SECURITY. Risk & Compliance Services
|
|
- Prudence Cunningham
- 8 years ago
- Views:
Transcription
1 SECURITY Risk & Compliance s V1 8/2010
2 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize risk, improve operational efficiency, and satisfy regulatory mandates. We will provide your organization with metrics needed to make critical business decisions on where to spend valuable time and money protecting your assets while maintaining industry-best practices and regulatory compliance. Features & Benefits Features & Benefits Approach Approach Key Deliverables Key Deliverables Requirements Requirements TRACE3 Trace3 Security s provide provide the following the following features features and benefits: and benefits: Provides your management team team with with a rapid a rapid top top down- down- big picture big picture of current of current security security posture. posture. Proactively identify possible or potential security risks, or vulnerabilities, that may allow access to Proactively confidential identify areas of possible a network, or allow potential a denial security of service risks, to be or vulnerabilities, performed, or obtain that information may allow access from your to confidential network. areas of a network, allow a denial of service to be performed, or obtain information This exercise from will produce your network a deliverable cataloguing potential vulnerabilities in the environment This and exercise outline a will remediation produce strategy a deliverable to resolve cataloguing the identified potential issues. vulnerabilities in the environment Benchmarks current and outline environment a remediation against industry strategy best to resolve practices. the identified issues. Benchmarks current environment against industry best practices Reveals and quantifies network infrastructure weaknesses and provides both tactical and Reveals strategic and opportunities quantifies network to remedy infrastructure these weaknesses. weaknesses and provides both tactical and strategic opportunities to remedy these weaknesses. Identifies risks to the confidentiality, integrity and availability of information and information Identify systems. and understand risks to the confidentiality, integrity and availability of information and information systems. Provide recommendations for gaps in policy by strengthening of current policy or addition of Provide new policies. recommendations for gaps in policy by strengthening of current policy or addition of new policies. Trace3 will gather and organize the data necessary to make informed conclusions and TRACE3 will gather and organize the data necessary to make informed conclusions and recommendations through on-site interviews, walkthroughs, asset inventories, device configuration recommendations review, document review, through and on-site hands-on interviews, equipment walkthroughs, evaluation. All asset areas inventories, of the network device configuration infrastructure review, can be reviewed document including review, WAN/LAN and hands-on protocols equipment and topology, evaluation. operating All systems, areas of routing the network and switching, infrastructure remote/internet can be reviewed connectivity, by including cabling, and WAN/LAN network/systems protocols management and topology, tools. Within operating these areas, systems, Trace3 routing will focus and on switching, security posture remote/internet as it relates to connectivity, People, Process cabling, and and Technology network/systems in accordance management with best practices. tools. Within these areas, TRACE3 will focus on security posture as it relates to People, process and Technology in accordance with best practices. Security s delivers the following: Security Formal discovery s report including delivers executive the following: summary and detailed facts and finding from the Formal discovery Discovery phase of Report assessment. including executive summary and detailed facts and finding from Specific the recommendations, discovery phase of including assessment. justification and benefits. Specific recommendations, including justification and benefits Detailed vulnerability reports with one step remediation plans. Detailed Vulnerability reports with one step remediation plans. A A comprehensive security standards and and compliance compliance matrix matrix will be will provided be provided in accordance in with best practices. accordance with best practices. Collaborative Feedback feedback report Report to your to your IT organization IT organization through through an interactive an interactive presentation or workshop. presentation or workshop. To To conduct a a Network Technology Infrastructure service, service, Trace3 TRACE3 requires requires the following: the following: Network drawings depicting your environment. If such an as-built is not available, Trace3 offers a Network drawings Discovery depicting and Documentation your environment. service. If such an as-built is not available, TRACE3 Detailed offers information a Network on the Discovery current network and Documentation layout including service. subnet allocation, network device Detailed locations, information and IP addresses. on the current network layout including subnet allocation, network List of personnel device locations, and scheduled and IP interview addresses. times prior to project kickoff meeting. List of personnel and scheduled interview times prior to project kickoff meeting. Access to your network equipment. Access to your network equipment. A static A static and and functional network environment during during the the course course of our of discovery/data our discovery/data collection phase. collection phase. Trace3 Co-Management Risk & Compliance Solutions s Guide
