Information Security
- Frederick Booker
- 8 years ago
We help organizations protect INFORMATION

The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs, especially in Critical Infrastructure environments. Our experience with State and Local Government, Financial, Healthcare, and Energy sector clients gives us a significant edge in helping our customers conserve resources on cyber security and related regulatory compliance initiatives.

Information Security: Consulting * Training * Management

At any point in the Security Lifecycle, BorderHawk can be there as needed: strategic planning, policy analysis or development, controls design, solutions implementation, or even as technical project managers.

ISO * HIPAA * NERC CIP * NISPOM * NIST * PCI * IRS Form 1075 * FPLS

- Cybersecurity Analytics & Alerting
- Information Security Training
- Consulting on Information Assurance Issues
- Cyber Incident Response
- Standards Based Information Risk Assessments
- Cyber Security Testing
- Information Systems Forensics

Need More Information? Call: info@borderhawk.com

Our Security Teams are comprised of only the most senior Information Security professionals in the United States; these are hands-on professionals that have been there. Accordingly, our teams have decades of experience conducting complex security engagements in a variety of public and private sector environments.
BORDERHAWK CORPORATE OVERVIEW

Georgia Corporation as of 2008 (Sole Proprietor, )
Steve Akridge, Owner
Phone:
Former: Chief Information Security Officer (CISO), State of Georgia; Technical Director, Defense Security Service, U.S. Dept of Defense; Chief Cryptologic Tech, Naval Security Group Command
JD, MS, CISSP, CISM, CGEIT
Mailing Address: 3330 Cobb Pkwy NW STE 17 PMB363, Acworth, GA
Operational Office in Cartersville, GA

BorderHawk Values: We believe your organization's information, workforce, and supporting infrastructure are critical components to your success. Consequently, we believe that truly tested professionals with demonstrated integrity, courage, and commitment are the key to achieving your organization's goals. We are tested experts offering best-in-class solutions to resolve security and safety issues.

BorderHawk Mission Statement: To provide our clients with experienced advice and professional services involving information protection, workplace safety, employee awareness, and infrastructure management. We deliver innovative solutions that empower our clients in meeting regulatory requirements, while maintaining a competitive business infrastructure.
BORDERHAWK SERVICES

Cybersecurity Analytics & Alerting

BorderHawk Cybersecurity Analytics & Alerting provides ongoing awareness of information security, information technology vulnerabilities, and potential threats to support organizational risk management decisions. By monitoring certain critical computer systems within your environment and analyzing information collected via the Internet regarding your organization, the BorderHawk Team is often able to isolate potential threat indicators and extrapolate such knowledge into proactive indication and warning processes. We use a variety of cutting-edge tools to collect information, and then we employ a team of experts to analyze that data in order to reach solid conclusions about threats to your organization.

- Detect/Prevent Unauthorized Access and Insider Abuse
- Meet Regulatory Requirements
- Forensic Analysis and Correlation
- Ensure Regulatory Compliance
- Track Suspicious Behavior
- IT Troubleshooting and Network Operation

Our Cyber Threat Reports deliver both strategic and tactical perspectives regarding your organization's information security.

Client Driven:
- Reported as needed
- Focus of analysis can be changed in near real-time
- Issue can be refined for macro or micro analysis

- Breaking News
- Daily Situation Report
- Weekly Status Report
- Quarterly Trends Analysis

Knowledge delivered by such products:
- provides historical, current, and predictive views of business-related events in order to guide leadership decisions and actions
- involves computer-based techniques to gather business-related information from within your environment and publicly available sources for analysis in order to produce actionable security responses
Information Security Training

Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an ongoing basis. "Learning is a continuum: it starts with awareness, builds to training, and evolves into education." (NIST Special Publication Revision 1)

BorderHawk has developed a Web-based Information Security tutoring solution. Our approach delivers two options for our clients:

1) Generic (ISO 17799/27001) Information Security Awareness and Training modules, or
2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc.

In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training.

Most organizations have either adopted or are moving toward a remote or off-site business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web-based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The student simply logs in using a credit card, selects a module, and follows on-screen prompts through the module. When the module has been completed with a passing score, an e-mail is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the student.
Consulting on Information Assurance Issues

- Security Policy
- Access Control
- Organization of Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Info Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Cyber Incident Response

BorderHawk is available to help you manage all aspects of a breach, including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed. In response to risks identified by a breach, we work with you to:

- Limit immediate incident impact to customers and partners
- Determine who initiated the incident and your options going forward
- Recover from the incident and return to operations
- Review existing policies and protocols for adequacy
- Determine how the incident occurred
- Avoid escalation and further incidents
- Help assess impact and damage
- Review adequacy of other systems' security
- Develop long-term mitigation plans
- Provide necessary training
Standards Based Information Risk Assessments

Information Risk Assessments set the stage for establishing the Information Technology "Big Picture". Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Financial Services - Federal Financial Institutions Examination Council (FFIEC) & Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP), or the Payment Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: People, Process, and Technology.

