How Private Industry Protects Our Country's Secrets. James Kirk
|
|
|
- Claud Montgomery
- 10 years ago
- Views:
Transcription
1 An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls: How Private Industry Protects Our Country's Secrets James Kirk
2 Outline Background DOD Agency Responsible for Interpretation and Enforcement Security Control Development Document Drafting and Approval Testing of Security Controls Enforcement The fun stuff gaps in security controls
3 Background/Disclaimer What kind of data are we talking about? National Industrial Security Program (NISP) Executive Order National Industrial Security Program Policy Advisory Committee (NISPPAC) National Industrial Security Program Operating Manual (NISPOM) 1. DoD M National Industrial Security Program: Operating Manual.
4 DOD Agency Responsible for Interpretation and Enforcement The Defense Security Service (DSS) Agency Structure Directorates (IS, CI, DISCO, and CDSE) ODAA Field Offices
5 Basics of Certification and Accreditation (C&A) What is C&A? Certification Accreditation ISSP role RDAA role 1., 2. Enough background on the DSS, lets get into security controls 1. Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST Master System Security Plan (MSSP) Template for Peer-to-Peer Networks.
6 Security Controls Where do they originate from? Linux controls 1. Audit Areas 1./bin 2./usr/bin 3./etc 4./sbin 5./usr/sbin 6./var/audit 7./usr/local 8./opt 9./home 1. ISL
7 Security Controls cont. Linux cont. 1., 2. DISA STIG vs NISPOM/DSS ISL 1. Standardization of Baseline Technical Security Configurations. 2. UNIX: Security Technical Implementation Guide.
8 DISA STIG The SA will ensure audit data files have permissions of 640, or more restrictive. - Logon (unsuccessful and successful) and logout (successful) - Process and session initiation (unsuccessful and successful) - Discretionary access control permission modification (unsuccessful and successful use of chown/chmod) DSS NISPOM/ISL (2) Audit Trail Protection. The contents of audit trails shall be protected against unauthorized access, modification, or deletion. (b) Successful and unsuccessful logons and logoffs. (a) Enough information to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved. N/A - Unauthorized access attempts to files (unsuccessful) (c) Successful and unsuccessful accesses to securityrelevant objects and directories, including creation, open, close, modification, and deletion. - Use of privileged commands (unsuccessful and N/A successful) - Use of print command (unsuccessful and successful) N/A - Export to media (successful) N/A - System startup and shutdown (unsuccessful and N/A successful) - Files and programs deleted by the user (successful and unsuccessful) N/A Unless it s considered a Security Relevant Object - All system administration actions (d) Changes in user authenticators. - All security personnel actions N/A 1. Standardization of Baseline Technical Security Configurations. 2. UNIX: Security Technical Implementation Guide.
9 ISL and Windows Baseline Standards ISL Standardization of Baseline Technical Security Configurations March 2009 This process manual is not directive in nature, but adherence to the standards in this process manual by NISP contractors is recommended in order for DSS to be able to expeditiously issue Interim Approvals to Operate (IATO) and Approvals to Operate (ATO). FISMA (NIST ) - June 2011 Linux left out (must be super secure on its own) 1. Standardization of Baseline Technical Security Configurations.
10 ISFO Manual Updates (Summary of Changes) 1 Finally 14 character passwords required for all systems and 60 day change reqs. Patching is addressed now, in a semi-ambiguous way in section The ISSM will identify ISs containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The ISSM will install security-relevant software upgrades (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. 1. ISFO Process Manual Revision 3: Summary of Changes.
11 ISFO Manual Updates (Summary of Changes) 1 USB Drives Addressed sorta. Audit requirements expanded on 1. Enough information to determine the action involved, the date and time of the action, the system on which the action occurred, the system entity that initiated or completed the action, and the resources involved (if applicable). 2. Successful and unsuccessful logins and logoffs. 3. Unsuccessful accesses to security-relevant objects and directories. 4. Changes to user authenticators. 5. The blocking or blacklisting of a user ID, terminal, or access port. 6. Denial of Access from an excessive number of unsuccessful login attempts. 1. ISFO Process Manual Revision 3: Summary of Changes.