3 Risk & compliances services Risk & Compliance s Please select all all that apply to to the project Compliance/ Compliance/ Risk Risk \ Sarbanes-Oxley GLBA HIPAA PCI PCI Readiness ISO 17799/27001 OWASP COBIT NSA IAM/IEM PIPEDA NERC NIST/ Best Practice Custom Vulnerability Disaster Planning Remote Remote App Config. Review App Config. Review Device Config Review Device Config Review Network Config. Review Network Config. Review Server Config. Review Server Config. Review Disaster Social Engineering Social Engineering Off Hours Off Hours Web Application Web Application DR Planning DR Planning DR Creation DR Creation DR Exercise DR Exercise Data Criticality Analysis Data Criticality Analysis Physical Physical Wireless Wireless DR Gap Analysis DR Gap Analysis DR DR Business Impact Analysis Business Impact Analysis Custom Custom Forensics Forensics Incident Response Incident Response Policy Policy Policy Creation Policy Creation Physical Security Physical Security Wireless Security Wireless Security Security Training Security Training Server Hardening Server Hardening Security Architecture Security Architecture Target State Target State Virtual CSO Virtual CSO Trace3 Co-Management Risk & Compliance Solutions s Guide
4 External Vulnerability An external vulnerability assessment will assess your environment from an external or public view to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain sensitive internal information. Internal Vulnerability An internal vulnerability assessment will assess your environment from the internal view of the network to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or allow access to sensitive internal information. Password complexities are also verified, virus protection and patch management are assessed, and a sample number of servers and workstations are reviewed to provide recommendations on how to enhance the organization s security posture. Host & Network testing, also known as ethical hacking, is conducted to confirm the true risk of vulnerabilities identified. Through exploitation of vulnerabilities, engineers will try to gain root or administrator-level access to the target systems and/or other trusted user account access. During this process, advanced tools and custom utilities will be used to maintain availability of the servers while gaining access to potential vulnerable services. After manual verification of the information tested, we provide a mitigation plan to secure the network and prevent the information from being accessed. Application With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business focused attacks, the security focus has shifted to the next battlefront applications. Custom coded applications offer up addition attack vectors for hackers. Application penetration testing is directly related to testing those applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as the web servers, but rather focuses on the application software itself. Social Engineering Social engineering evaluates the ultimate weakest link in your security program by testing the security awareness and education of an organization s user population. Using specialized attacks such as phishing, random phone calls, information gathering, and tailgating, consultants are quickly able to determine where vulnerabilities exist in an organization by exploiting weaknesses in human vulnerabilities. Red Team Red Team testing is a state of the art system of exposing information security risks. This methodology quickly and directly identifies key corporate assets and their real world weakness and strengths on all levels of security posture (physical, logical, electronic, social, environmental and business process/structure). The result of this assessment enables clients to find out their true level of defense against generic and sophisticated attacks. Trace3 Co-Management Risk & Compliance Solutions s Guide
5 Risk Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. This assessment will include policy review, architecture review and security practice review. By taking this approach, a security control baseline will be compiled for our customer s environment. This will give the customer an understanding of the current state of security as well as an accurate roadmap to meet Sarbanes-Oxley IT security compliance. In addition to technical reviews and policy inspection, a comprehensive requirements matrix will be compiled. This matrix will show mapping to specific security requirements, as interpreted by the provider, of Sarbanes-Oxley sections 302, 404 and 802. Sarbanes- Oxley (SOX) Gramm- Leach-Bliley (GLBA) The GLBA assessment process is designed to identify, measure, manage, and control the risks to system and data availability, integrity and confidentiality, as well as to ensure accountability for system actions within financial institutions. This particular assessment will follow the guidelines as provided by GLBA and FFIEC to assess the current level of compliance to GLBA and relative security of the environment. Health Insurance Portability & Accountability Act (HIPAA) Section (a)(1) of HIPAA requires an organization to conduct the risk analysis of the organization. This analysis is required to understand the flow of e- PHI (Electronic Protected Health Information) in the organization and the result of this analysis will facilitate creation of security policies & procedures and support the recommendation to initiate the HIPAA Security Compliance related remediation activities. This assessment will enable organizations to gain a full understanding of their compliance with HIPAA, provide a gap analysis against current security controls, and provide a remediation plan to achieve full compliance. ISO 27001/7700 ISO/IEC and its related code of practice, ISO/IEC 17799, provide internationally accepted, standardized criteria to implement an effective information security management system. The basis for the standard is that information is an organization s most valuable asset. As a valued asset, information must be managed and protected from internal and external threats. In order to protect its information assets, the organization must develop sustainable security measures and integrate those measures into its business processes. ISO/IEC and ISO/IEC assessments provide strategic and tactical direction for assessing, measuring and preventing threats, as well as proposed range of security controls focused on safeguarding information assets. Trace3 Co-Management Risk & Compliance Solutions s Guide
