical review of applications after operating 55% platform changes A Restrictions on changes to software packages 35% A Secure system engineering principles 30% A Secure development environment 50% A Outsourced development 85% A System security testing 25% A System acceptance testing 20% A Protection of test data 5% A Information security policy for supplier relationships 95% ISBN:

7 A Addressing security within supplier agreements 85% A Information and communication technology 88% supply chain A Monitoring and review of supplier services 93% A Managing changes to supplier services 84% A Responsibilities and procedures 93% A Reporting information security events 88% A Reporting information security weaknesses 95% A Assessment of and decision on information security 92% events A Response to information security incidents 78% A Learning from information security incidents 75% A Collection of evidence 92% A Planning information security continuity 84% A Implementing information security continuity 86% A Verify, review and evaluate information security 80% continuity A Availability of information processing facilities 84% A Identification of applicable legislation and contractual 92% requirements A Intellectual property rights 86% A Protection of records 95% A Privacy and protection of personally identifiable 92% Information A Regulation of cryptographic controls 96% A Independent review of information security 94% A Compliance with security policies and standards 90% A Technical compliance review 80% The number of control The realization of security control TABLE II. RISK TREATMENT PLAN (RTP) Actions for the improvement of security control A % It is needed to create a log file for each user where it should be written all new addresses when a user creates them on his registered domains A % It is necessary to develop a new provisioning system which will enable the automatic switching of users from a central application of information system to network elements for hosting and A % It is necessary to create a new relational database which should be a backup database and which should be responsible for storing all usernames and passwords from privileged users A % All usernames of users should always be encrypted after loging of users A % A % A % A % A % because of creating a new domain or a new address It is important to create a new team of employees which should be responsible for checking user access rights. This process of checking of user access rights should be finished once during the month It is necessary to create a new team of employees which should control the process of removal or adjustment of users from the Hosting network element and network element All customer reclamations and complaints should be recorded in a new designed and implemented application. There should be created new roles in a company which should be responsible for monitoring and solving of all customer reclamations and complaints It should be created a new Change Advisory Board inside the company which should be responsible for: recording requests of change, assessing and evaluating the change, authorizing the change build, authorizing change development and finally coordinating change deployment It should be created a new Capacity Management Information System which should contain: capacity and performance reports, forecasts and a capacity plan A % The team, which is responsible for the development of new systems, should be divided in three groups: the group for development of new information systems, the group for testing new and existing information systems and the group for all operational activities with existing information systems A % A new anti-malware & internet security software should be installed on all A % A % workstations in the company It is necessary to create a new database and migration scripts which will be responsible for copying all data from the central application of information system, hosting network element and network element in this database It is important to install a new Service Desk application which should be responsible for: logging, detection, categorization, prioritization and ISBN:

8 solving all possible events, incidents and problems A % One new employee inside the company should be responsible for monitoring of creating of all possible logs from the central information system and both network elements A % Administrator's and operator's logs should be divided in two separate categories because of easier administration A % It is necessary that all clocks are synchronized including clocks on servers and PC workstations inside the company A % Three teams inside the company should be formed: team for checking all performances on central information system, team for checking all performances on network elements for hosting and and team for checking all security issues inside the company A % It is needed to check and test all implemented access lists on all routers inside the Local Area Network especially for FTP, SMTP and SNMP protocols A % It is needed to check and test all implemented access lists connected to the hosting and network elements A % It is necessary to reconfigure some parts of LAN especially the order of IP addresses for servers for hosting and network element A % Results on network element have showed that 99.6% of all messages between two nodes have been successfully delivered but 0.4% of all messages have not been successfully delivered which should be improved by checking all SMTP performances on network element A % Information security policy document should be written and all A % information assets should be included in this document The company should choose one specific methodology for the assessment of risks (management of risks methodology or business function risk assessment methodology) and investigate all possible risks connected to the application services on public network A % It is necessary to create new access lists for the Billing system which collects all payments from all users A % Information security policy document should be written and all information assets should be included in this document A % Five new change procedures should be included and documented: the procedure for assessing and evaluating changes, the procedure for authorizing change builds, the procedure for coordinating change builds, the procedure for authorizing change deployment and the procedure for coordinating change deployment A % One employee should be responsible for reviewing of applications after A % A % A % operating platform changes All changes to software packages should always be recorded, assessed, evaluated and authorized, it should be the part of Change Management process Meetings between all members of security team should take place once in month and all problems connected to security should be explained during these meetings Meetings between all members of security team should take place once in month and all problems connected to security should be explained during these meetings A % It is important to finish the penetration test with both methodologies (black box and white box) and to find out are there any threats for information assets inside the company A % It is necessary to include one new procedure connected to acceptance tests A % of all new systems delivered from some suppliers It is necessary to create a new relational database which should be a backup database and which should be responsible for storing all usernames and passwords from all users (not just from privileged users) TABLE III. RESULTS OF SECURITY CONTROLS AFTER THE IMPLEMENTATION OF CORRECTIVE ACTIONS The number of control The realization of security control before the implementation of corrective action The realization of security control after the implementation of corrective action A % 78% A % 80% A % 77% A % 78% A % 68% A % 80% A % 86% A % 76% A % 50% A % 79% A % 85% ISBN:

9 A % 80% A % 80% A % 75% A % 90% A % 75% A % 60% A % 90% A % 45% A % 75% A % 90% A % 85% A % 95% A % 80% A % 85% A % 90% A % 85% A % 80% A % 90% A % 100% A % 50% A % 100% A % 85% ISBN:

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

Recent Researches in Electrical Engineering

Recent Researches in Electrical Engineering Improvement of ISO/IEC 20000 standard through the combination with ISO/IEC 27001 Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * Faculty of Electrical Engineering Zmaja od

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

Design and implementation of new ITIL Service Desk for insurance companies

Design and implementation of new ITIL Service Desk for insurance companies Design and implementation of new ITIL Service Desk for insurance companies Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * American University in Bosnia and Herzegovina Mije

More information

Recent Advances in Automatic Control, Information and Communications

Recent Advances in Automatic Control, Information and Communications Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards The implementation of IT Service Management frameworks and standards Anel Tanovic*,

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Advantage of using Service Desk Management Systems in real organizations

Advantage of using Service Desk Management Systems in real organizations Advantage of using Service Desk Management Systems in real organizations Anel Tanovic*, Nikos E. Mastorakis** *Department of Computer Science and Informatics University of Sarajevo, Faculty of Electrical

More information

^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA

^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA ^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS KOGAN PAGE London and Sterling, VA Contents Foreword by Nigel Turnbull How to use this book

More information

Key-Words: - The improved model of ITIL 2011 framework, new process model, Cabinet Office, final upgrade of ITIL, Service Portfolio Management.

Key-Words: - The improved model of ITIL 2011 framework, new process model, Cabinet Office, final upgrade of ITIL, Service Portfolio Management. Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards The improved model of ITIL 2011 framework Anel Tanovic*, Fahrudin Orucevic** *Department

More information

Advantages of the implementation of Service Desk based on ITIL framework in telecommunication industry

Advantages of the implementation of Service Desk based on ITIL framework in telecommunication industry Advantages of the implementation of Service Desk based on ITIL framework in telecommunication industry Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * American University

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

ISO/IEC 27001:2013 Thema Änderungen der Kontrollen der ISO/IEC 27001:2013 im Vergleich zur Fassung aus 2005 Datum 20.01.2014

ISO/IEC 27001:2013 Thema Änderungen der Kontrollen der ISO/IEC 27001:2013 im Vergleich zur Fassung aus 2005 Datum 20.01.2014 ISO/IEC 27001:2013 Thema Änderungen der Kontrollen der ISO/IEC 27001:2013 im Vergleich zur Fassung aus 2005 Datum 20.01.2014 Legende: gering mittel hoch Änderungsgrad A.5 Information security policies

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Development of a new improved model of the ITIL V3 framework for the information system of Telecom operator

Development of a new improved model of the ITIL V3 framework for the information system of Telecom operator Development of a new improved model of the ITIL V3 framework for the information system of Telecom operator A. Tanovic*, F. Orucevic**, I. Androulidakis*** *Department for IT development of muldia services,

More information

Improvement of the Etom Standard Throught the Comparison with Itil V3 Best Practices