Assessment phases:
- Preparation: Doc Request, Overview, Scoping
- Discovery: People, Processes, Technology
- Analysis: Results, Ratings, Trends
- Reporting: Draft Report, Final Report, Recommendations

The cost of a BorderHawk Information Risk Assessment is directly related to the client's needs and information security program.

OPTION 1: INFORMATION RISK PROGRAM DEVELOPMENT

Process description: Information Risk Assessment consisting of 11 Information Security Management Controls and 132 sub-components

Activity                        Hours
Discovery (offsite & onsite)    60
Analysis
Reporting                       40
Planning                        40
Total
Option 1 Inquiries

Security Policy: Information Security Policy Evaluation; Review of Information Security Policy Implementation

Organization of Security: Management Commitment to Information Security; Information Security Co-ordination; Allocation of Information Security Responsibilities; Authorization Process for Information Processing Facilities; Confidentiality Agreements; Contact with Authorities; Contact with Special Interest Groups; Independent Review of Information Security; Identification of Risks Related to External Parties; Addressing Security When Dealing with Customers; Addressing Security in Third Party Agreements

Asset Management: Inventory of Assets; Ownership of Assets; Acceptable Use of Assets; Classification Guidelines; Information Labeling & Handling

Human Resources Security: Roles & Responsibilities; Screening; Terms & Conditions of Employment; Management Responsibilities; Information Security Awareness, Education, & Training; Disciplinary Process; Termination Responsibilities; Return of Assets; Removal of Access Rights

Physical & Environmental Security: Physical Security Perimeter; Physical Entry Controls; Securing Offices, Rooms, & Facilities; Protecting Against External & Environmental Threats; Working in Secure Areas; Public Access, Delivery, & Loading Areas; Equipment Protection; Supporting Utilities; Cabling Security; Equipment Maintenance; Security of Equipment Off-Premise; Secure Disposal or Re-use of Equipment; Removal of Property

Communications & Operations Management: Documented Operating Procedures; Change Management; Segregation of Duties; Separation of Development, Test, & Operational Facilities; Third Party Service Delivery Management; Monitoring & Review of Third Party Services; Managing Changes to Third Party Services; Capacity Management; System Acceptance; Controls against Malicious Code; Controls against Mobile Code; Information Back-up; Network Controls; Security of Network Services; Management of Removable Media; Disposal of Media; Information Handling Procedures; Security of System Documentation; Information Exchange Policies & Procedures; Exchange Agreements; Physical Media in Transit; Electronic Messaging; Business Information Systems; Electronic Commerce; On-line Transactions; Publicly Available Information; Audit Logging; Monitoring System Use; Protection of Log Information; Administrator & Operator Logs; Fault Logging; Clock Synchronization

Access Control: Access Control Policy; User Registration; Privilege Management; User Password Management; Review of User Access Rights; Password Use; Unattended User Equipment; Clear Desk & Clear Screen Policy; Policy on Use of Network Services; User Authentication for External Connections; Equipment Identification in Networks; Remote Diagnostic & Configuration Port Protection; Segregation in Networks; Network Connection Control; Network Routing Controls; Secure Log-on Procedures; User Identification & Authentication; Password Management System; Use of System Utilities; Session Time Out; Limitation of Connection Time; Information Access Restrictions; Sensitive System Isolation; Mobile Computing & Communications; Teleworking

Info Systems Acquisition, Development & Maintenance: Security Requirements Analysis & Specification; Input Data Validation; Control of Internal Processing; Message Integrity; Output Data Validation; Policy on the Use of Cryptographic Controls; Key Management; Control of Operational Software; Protection of System Test Data; Access Control to Program Source Code; Change Control Procedures; Technical Review of Applications after Operating System Changes; Restrictions on Changes to Software Packages; Information Leakage; Outsourced Software Development; Control of Technical Vulnerabilities

Information Security Incident Management: Reporting Information Security Events; Reporting Security Weaknesses; Information Security Incident Management Responsibilities & Procedures; Learning From Information Security Incidents; Collection of Evidence
Business Continuity Management: Including Information Security in the Business Continuity Management Process; Business Continuity & Risk Assessment; Developing & Implementing Continuity Plans Including Information Security; Business Continuity Planning Framework; Testing, Maintaining & Re-assessing Business Continuity Plans