6 Policy and Procedure A review of documented security policies for proper coverage of information security as related to ISO Through this review we will recommend additional policies/procedures and/or modifications to existing policies that have been or need to be created. Policy & Procedure Writing Assist in writing policies and procedures applicable to the business and operational needs of a network. The goal for this activity is to develop a tailored and flexible plan that is easy to use when recovery activities are activated. Specific objectives to achieve this goal include: Disaster Planning Disaster Define the components of the plan. Select team leaders, members and alternates based upon functional areas who may be involved in the plan development and initial walkthrough of the plan. Develop procedures that address and document the steps for responding to a crisis event, recovering operational capability and resuming critical business functions, and eventually restoring all functions to business as usual. Ensure important decisions are made and documented in the plan. Document relationships that will be relied upon if the company experiences a disaster, including contact names and type of assistance they may provide. Review completed plans with senior management to confirm approach and assumptions. Reassess work program and schedule and make necessary adjustments. Test facilitation and training services provide organizations with an independent, objective exercise and assist with bringing stakeholders up to speed on what they need to know. gives management confidence in the validity of their plans, and training provides for usability of plans in the hands of stakeholders who will execute them. Business Impact Analysis (BIA) The BIA process is normally conducted to help an organization identify the key systems and data relevant to sustaining business. This process is the first step in putting together an effective business continuity plan. It requires client participants to identify economic, legal, service, and other operational implications that affect their ability to deliver a service or other work product in the event of a service disruption. The BIA process helps define the results of a loss on individual locations, business units or processes in financial and operational terms. The results provide information about a business area s current ability to deal with a disruption, and the potential impacts that may be experienced if one should occur. Rogue Wireless Detection: Detect rogue wireless AP s including Direction Finding of said connection devices. Wireless Test Attempts at gaining access to wireless networks through compromising vulnerabilities in the wireless infrastructure to gain unauthorized access to networks and systems. Trace3 Co-Management Risk & Compliance Solutions s Guide
7 Wireless Architecture of the diagrams of wireless networks and protocols surrounding them for security efficacy and potential vulnerabilities. Wireless Policies & Procedures of policies and procedures pertaining to wireless networking. Conducting a gap analysis of those policies and procedures for best practices. Physical Security This assessment process begins with a characterization of the facility including identification of the undesired events and the respective critical assets. Guidance for defining a design basis threat is included, as well as the definition of the threat to estimate the likelihood of an adversary attack at a specific facility. Relative values of consequence are estimated. Methods are also included for estimating the effectiveness of the security system against the adversary attack. Finally, risk is calculated. In the event that the value of risk is deemed to be unacceptable (too high), the methodology addresses a process for identifying and evaluating security system upgrades in order to reduce risk. Forensic Analysis Complete systems analysis of live systems for forensic evidence. Hard Drives Analysis Forensics analysis of hard drives for evidence of crimes, intrusions or incidents. Such evidence can be taken to authorities and courts. Rootkit Detection Detection of rootkits, backdoors, Trojans, etc. for forensic purposes. Active Threat Defense Defending a network against an active attack (ie. DDoS, corporate espionage, counter attack, etc.) External Threat Mitigation Identify, monitor and track external threats. (Hacking, theft, harrassment, etc.) Internal Threat Mitigation Problematic internal employee or resource tracking, monitoring, and mitigation. (AUP violations, termination policy enforcement, internal hacking, etc.) Trace3 Co-Management Risk & Compliance Solutions s Guide
Cisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationInformation Security and Risk Management
Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationGUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT
GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationCompliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:
Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services
More informationDevice Hardening, Vulnerability Remediation and Mitigation for Security Compliance
Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationCyber Incident Response
State Capitol P.O. Box 2062 Albany, NY 12220-0062 www.its.ny.gov New York State Information Technology Standard IT Standard: Cyber Incident Response No: NYS-S13-005 Updated: 03/20/2015 Issued By: NYS ITS
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationTechnical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments
DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance
More informationSecurity. Security consulting and Integration: Definition and Deliverables. Introduction
Security Security Introduction Businesses today need to defend themselves against an evolving set of threats, from malicious software to other vulnerabilities introduced by newly converged voice and data
More informationI n f o r m a t i o n S e c u r i t y
We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments.
