Corporate Account Takeover (CATO) Risk Assessment



Similar documents
Your security is our priority

3. Are employees set as Administrator level on their workstations? a. Yes, if it is necessary for their work. b. Yes. c. No.

4/20/2015. Fraud Watch Campaign. AARP is Fighting for You. AARP is Fighting for You. Campaign Tactics. AARP can help you Spot & Report Fraud

Cybersecurity Health Check At A Glance

Network and Security Controls

Client Security Risk Assessment Questionnaire

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Supplier Information Security Addendum for GE Restricted Data

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Top tips for improved network security

Small Business IT Risk Assessment

Business ebanking Fraud Prevention Best Practices

Cyber Self Assessment

Internet threats: steps to security for your small business

2012 Endpoint Security Best Practices Survey

Cyber Security: Beginners Guide to Firewalls

Payment Card Industry Self-Assessment Questionnaire

Computer and Network Security Policy

Business Internet Banking / Cash Management Fraud Prevention Best Practices

HIPAA Compliance Evaluation Report

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

Stable and Secure Network Infrastructure Benchmarks

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Frequently Asked Questions

IT Security Procedure

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

FINAL May Guideline on Security Systems for Safeguarding Customer Information

PCI DSS Requirements - Security Controls and Processes

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Telework and Remote Access Security Standard

Cybersecurity Best Practices

Remote Deposit Terms of Use and Procedures

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

CLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

1. Why is the customer having the penetration test performed against their environment?

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Guide to Vulnerability Management for Small Companies

Basic Computer Security Part 2

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Corporate Account Take Over (CATO) Guide

GFI White Paper PCI-DSS compliance and GFI Software products

INFORMATION SECURITY FOR YOUR AGENCY

Malware & Botnets. Botnets

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Information Technology General Controls And Best Practices

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Supplier Security Assessment Questionnaire

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

System Security Policy Management: Advanced Audit Tasks

Network/Cyber Security

IT Service Desk

YSU Secure Wireless Connect Guide Windows XP Home/Professional/Media Center/Tablet PC Edition

Remote Deposit Quick Start Guide

8 Steps For Network Security Protection

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

In-House Vs. Hosted Security. 10 Reasons Why Your is More Secure in a Hosted Environment

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Top 10 Tips to Keep Your Small Business Safe

Deep Security Vulnerability Protection Summary

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

SecurityMetrics Vision whitepaper

CBI s Corporate Internet Banking Inquiry Services gives you the ability to view account details and transactions anytime, anywhere.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Best Practices for DanPac Express Cyber Security

Hang Seng HSBCnet Security. May 2016

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

INFORMATION SECURITY BASICS. A computer security tutorial for Holyoke Community College

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Introduction to WSU

SITECATALYST SECURITY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

BKDconnect Security Overview

Protecting Your Organisation from Targeted Cyber Intrusion

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

INSTANT MESSAGING SECURITY

Did you know your security solution can help with PCI compliance too?

Data Management Policies. Sage ERP Online

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Transcription:

Corporate Account Takeover (CATO) Risk Assessment As a business, you want to be sure you have a strong process in place for monitoring and managing who has access to your ECorp services and how the information is handled. Use this Risk Assessment to make sure you have the necessary controls in place. For each question below, select the answer that best represents your environment. You ll see a number after each possible answer. These numbers will be used in the section called Risk Rating. At the end of the Risk Assessment you ll find a section called CATO Vulnerability-Best Answers & Tips. Use this to evaluate your current environment and to make to make any necessary changes, so your ECorp process is secure. Date Risk Assessment Conducted: Risk Assessment Completed By: Personnel Security 1) Are employees required to sign and Acceptable Use Policy (AUP)? a. Yes, at least annually or more frequently as needed (1) b. Yes, but only at hire (2) 2) Does each employee using ECorp go through security awareness training? a. Yes, at least annually or more frequently as needed (1) b. Yes, but only at hire (2) 3) Do you run background checks on employees prior to hire? a. Yes, for all employees (1) b. Yes, but only based on position (2)