Compliance: Identification of Applicable Legislation; Intellectual Property Rights; Protection of Organizational Records; Data Protection & Privacy of Personal Information; Prevention of Misuse of Information Processing Facilities; Regulation of Cryptographic Controls; Compliance with Security Policies & Standards; Technical Compliance Checking; Information Systems Audit Controls; Protection of Information Systems Audit Tools

OPTION 2: INFORMATION RISK GAP ANALYSIS

Process description: Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components

Activity                        Hours
Discovery (offsite & onsite)
Analysis                        24
Reporting                       16

Option 2 Inquiries: Information Security Policy Evaluation; Allocation of Information Security Responsibilities; Confidentiality Agreements; Independent Review of Information Security; Identification of Risks Related to External Parties; Addressing Security in Third Party Agreements; Inventory of Assets; Acceptable Use of Assets; Terms & Conditions of Employment; Information Security Awareness, Education, & Training; Physical Security Perimeter; Physical Entry Controls; Securing Offices, Rooms, & Facilities; Secure Disposal or Re-use of Equipment; Change Management; System Acceptance; Controls against Malicious Code; Information Back-up; Security of Network Services; Disposal of Media; Physical Media in Transit; Electronic Commerce; Access Control Policy; Password Use; Clear Desk & Clear Screen Policy; Segregation in Networks; Network Routing Controls; User Identification & Authentication; Mobile Computing & Communications; Teleworking; Outsourced Software Development; Reporting Information Security Events; Information Security Incident Management Responsibilities & Procedures; Collection of Evidence; Business Continuity & Risk Assessment; Intellectual Property Rights; Protection of Organizational Records; Data Protection & Privacy of Personal Information; Prevention of Misuse of Information Processing Facilities; Compliance with Security Policies & Standards; Technical Compliance Checking; Information Systems Audit Controls; Protection of Information Systems Audit Tools

OPTION 3: INFORMATION RISK DOCUMENT REVIEW

Process description: Analysis of the client-completed BorderHawk Information Risk Questionnaire and requested supplemental documents provided by the client. Not to exceed 24 hours expended time.

Option 3 Inquiries

The BorderHawk Information Risk Questionnaire develops a high-level overview of an organization's information security posture. Specifically, this document requests an overview of the client's business function, a preliminary list of documents describing information technology and security operations, and a brief questionnaire about security within the organization. The review process requires that documentation be provided in a digital or paper format, including:

- Information Security Policy: This document states your organization's policy and management direction as it relates to information security
- Information Security Procedures, Guidelines, & Standards: Information protection related procedures, guidelines, and standards supporting the information security policy
- Security Incident Reporting and Procedures: Procedures and forms associated with the organization's incident response plan
- System Configuration Diagrams: Technical policies, procedures and other baseline documents used by your information technology group for installation and configuration of information systems
- Change Management: Change control policy, procedures, and other documents used to initiate and/or validate changes to information systems and/or their environment
- Most Recent Information Technology Audit or Review of Controls (SAS70 or Equivalent): Assessments by external consulting organizations and associated documentation
- Software Coding Standards (if applicable): Software development and testing procedures
- Network Architecture: Network architecture diagram detailing all inbound and outbound network connections (Internet, VPN, remote access, third-party vendors, etc.)

Cyber Security Testing

BorderHawk Cyber Security Testing is a hands-on effort in which Test Operators attempt to circumvent security features of a system or network based on their understanding of the technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network by using common attacker tools and techniques. Accordingly, in order to conduct a penetration test, the operator must first conduct a vulnerability assessment in order to determine exploitable targets.

External Network Assessment
- Targets: Internet-facing systems and devices
- Attack Parameters: May include both automated and manual attacks; will usually NOT include exploitation of any identified vulnerabilities; password cracking usually in the scope
- Restrictions: Attack(s) usually limited to non-business hours
- Time to Complete: Dependent on target size according to Internet Protocol (IP) addresses

Internal Network Assessment
- Targets: Internal network devices, not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices. Optional: Configuration review of the firewall and internal
- Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours. Caution: potential for interruption of critical business systems
- Restrictions: Internal network assessment will be conducted on-site; will not include mainframe systems
- May include both automated and manual attacks, but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in the scope
- Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

Wireless Assessment
- Targets: Organization, Campus, Specific Building, or Facility
- Attack Parameters: May occur during business hours for unobtrusive scans; rogue wireless device detection, penetration testing, and password cracking usually in the scope
- Restrictions: Wireless security risk assessment usually limited to technologies
- Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