12 ISFO Manual Updates (Summary of Changes) cont. 1 Security Seals Approved tamper-proof, pre-numbered seals should be used on hardware components (to include monitors and keyboards) anytime the hardware may be subject to access by uncleared personnel (i.e. used for periods-processing, or relocation). 1. ISFO Process Manual Revision 3: Summary of Changes.
13 Document Drafting and Approval ISFO Process Manual and Standardization Documents drafting Linux document development, and its death.
14 Security Setting Testing Inadequate Labs Test Resources Limited
15 Enforcement The Special Agent The 0080 (Industrial Security Specialist) and 2210 Specialties (IT Specialist) Training and authority Subjectivity
16 Enforcement cont. Inspection selection and process Size of facility and complexity Partners with Industry What happens if non-compliance
17 Inadequate Controls - Windows Patching 1. USB Virtual Environments UAC Admin actions not audited Classified data not audited Tamper Controls 1. Standardization of Baseline Technical Security Configurations.
18 Inadequate Controls - *nix Lack of expertise and training in agency leads to ostrich effect. 1. Job listings do not require any Unix or Linux experience. List is too long to list of files/services/versions that are not addressed. Make it easy on themselves and use one of the configuration guides already in use. Auditing Rules not required to be in use in Red Hat really? 1. Standardization of Baseline Technical Security Configurations.
19 Inadequate Controls- *nix cont. Same issues affecting Windows, affect the Unix/Linux environment as well. 1. Patching USB Virtualized Environments Auditing Tamper Controls 1. Standardization of Baseline Technical Security Configurations.
20 Wrap-up So why the talk? Education how many actually know how the U.S. protects classified data at the collateral level? Enlightenment I think it s important to bring issues that are detrimental to the nations security to the forefront. These issues have been brought up to the agency, and ignored. STUXNET and Flame
21 References DoD M National Industrial Security Program: Operating Manual. Department of Defense: Under Secretary of Defense for Intelligence. (2006). Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST Washington DC: Department of Defense: Defense Security Service. (2011). ISFO Process Manual Revision 3: Summary of Changes. Defense Security Service Office of the Designated Approving Authority. (2011). ISL Department of Defense: Defense Security Service, Industrial Security Program Office. (2007). Master System Security Plan (MSSP) Template For Peer-to-Peer Networks. Defense Security Service Office of the Designated Approving Authority. (2011). SIPRNet Contractor Approval Process (SCAP). Department of Defense: Office of the Designated Approving Authority. (2011). Standardization of Baseline Technical Security Configurations. Defense Security Service Office of the Designated Approving Authority. (2009). UNIX: Security Technical Implementation Guide. Defense Information Systems Agency. (2006).
INDUSTRIAL SECURITY LETTER
DEPARTMENT OF DEFENSE DEFENSE SECURITY SERVICE, INDUSTRIAL SECURITY PROGRAM OFFICE 1340 Braddock Place, Alexandria, VA 22314-1651 INDUSTRIAL SECURITY LETTER Industrial Security letters will be issued periodically
Defense Security Service
Defense Security Service Industrial Security Field Operations Office of the Designated Approving Authority Manual for the Certification and Accreditation of Classified Systems under the NISPOM Version
Windows 7 / Server 2008 R2 Configuration Overview. By: Robert Huth Dated: March 2014
Windows 7 / Server 2008 R2 Configuration Overview By: Robert Huth Dated: March 2014 Expectations This Windows 7 / Server 2008 R2 (Win7-2K8) presentation is a general overview of the technical security
Office of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:
A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine
DSS Secret Internet Protocol Router Network (SIPRnet) Processing Procedures
DSS Secret Internet Protocol Router Network (SIPRnet) Processing Procedures Introduction DSS is the Cognizant Security Authority (CSA) for contractors participating in the National Industrial Security
2015 Cybersecurity Awareness
2015 Cybersecurity Awareness CDSE Cybersecurity Thomas N. LeBaron, CISSP Cybersecurity Curriculum Manager Mr. LeBaron has been the Cybersecurity Curriculum Manager for CDSE since October 2012 Mr. LeBaron
FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
Office of Inspector General
Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
Adopt and implement privacy procedures, train employees on requirements, and designate a responsible party for adopting and following procedures