Computer System Security 4) Do your computer systems have up-to-date antivirus software? a. Yes, all systems (1) b. Yes, but only critical systems (3) 5) Is there a process in place to ensure software updates and patches are applied (ie, Microsoft, Web Browser, Abobe Products, etc.)? a. Yes, a formal process where updates are applied at least monthly (1) b. Yes, not informally as needed (3) 6) Do users run as local administrators on their computer systems? a. No (1) b. Only those that require it (3) c. Yes (5) 7) Is a firewall in place to protect the network? b. No (15) 8) Do you have an Intrusion Detection/Prevention System (IDS/IPS) in place to monitor and protect the network? 9) Is internet content filtering being used? a. Yes, internet traffice on the system used for high risk internet banking activities is completeley restricted to only sites specifically needed for business funtions (1) b. Yes, we have internet content filtering (2) 10) Is email SPAM filtering being used? b. No (5) 11) Are users of ECorp trained to manually lock their workstations when they leave them? a. Yes, and the system are set to auto-lock after a period of inactivity (1) b. Yes, but it is only manually (2) 12) Is wireless technology used on the network with ECorp? a. No (1) b. Yes, but wireless traffic uses industry approved encryption (ie, WPA, etc.) (1) c. Yes, but wireless uses WEP encryption (2) d. Yes, and wireless traffic is not encrypted (15)

Physical Security 13) Are critical systems (including systems used to access ECorp) located in a secure area? a. Yes, behind a locked door (1) b. Yes, in a restricted area (2) c. No, in a public area (5) 14) How are passwords protected? a. Passwords are securely stored (ie, Excel file) (1) b. Passwords are written on paper or sticky notes and placed by the computer (15) 15) Do you control unauthorized physical access to protect your computers? 16) Do you create back-up copies of information? Risk Rating Once you have completed the questionnaire, add up the numbers next to each answer you have selected. Using your total, note where you fall on the chart below: Overall Risk Rating 0-17 LOW 18-27 MEDIUM 28-37 HIGH Over 38 EXTREME CATO Vulnerability Best Answers & Tips: Compare your answers to the ECorp Risk Assessment to the Best Answers listed below. Tips are also provided to help you protect your systems and information. Personnel Security 1. a) An Acceptable Use Policy (AUP) details the permitted user activities and consequences of noncompliance. Examples of elements included in an AUP are: purpose and scope of network activity; devices that can be used to access the network, bans on attempts to break into accounts, crack passwords, circumvent controls or distrust services; expected user behavior; and consequences of noncompliance.

2. a) Security Awareness Training (SAT) for ECorp users, at a minimum, should include a review of the acceptable use policy, desktop security, log-on requirements, password administration guidelines, social engineering tactics, etc. Watch our Identity Theft tutorial on our website and read the NACHA Best Practices document (Next section in the Binder). 3. a) Companies should have plans in place to verify job application information on all new employees. The sensitivity of a particular position or job function may warrant additional background and credit checks. After employment, companies should remain alert to changes in employees circumstances that could increase incentives for abuse or fraud. Computer System Security 4. a) Companies should active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning. 5. a) Update your software frequently to ensure you have the latest security patches. This includes a computer s operating system and other installed software (ie, Web Browsers, Adobe Flash Player, Adobe Reader, Java, Microsoft Office, etc.). In many cases, it is best to automate software updates when the software supports it. 6. a) Limit local Administrator privileges on computer systems where possible. 7. a) Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (ie, PCs, Smart Phones, and Tablets). 8. a) Intrusion Detection/Prevention Systems (IDS/IPS) are used to monitor network/internet traffic and report or respond to potential attacks. 9. a) ECorp activities is completely restricted to only sites specifically needed for business functions. Filter web traffic to restrict potentially harmful or unwanted internet sites from being accessed by computer systems. For high risk systems, it is best to limit internet sites to only those business sites that are required. 10. a) Implementing email SPAM filtering will help eliminate potentially harmful or unwanted emails from making it to end users inboxes. 11. a) Systems should be locked (requiring a password to reconnect) when users walk away from their desks to prevent unauthorized access to the system. 12. a) or b) Wireless networks are considered public networks because they use radio waves to communicate. Radio waves are not confined to specific areas and are easily intercepted by unauthorized individuals. Therefore, if wireless is used, security controls such as encryption authentication, and segregation are necessary to ensure confidentiality and integrity. Physical Security 13. a) Physically secure critical systems to only allow access to approved employees. 14. a) Passwords should never be left out for unauthorized individuals to gain access.

15. a) Identify and challenge all third parties entering the organization s sensitive areas, lock all secondary entrances, and consider both the placement of paper documents and position of computer monitors to protect information. 16. a) Back up all critical information at least once a week, test backups monthly for successful recoverability, and rotate backups to an off-site location.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information