Social Engineering
Attempt to bypass security controls in order to gain access to sensitive areas or information
- Targets: Individual, Organization, Campus, Specific Building, or Facility
- Attack Parameters: May include physical access, telephone, and e-mail/phishing
- Restrictions: Attack may be performed any time
- Time to Complete: Dependent on target size and client needs

Application Pen Test
- Targets: Web-based production application, Internet-facing IP address
- Attack Parameters: May include both automated and manual attacks; may include attempts to gain access through social engineering
- Restrictions: Will usually not include exploitation of any identified vulnerabilities; password cracking is usually in the scope; will not include a code review
- Time to Complete: Dependent on target size and client needs

Information Systems Forensics
In association with our forensic partners, BorderHawk can be available to assist with all facets of computer evidence extraction, preservation, analysis, and presentation. Depending on the situation, we are prepared to assist with:

- Digital evidence acquisition, search, filter, and consolidation from virtually any type of media, from mobile hand-held devices through fixed plant servers and cloud repositories
- Depositions and expert witness testimony, helping achieve optimal balance in legal and technical strategies
- Special Master Duties (E-Discovery & Information System Forensics)
- Analyzing and exposing flaws with interpretation of electronic evidence and results gleaned from other digital forensic analysis efforts

BORDERHAWK SAMPLE ENGAGEMENTS

Large Financial Institution: Information Risk Assessments of over sixty-five third party/vendor companies located throughout the US and Canada (business verticals include financial, insurance, health, technology, printing, courier, software, receivables, non-profits, legal, and data brokers); ISO/IEC 17799; FFIEC

Oil Pipeline Company (Northwest); State Dept of Revenue, Tax Division (Northwest); State Legislative Services Division (Midwest); State Dept of Blind Services (Southeast): Information Security Program Development; Custom Training; ISO/IEC 17799/27001/27002 Code of Practice for Information Security Management, NIST SP Guide for Developing Security Plans for Federal Information Systems and IRS Publication 1075; API-1164

State Department of Corrections (Southeast); City (Electric Utility) (Southeast); City, Employees Retirement System (Northeast); Non Profit (Law Enforcement Related) (Southeast): Cyber Security Testing; penetration testing, technical vulnerability assessment, and controls analysis; ISO/IEC 17799; NERC CIP 5 & 7

Medical Device Company (Southeast); Insurance Company (Southeast); Hospital Company (Southeast); State Dept of Labor (Northwest); Pharmaceutical Company (Southwest); State Dept of Health and Social Services (Northwest); State Dept of Human Resources (Southeast): Information Security Program Assessment; Federal Parent Locator Service, HIPAA; ISO/IEC

Retail Company (Northeast); Non Profit (Technology Provider) (Southeast); Financial Service Company (Global): Information Security Incident Analysis; Incident response to potential cyber crime or other malicious activity specifically targeting client networks or sensitive data
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationInformation security management systems Specification with guidance for use
BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More information^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA
^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS017799 ALAN CALDER STEVE WATKINS KOGAN PAGE London and Sterling, VA Contents Foreword by Nigel Turnbull How to use this book
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationThe ICS Approach to Security-Focused IT Solutions
The ICS Approach to Security-Focused IT Solutions for the State of Mississippi ICS offers a dynamic and comprehensive portfolio of security-driven IT solutions for the State of Mississippi. Taking a proactive
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationCurrent IBAT Endorsed Services
Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationDraft Information Technology Policy
Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software
More informationTRIPWIRE NERC SOLUTION SUITE
CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering
More informationInformation Security Management. Audit Check List
Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationProfessional Services Overview
Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationNEC Managed Security Services
NEC Managed Security Services www.necam.com/managedsecurity How do you know your company is protected? Are you keeping up with emerging threats? Are security incident investigations holding you back? Is
More informationRecent Researches in Electrical Engineering
The importance of introducing Information Security Management Systems for Service Providers Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * Faculty of Electrical Engineering
More informationThe Education Fellowship Finance Centralisation IT Security Strategy
The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and
More informationISACA rudens konference
ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationInformation Security Policy version 2.0
http://kfu.edu.sa KING FAISAL UNIVERSITY Information Security Policy version 2.0 Prepared & Presented by: M. Shahul Hameed, MBA, M.Sc.IT, C\MA, CIA, PMP, CGEIT, CISA, CISM, ITSM(ITIL), ISO27001LA, Head
More informationEcom Infotech. Page 1 of 6
Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance
More informationIntroduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec
Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationNERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice
NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to
More informationSAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
More informationThis is a free 15 page sample. Access the full version online.
AS/NZS ISO/IEC 17799:2001 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationTHE BLUENOSE SECURITY FRAMEWORK
THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program
More information