Whitesheet Navigate Your Way to Compliance The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an American federal law that requires organizations that handle personal health information
Requirements For Computer Security
Requirements For Computer Security FTA/IRS Safeguards Symposium & FTA/IRS Computer Security Conference April 2, 2008 St. Louis 1 Agenda Security Framework Safeguards IT Security Review Process Preparing
Outside Director and Proxy Holder Training: Module 1: Intro to DSS and Foreign Ownership, Control, or Influence (FOCI) Defense Security Service
Outside Director and Proxy Holder Training: Module 1: Intro to DSS and Foreign Ownership, Control, or Influence (FOCI) Defense Security Service February 2014 Training Objectives DSS Agency DSS Mission
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer [email protected] The Foundation http://www.owasp.org
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
FISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
Computer and Network Security Policy
Coffeyville Community College Computer and Network Security Policy Created By: Jeremy Robertson Network Administrator Created on: 6/15/2012 Computer and Network Security Page 1 Introduction: The Coffeyville
Standard: Event Monitoring
Standard: Event Monitoring Page 1 Executive Summary The Event Monitoring Standard defines the requirements for Information Security event monitoring within SJSU computing resources to ensure that information
EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
What s New in Centrify Server Suite 2013 Update 2
CENTRIFY SERVER SUITE 2013.2 DATA SHEET What s New in Centrify Server Suite 2013 Update 2 The new Centrify Server Suite 2013 Update 2 (2013.2) builds on the core enhancements Centrify introduced in Server
Defense Security Service Office of the Designated Approving Authority
Defense Security Service Office of the Designated Approving Authority Baseline Technical Security Configuration of Microsoft Windows 7 and Microsoft Server 2008 R2 Version 1.0 Title Page Document Name:
The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data
The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data An EiQ Networks White Paper The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event
Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
Did you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
Reference Guide for Security in Networks
Reference Guide for Security in Networks This reference guide is provided to aid in understanding security concepts and their application in various network architectures. It should not be used as a template
Mapping EventTracker Reports and Alerts To FISMA Requirements NIST SP 800-53 Revision 3 Prism Microsystems, August 2009
Mapping Reports and Alerts To FISMA Requirements NIST SP 800-53 Revision 3 Prism Microsystems, August 2009 Access Control AC-2 Account Management *Security: User Account disabled *Security: User Account
Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009
Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009 Users If I [user] am doing my job, then they [DOIM] are not doing theirs!
POSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
In this topic we will cover the security functionality provided with SAP Business One.
In this topic we will cover the security functionality provided with SAP Business One. 1 After completing this topic, you will be able to: Describe the security functions provided by the System Landscape
Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000.
U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098
Security Self-Assessment Tool
Security Self-Assessment Tool State Agencies Receiving FPLS Information, 7/15/2015 Contents Overview... 2 Access Control (AC)... 3 Awareness and Training (AT)... 8 Audit and Accountability (AU)... 10 Security
Improvements Needed With Host-Based Intrusion Detection Systems
Report No. DODIG-2012-050 February 3, 2012 Improvements Needed With Host-Based Intrusion Detection Systems Warning This report is a product of the Inspector General of the Department of Defense. Its contents
NetIQ FISMA Compliance & Risk Management Solutions
N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a
How To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
Event Log Management & Compliance Best Practices: For Government & Healthcare Industry Sectors. By Ipswitch, Inc. Network Managment Division
Event Log Management & Compliance Best Practices: For Government & Healthcare Industry Sectors By Ipswitch, Inc. Network Managment Division www.whatsupgold.com September 2010 Table of Contents Compliance
Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft [email protected] 703-437-9451 ext 12 The Foundation
Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft [email protected] 703-437-9451 ext 12 The Foundation
Security Certification & Accreditation of Federal Information Systems A Tutorial
29 Jun 2009 Security Certification & Accreditation of Federal Information Systems A Tutorial An Introduction to NIST s 800-37 Dr. Vijay Madisetti Professor, Georgia Tech - ECE [email protected] Tutorial Outline
How To Manage A System Vulnerability Management Program
System Vulnerability Management Definitions White Paper October 12, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that allows
EAC Decision on Request for Interpretation 2008-03 (Operating System Configuration)
EAC Decision on Request for Interpretation 2008-03 (Operating System Configuration) 2002 VSS Volume1: 2.2.5.3, 4.1.1, 6.2.1.1, Volume2: 3.5 2005 VVSG Volume1: 2.1.5.2, 5.1.1, 7.2.1, Volume2: 3.5 Date:
Defense Security Service (DSS)
Defense Security Service (DSS) Center for Development of Security Excellence (CDSE) ADMINISTRATIVE INQUIRY (AI) PROCESS JOB AID July 2011 TABLE OF CONTENTS 1. INTRODUCTION... 1 1.1 Scope... 1 2. PRELIMINARY
UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER 212-04 Agency Administrative Order Series. Secure Baseline Attachment
UNITED STATES PATENT AND TRADEMARK OFFICE AGENCY ADMINISTRATIVE ORDER 212-04 Agency Administrative Order Series Secure Baseline Attachment Date of Issuance: Effective Date: TABLE OF CONTENTS I. Purpose
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
Security Best Practice
Security Best Practice Presented by Muhibbul Muktadir Tanim [email protected] 1 Hardening Practice for Server Unix / Linux Windows Storage Cyber Awareness & take away Management Checklist 2 Hardening Server
IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS
GE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
DIACAP Presentation. Presented by: Dennis Bailey. Date: July, 2007
DIACAP Presentation Presented by: Dennis Bailey Date: July, 2007 Government C&A Models NIST SP 800-37 - Guide for the Security Certification and Accreditation of Federal Information Systems NIACAP - National
PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.
PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements
AHS Flaw Remediation Standard
AGENCY OF HUMAN SERVICES AHS Flaw Remediation Standard Jack Green 10/14/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements
Evaluation of DHS' Information Security Program for Fiscal Year 2015
Evaluation of DHS' Information Security Program for Fiscal Year 2015 January 5, 2016 OIG-16-08 (Revised) DHS OIG HIGHLIGHTS Evaluation of DHS Information Security Program for Fiscal Year 2015 January 5,
Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
Everything You Wanted to Know about DISA STIGs but were Afraid to Ask
Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,
PUBLIC REPORT. Red Team Testing of the ES&S Unity 3.0.1.1 Voting System. Freeman Craft McGregor Group (FCMG) Red Team
PUBLIC REPORT Red Team Testing of the Voting System Freeman Craft McGregor Group (FCMG) Red Team Prepared for the California Secretary of State by: Jacob D. Stauffer, FCMG Red Team Project Manager Page
Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities
Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities Wireless Infrastructure, Article 3-15-2012 The federal government recognizes that standards based
DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1. 14 February 2014
DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release 1 14 February 2014 Trademark Information Names, products, and services referenced within this document may be the trade
Information Technology Internal Controls Part 2
IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part
2015 Security Training Schedule
2015 Security Training Schedule Risk Management Framework Course (RMF) / $1,950.00 Per Student Dates June 1-4 Location 4775 Centennial Blvd., Suite 103 / Colorado Springs, CO 80919 July 20 23 444 W. Third
ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002
ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security
BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance
AUTOMATING THE 20 CRITICAL SECURITY CONTROLS
AUTOMATING THE 20 CRITICAL SECURITY CONTROLS Wolfgang Kandek, CTO Qualys Session ID: Session Classification: SPO-T07 Intermediate 2012 the Year of Data Breaches 2013 continued in a similar Way Background
Industrial Security Field Operations
Defense Security Service Industrial Security Field Operations NISP Authorization Office (NAO) (Formerly Office of the Designated Approving Authority) NISPOM to NIST (800-53r4) Security Control Mapping
White Paper Levels of Linux Operating System Security
