R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES



Similar documents
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

A Decision Maker s Guide to Securing an IT Infrastructure

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Cisco ASA. Administrators

Protecting Your Organisation from Targeted Cyber Intrusion

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Securing the Service Desk in the Cloud

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SonicWALL PCI 1.1 Implementation Guide

Web Plus Security Features and Recommendations

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

March

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Best Practices for PCI DSS V3.0 Network Security Compliance

CompTIA Security+ (Exam SY0-410)

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Guidelines for Web applications protection with dedicated Web Application Firewall

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Guideline on Auditing and Log Management

Adobe Systems Incorporated

FISMA / NIST REVISION 3 COMPLIANCE

PCI Compliance Considerations

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Information Security Network Connectivity Process

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Supplier Information Security Addendum for GE Restricted Data

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

CYBER SECURITY. Is your Industrial Control System prepared?

Lesson Plans Administering Security in a Server 2003 Network

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Device Log Export ENGLISH

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

BMC s Security Strategy for ITSM in the SaaS Environment

Document ID. Cyber security for substation automation products and systems

Security Controls for the Autodesk 360 Managed Services

Altus UC Security Overview

Network and Security Controls

Information Technology General Controls And Best Practices

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

SANS Top 20 Critical Controls for Effective Cyber Defense

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

C015 Certification Report

CareGiver Remote Support Information Technology FAQ

NSFOCUS Web Application Firewall White Paper

Oracle Database 11g: Security. What you will learn:

How To Manage Web Content Management System (Wcm)

c) Password Management The assignment/use of passwords is controlled in accordance with the defined Password Policy.

INFORMATION SECURITY TRAINING CATALOG (2015)

8070.S000 Application Security

How To Protect Your Data From Being Stolen

Cyber Security Risk Mitigation Checklist

A Rackspace White Paper Spring 2010

Oracle Database 11g: Security

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Common Criteria Web Application Security Scoring CCWAPSS

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Internal Penetration Test

Security Considerations White Paper for Cisco Smart Storage 1

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

CYBER SECURITY POLICY For Managers of Drinking Water Systems

Security and Control Issues within Relational Databases

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Information Shield Solution Matrix for CIP Security Standards

Criteria for web application security check. Version

Standard Information Communications Technology. Multifunction Device. January 2013 Version 2.2. Department of Corporate and Information Services

Payment Card Industry Self-Assessment Questionnaire

1B1 SECURITY RESPONSIBILITY

Client Security Risk Assessment Questionnaire

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Locking down a Hitachi ID Suite server

October P Xerox App Studio. Information Assurance Disclosure. Version 2.0

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

THE AUSTRALIAN SIGNALS DIRECTORATE (ASD) STRATEGIES TO MITIGATE TARGETED CYBER INTRUSIONS

Chapter 9 Firewalls and Intrusion Prevention Systems

Top 20 Critical Security Controls

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Global Partner Management Notice

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Codes of Connection for Devices Connected to Newcastle University ICT Network

Introduction to Endpoint Security

WordPress Security Scan Configuration

Four Top Emagined Security Services

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Transcription:

R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES RECOMMENDATION Geneva April 2016

R 143 Cybersecurity Rec. for media vendors systems, software & services Cybersecurity Recommendation for media vendors systems, software & services EBU Committee First Issued Revised Re-issued TC 2016 Keywords: Security, Services, Infrastructure, Broadcasting, IP. Recommendation The EBU, considering that, 1. Media companies increasingly employ third parties to provision their systems, software and services. 2. Production workflows and infrastructures are rapidly migrating to generic IT technologies. 3. Cyberthreats (e.g. malware and ransomware) are increasingly easier to perform and are continuously evolving. 4. Connected media devices still tend to have a low security threshold inherited from the era of non-connected broadcast media. Recommends that media companies: 1. Apply the annexed security safeguards when planning and designing their systems, software and services. 2. Require potential vendors of systems, software and services to declare their ability to comply with the annexed security safeguards (by completing columns A, B & C) when responding to tenders or requests for technology. 3. Define their minimal vendor system acceptance level on the basis of this recommendation with full awareness of the potential risks. Note The annexed security safeguards have been drawn up using inputs from recognised European safety institutes including ANSSI 1, BSI 2, together with inputs from a group of European broadcasters with recent, hard-won experiences of dealing with security issues. 1 Agence Nationale de la Sécurité des Systèmes d Information (France) : http://www.ssi.gouv.fr 2 German alliance for cybersecurity : https://www.allianz-fuer-cybersicherheit.de/ 3