Improvement of the Etom Standard Throught the Comparison with Itil V3 Best Practices Middle-East Journal of Scientific Research 13 (11): 1533-1543, 2013 ISSN 1990-9233 IDOSI Publications, 2013 DOI: 10.5829/idosi.mejsr.2013.13.11.479 Improvement of the Etom Standard Throught the Comparison

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15 Acceptance Page 2 Revision History 3 Introduction 14 Control Categories 15 Scope 15 General Requirements 15 Control Category: 0.0 Information Security Management Program 17 Objective Name: 0.01 Information

More information

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds Original Article Healthc Inform Res. 2010 June;16(2):89-99. pissn 2093-3681 eissn 2093-369X Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds Woo-Sung

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

Advantages of the new ITIL V3 model in the implementation of the IMS system

Advantages of the new ITIL V3 model in the implementation of the IMS system Advantages of the new ITIL V3 model in the of the IMS system A. Tanovic*, I. Androulidakis**, F. Orucevic*** *Department for IT development of multimedia services, BH Telecom d.d. Sarajevo Obala Kulina

More information

This is a free 15 page sample. Access the full version online.

This is a free 15 page sample. Access the full version online. AS/NZS ISO/IEC 17799:2001 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 ISO/IEC 27001 Mapping guide Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 Introduction This document presents a mapping between the requirements of ISO/IEC 27001:2005 and

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Proposal of a new model for ITIL framework based on comparison with ISO/IEC 20000 standard

Proposal of a new model for ITIL framework based on comparison with ISO/IEC 20000 standard Proposal of a new model for ITIL framework based on comparison with ISO/IEC 20000 standard ANEL TANOVIC*, FAHRUDIN ORUCEVIC ** * Department for IT development of multimedia services, BH Telecom d.d. Sarajevo

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Technical Report Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors

Technical Report Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors TR 101 533-2 V1.2.1 (2011-12) Technical Report Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors 2 TR 101 533-2 V1.2.1 (2011-12) Reference

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

I n f o r m a t i o n S e c u r i t y

I n f o r m a t i o n S e c u r i t y We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments.

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

BCS Certificate in Information Security Management Principles Syllabus

BCS Certificate in Information Security Management Principles Syllabus BCS Certificate in Information Security Management Principles Syllabus Version 7.6 March 2015 Contents Change History... 3 Background... 4 Aims and Objectives... 4 Objectives... 4 Target Group... 4 Prerequisite

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security- Perspective for Management Information Security Management Program Concept

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Compliance Services CONSULTING. Gap Analysis. Internal Audit

Compliance Services CONSULTING. Gap Analysis. Internal Audit Compliance Services Gap Analysis The gap analysis is a fast track assessment to establish understanding on an organization s current capabilities. The purpose of this step is to evaluate the current capabilities

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

A Comparison of Oil and Gas Segment Cyber Security Standards

A Comparison of Oil and Gas Segment Cyber Security Standards INEEL/EXT-04-02462 Revision 0 Control Systems Security and Test Center A Comparison of Oil and Gas Segment Cyber Security Standards Prepared by the Idaho National Engineering and Environmental Laboratory

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

IT Networking and Security

IT Networking and Security elearning Course Outlines IT Networking and Security powered by Calibrate elearning Course Outline CompTIA A+ 801: Fundamentals of Computer Hardware/Software www.medallionlearning.com Fundamentals of Computer

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

IT Governance: The benefits of an Information Security Management System

IT Governance: The benefits of an Information Security Management System IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

Information Security Policy version 2.0

Information Security Policy version 2.0 http://kfu.edu.sa KING FAISAL UNIVERSITY Information Security Policy version 2.0 Prepared & Presented by: M. Shahul Hameed, MBA, M.Sc.IT, C\MA, CIA, PMP, CGEIT, CISA, CISM, ITSM(ITIL), ISO27001LA, Head

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

ISO 27001: Information Security and the Road to Certification

ISO 27001: Information Security and the Road to Certification ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

IT Audit in the Cloud

IT Audit in the Cloud IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO

More information

C015 Certification Report

C015 Certification Report C015 Certification Report NexCode National Security Suite Release 3 File name: Version: v1a Date of document: 15 June 2011 Document classification: For general inquiry about us or our services, please

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

Technology Risk Management

Technology Risk Management 1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact

More information