White Paper Levels of Linux Operating System Security Owl Approach to the Hardening of Linux Abstract Cross Domain Solutions produced by Owl Computing Technologies, Inc., running on Security Enhanced (SE)
WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0
WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of
EMC Smarts Network Configuration Manager
EMC Smarts Network Configuration Manager Version 9.4.1 Advisors User Guide P/N 302-002-279 REV 01 Copyright 2013-2015 EMC Corporation. All rights reserved. Published in the USA. Published October, 2015
FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
The Operating System Lock Down Solution for Linux
The Operating System Lock Down Solution for Linux The Challenge: Meeting Organizational Security Requirements Linux Operating System Security Operating system (OS) security is a priority for System Administrators
An Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
Office of Inspector General Audit Report
Office of Inspector General Audit Report USMMA SECURITY CONTROLS WERE NOT SUFFICIENT TO PROTECT SENSITIVE DATA FROM UNAUTHORIZED ACCESS Maritime Administration Report Number: FI-2012-138 Date Issued: May
CHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
INSIDER THREAT PROGRAM DEVELOPMENT TRAINING (INSIDER THREAT SECURITY SPECIALIST COURSE)
INSIDER THREAT PROGRAM DEVELOPMENT TRAINING (INSIDER THREAT SECURITY SPECIALIST COURSE) Presented by: Jim Henderson, CISSP, CCISO CEO, Insider Threat Defense, TopSecretProtection.com, Inc. Counterespionage-Insider
White Paper. Support for the HIPAA Security Rule PowerScribe 360
White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as
<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.
PR11 - Log Review Procedure Document Reference PR11 - Log Review Procedure Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 12 January 2010 - Initial release. 1.1 14 September
Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities
Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities Wireless Infrastructure, Article 12-29-2011 The federal government, and the Department of
Achieving PCI Compliance: How Red Hat Can Help. Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl.
Achieving PCI Compliance: How Red Hat Can Help Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl. Agenda Understanding Compliance Security Features within Red Hat Backporting Choice
SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
CHAIRMAN OF THE JOINT CHIEFS OF STAFF INSTRUCTION
CHAIRMAN OF THE JOINT CHIEFS OF STAFF INSTRUCTION Directive Current as of 19 November 2014 J-8 CJCSI 8410.02 DISTRIBUTION: A, B, C, JS-LAN WARFIGHTING MISSION AREA (WMA) PRINCIPAL ACCREDITING AUTHORITY
Implementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
UNCLASSIFIED. Trademark Information
SAMSUNG KNOX ANDROID 1.0 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 1 3 May 2013 Developed by Samsung Electronics Co., Ltd.; Fixmo, Inc.; and General Dynamics C4 Systems,
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 8. 24 July 2015
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 8 24 July 2015 Developed by Red Hat, NSA, and for the DoD Trademark Information Names, products, and
Network Working Group. S. Crocker Trusted Information Systems, Inc. B. Fraser. Software Engineering Institute. November 1991
Network Working Group Request for Comments: 1281 R. Pethia Software Engineering Institute S. Crocker Trusted Information Systems, Inc. B. Fraser Software Engineering Institute November 1991 Status of this
FSIS DIRECTIVE 1306.3
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS
DEPARTMENT OF DEFENSE DeCAD 35-31 HEADQUARTERS DEFENSE COMMISSARY AGENCY Fort Lee, VA 23801-1800 August 1, 1996. Information Management
DEPARTMENT OF DEFENSE DeCAD 35-31 HEADQUARTERS DEFENSE COMMISSARY AGENCY Fort Lee, VA 23801-1800 August 1, 1996 Information Management DeCA AUTOMATED INFORMATION SYSTEMS SECURITY (INFOSEC) PROGRAM BY ORDER
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
Managing Windows Environments with Group Policy
3 Riverchase Office Plaza Hoover, Alabama 35244 Phone: 205.989.4944 Fax: 855.317.2187 E-Mail: [email protected] Web: www.discoveritt.com Managing Windows Environments with Group Policy Course: MS50255C
IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet
IBM PowerSC Security and compliance solution designed to protect virtualized datacenters Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance
Introduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
e-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
SMSe Privacy Impact Assessment
1. Contact Information Department of State Privacy Coordinator Margaret P. Grafeld Bureau of Administration Global Information Services Office of Information Programs and Services 2. System Information