Cybersecurity Rec. for media vendors systems, software & services R 143 Page is intentionally blank. This document is formatted for two-sided printing. 4

R 143 Cybersecurity Rec. for media vendors systems, software & services Annex: Recommended Security Requirements Vendor Security Requirement A B C Do you provide this requirement? (Yes or No) If you answered No in column A, when will this requirement be met / provided? Your Questions/Remarks 1. Organisational Safeguards 1.1 Product lifecycle & internal processes Follow well known best practices or information security standards when developing and implementing security measures Strive for a broadly accepted certification regarding the implemented security measures "Implemented, written development policies (e.g. following OWASP Top 10 )" Mandatory test stages (security gates) required within the development cycle Implemented code analyses during development cycle Cleaning of products to ensure that no test code remains from the development process Regular technical security analyses (penetration and vulnerability tests) Tracking and handling of vulnerabilities Clearly define the product lifecycle and ensure that patches and updates are available over that lifecycle. Support for security updates for all third-party components, including the operating system platform and Runtime Environments used. 1.2 Communication Appointed points of contact or other contact options for security questions and incidents Information process for customers in case a weakness in a product becomes known 5

Cybersecurity Rec. for media vendors systems, software & services R 143 Vendor Security Requirement "Vendor shall support customer maintenance access procedures (RAS, VPN, Accounts, Password) " A B C Do you provide this requirement? (Yes or No) If you answered No in column A, when will this requirement be met / provided? Your Questions/Remarks 2. Product Safeguards 2.1 Documentation Explicit instruction to change passwords from their defaults is necessary Proper description of security functionalities "Documentation of interfaces, access points, network communication and features" "Inclusion of information on how to integrate the product in a security concept (e.g. different network zones, central authentication service, workflows, interfaces, only the necessary TCP/UDP ports are open )" Recommendation on hardening or best practice configuration Description of the patch management process regarding security updates 2.2 Authentication and Authorization "Must support central authentication services (e.g. LDAP, active directory, Radius)" Session timeout support Support for role based access control Support of personalized accounts Enforce change of default passwords Support for implementation of a password policy Two-factor authentication support for internet facing products Strong authentication such as two-factor authentication Support for AAA logging on centralized logging server 6

R 143 Cybersecurity Rec. for media vendors systems, software & services Vendor Security Requirement A B C Do you provide this requirement? (Yes or No) If you answered No in column A, when will this requirement be met / provided? Your Questions/Remarks 2.3 Encryption Encrypted password storage and transfer Support of state-of-the-art encryption technologies, following the best practice recommendations "Support for encrypted (e.g. TLS based) network protocols (https, ftps, sftp)" "Avoid clear text protocols (http, telnet, ftp) " Support of certificates and PKI usage 2.4 Base configuration Support for logging (at minimum, failed and successful login events AAA) "Support for centralized logging of log files (Syslog, Events Logs)" Option to control connection of USB and portable media Deactivation of unneeded network protocols and services "Must support effective protection against Virus/Malware and Exploits (e.g. Antivirus, EMET) on server and client side." Hardened base operating system if provided by the vendor Must support vulnerability scanners Support for monitoring (min. SNMPv2) Backup / Restore support (configuration settings) Possibility for decoupling the operating system from the software itself (allowing OS and Runtime Environments patching) 2.5 Network configuration "Support for sufficiently granular segmentation of networks (MPLS, Multi VLAN support, Routing)" No direct connection of control components with the Internet (licensing issues) 7

Cybersecurity Rec. for media vendors systems, software & services R 143 Vendor Security Requirement "If Internet connection is needed, support for content inspection (e.g. forward and reverse proxy, including authentication mechanisms)" Support for maintenance access points in a demilitarised zone (DMZ) so that vendors or administrators first connect to a DMZ instead to the application itself. (e.g. Jumphosts) A B C Do you provide this requirement? (Yes or No) If you answered No in column A, when will this requirement be met / provided? Your Questions/Remarks 2.6 Application security Implemented proper input validation inside the application Controls against Cross Site Scripting and SQL Injection for web frontends (e.g OWASP Top 10) "Support add-on plug-in release management (e.g. Flash, Java, PHP, )" Regular patch management for provided applications Application runs in non-admin context (fewest privileges possible) Zero day vulnerability management and communication 3. Vendor ISMS There is a documented Cyber Security Policy in place An effective Cyber Security Organisation is established A CISO is named who is granted the needed competencies to fulfil the role An Audit plan exists that includes regular audits and penetration tests of the internal infrastructure "Cyber Security is included in employee trainings, regular awareness campaigns are conducted" 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information