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationAbout This Document. Response to Questions. Security Sytems Assessment RFQ
Response to Questions Security Sytems Assessment RFQ Posted October 1, 2015 Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More information7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008
U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationNetwork Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients
Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com
More informationInternal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015
Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationAUTOMATED PENETRATION TESTING PRODUCTS
AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for automated penetration testing software and demonstrate
More informationTRIPWIRE NERC SOLUTION SUITE
CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationSecurity aspects of e-tailing. Chapter 7
Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing
More informationBusiness Continuity Plan
Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions
More informationHIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004
HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004 Table of Contents Abstract... 3 Assignment 1 Define the Environment...
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationEEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
More informationPractical Guidance for Auditing IT General Controls. September 2, 2009
Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationIncident Response. Proactive Incident Management. Sean Curran Director
Incident Response Proactive Incident Management Sean Curran Director Agenda Incident Response Overview 3 Drivers for Incident Response 5 Incident Response Approach 11 Proactive Incident Response 17 2 2013
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationHigh Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe
2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationIBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security
IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS
More informationSAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts
SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance
More informationWhy Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.
Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks
More informationInformation Security for the Rest of Us
Secure Your Way Forward. AuditWest.com Information Security for the Rest of Us Practical Advice for Small Businesses Brian Morkert President and Chief Consultant 1 Introduction President Audit West IT
More informationSecurity solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.
Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?
More informationCisco SAFE: A Security Reference Architecture
Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationPENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationEMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES
EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationGEARS Cyber-Security Services
Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments
More informationMicrosoft Services Premier Support. Security Services Catalogue
Microsoft Services Premier Support Security Services Catalogue 2014 Microsoft Services Microsoft Services helps you get the most out of your Microsoft Information Technology (IT) investment with integrated
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationExam 1 - CSIS 3755 Information Assurance
Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationProfessional Services Overview
Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationPCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES
CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE BENCHMARKS, STANDARDS, FRAMEWORKS
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationJumpstarting Your Security Awareness Program
Jumpstarting Your Security Awareness Program Michael Holcomb Director, Information Security HO20110473 1 Jumpstarting Your Security Awareness Program Classification: Confidential Owner: Michael Holcomb
More informationThe Security Organization p. 1 Anecdote p. 2. Introduction
Preface p. xxiii Introduction p. xxv The Security Organization p. 1 Anecdote p. 2 Introduction p. 2 Where to Put the Security Team p. 2 Where Should Security Sit? Below the IT Director Report p. 3 Where
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationHow a Company s IT Systems Can Be Breached Despite Strict Security Protocols
How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911 Overview Good
More informationBEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
More informationThreat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA
www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationAlcatel-Lucent Services
SOLUTION DESCRIPTION Alcatel-Lucent Services Security Introduction Security is a sophisticated business and technical challenge, and it plays an important role in the success of any network, service or
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationState of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
More informationSHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES
SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES 2 On June 3, 2009, Plante & Moran attended the Midwest Technology Leaders (MTL) Conference, an event that brings together
More informationVendor Questions and Answers
OHIO DEFERRED COMPENSATION REQUEST FOR PROPOSALS (RFP) FOR COMPREHENSIVE SECURITY ASSESSMENT CONSULTANT Issue Date: December 7, 2016 Written Question Deadline: January 11, 2016 Proposal Deadline: RFP Contact:
More informationCloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC
Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications
More informationLog Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging
Log Management Standard Effective Date: 7/28/2015 1.0 INTRODUCTION The California State University, Chico system/application log management standard identifies event logging requirements, log review frequency,
More information