Risk Assessment Guide



Similar documents
Data Management Policies. Sage ERP Online

NIST National Institute of Standards and Technology

UF IT Risk Assessment Standard

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Information Technology Cyber Security Policy

WHY DO I NEED DATA PROTECTION SERVICES?

Data Security Incident Response Plan. [Insert Organization Name]

How To Protect The Time System From Being Hacked

HIPAA Security COMPLIANCE Checklist For Employers

How To Protect Decd Information From Harm

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Wellesley College Written Information Security Program

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

Autodesk PLM 360 Security Whitepaper

Network & Information Security Policy

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

HIPAA Security Alert

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Hengtian Information Security White Paper

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

ISSN: (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies

RISK ASSESSMENT GUIDELINES

Best Practices For Department Server and Enterprise System Checklist

External Penetration Assessment and Database Access Review

Network Security Policy

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Five keys to a more secure data environment

INFORMATION SECURITY FOR YOUR AGENCY

Vulnerability Management Policy

Better secure IT equipment and systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

PCI Compliance for Healthcare

FRAMEWORK. Continuous Process Improvement Risk, Information Security, and Compliance

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

A practical guide to IT security

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Information Security It s Everyone s Responsibility

Department of Education. Network Security Controls. Information Technology Audit

Cybersecurity Health Check At A Glance

External Supplier Control Requirements

Performing Effective Risk Assessments Dos and Don ts

Estate Agents Authority

Risk Management Guide for Information Technology Systems. NIST SP Overview

White Paper. Information Security -- Network Assessment

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

Network Security Policy

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Service Children s Education

Standard: Information Security Incident Management

Security Whitepaper: ivvy Products

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Responsible Access and Use of Information Technology Resources and Services Policy

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

SITECATALYST SECURITY

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

External Supplier Control Requirements

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Internal Control Guide & Resources

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Building Economic Resilience to Disasters: Developing a Business Continuity Plan

ELECTRONIC INFORMATION SECURITY A.R.

Cyber Self Assessment

Supplier Information Security Addendum for GE Restricted Data

Data Management & Protection: Common Definitions

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Technical Standards for Information Security Measures for the Central Government Computer Systems

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

PSWN. Land Mobile Radio System Security Planning Template. Final. Public Safety Wireless Network

KeyLock Solutions Security and Privacy Protection Practices

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

How-To Guide: Cyber Security. Content Provided by

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

Passing PCI Compliance How to Address the Application Security Mandates

Common Cyber Threats. Common cyber threats include:

Retention & Destruction

SECURITY CONSIDERATIONS FOR LAW FIRMS

The Ministry of Information & Communication Technology MICT

Windows Operating Systems. Basic Security

Data Security for the Hospitality

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Transcription:

KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered.

KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment Guide document is used to analyze vulnerabilities, potential threats and risks for an organization, and the organization s IT systems. Conduct Assessment Survey Implement Management Plan Identify s Create Management Action Plan Assess Importance & Likelihood This guide is based on controls found in the NIST Special Publication 800-53, the Shared Assessments Program Agreed Upon Principles, ISO 27001 and other highly regarded industry standards. This guide is meant to trigger a thought process to identify vulnerabilities and risks particular to your organization and is not meant to be a comprehensive list of potential risks.

KirkpatrickPrice Assessment Guide 3 Identification Identifying risk for an IT system requires an understanding of the system s processing environment. Therefore, the risk assessor must first collect system-related information, which is usually classified as follows: Hardware; Software; System interfaces (e.g., internal and external connectivity); Data and information; Persons who support and use the IT system; System mission (e.g., the processes performed by the IT system); System and data criticality (e.g., the system s value or to an organization); and System and data sensitivity. The use of information technology poses a wide variety of risks. Obviously, there is the risk of malicious attack from hackers, but certain other risks are often overlooked. User error can destroy or leak data, or take down a system. Adverse events such as fires, floods and other natural disasters can wreak havoc in any business environment. The following table lists many such events: Potential Adverse Events Air Conditioning Failure Earthquake Nuclear Accident Aircraft Accident Electromagnetic Interference Pandemic Biological Contamination Fire (Major or Minor) Power Loss Blackmail Flooding/Water Damage Sabotage Bomb Threat Fraud/Embezzlement Terrorism Chemical Spill Hardware Failure Tornado, Hurricane, Blizzard Communication Failure Human Error Unauthorized Access or Use Computer Crime Loss of Key Personnel Vandalism and/or Rioting Cyber-Terrorism Malicious Use Workplace Violence

KirkpatrickPrice Assessment Guide 4 The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of its not being met: Loss of Integrity. System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system. Loss of. If a mission-critical IT system is unavailable to its end users, the organization s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users performance of their functions in supporting the organization s mission. Loss of. System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization. The remainder of this guide is a risk assessment matrix, which you may use to analyze vulnerabilities, threats and the overall risk to your organization. We do not claim the following to be fully comprehensive. Our hope is that the risk assessment matrix will stimulate thought and help your organization to perform a thorough risk assessment.

KirkpatrickPrice Assessment Guide 5 Function: Storing customer information in IT database(s) threat likelihood Viruses or malware attacking servers/pcs Hacker attacking through public Internet or wireless connections Unknown publicly available vulnerabilities Release of patches or exploits that notify hackers of potential problems Unintended access to unauthorized employees Weak passwords that unauthorized individuals or programs could guess Perpetual access to systems with compromised passwords Old or unnecessary accounts are still available for access Anti-virus and anti-malware utilities installed on all servers and PCs Firewall installed at each Internet connection and between any wireless network External scans performed quarterly Patch management performed quarterly and within 30 days of critical releases Company employees access privileges are limited based on job function Network is configured to enforce strong password construction (at least 7 characters, alpha/numeric, requiring at least one special character) Company employees network passwords are changed at least every 60 days Company has a formal process for terminating employees which includes removal of access to IT network resources

KirkpatrickPrice Assessment Guide 6 Function: Storing customer information in IT database(s) (Continued) threat likelihood Data lost and irretrievable Data lost due to sudden power loss Data lost due to environmental pressures (such as temperature) Database(s) backed up nightly, and tested monthly for restore capability Battery backup is in place Proper cooling systems are installed in data center or server room to prevent overheating Data lost due to fire Fire detection and suppression systems in place in data center or server room Integrity Data lost due to employee or system error Annual auditing of item locations in database versus physical locations

KirkpatrickPrice Assessment Guide 7 Function: Providing online customer access to information in IT database(s) threat likelihood Data leaking through unencrypted Internet browser session Unauthorized parties accessing online accounts Unauthorized parties posing as legitimate users Services unavailable due to loss of Internet connectivity Secure socket layer encryption used during online access Access accounts are password protected Access accounts are set up only after users provide valid authentication Backup Internet connection in place

KirkpatrickPrice Assessment Guide 8 Function: Storing customer records and information in company facilities threat likelihood Unauthorized parties entering sensitive areas Unauthorized entry goes unnoticed Unauthorized entry notice is delayed Unknown parties enter sensitive areas Malicious individuals working for vendors commit theft of information or disclose sensitive details All facility entrances are locked All entrances monitored by video surveillance, receptionist/guard and/or entrance tracked by access cards Facility alarmed and thirdparty monitored All facility visitors provide valid ID, sign a log book and are escorted by a company employee while on premises All vendors with access to facilities are contractually bound to privacy obligations, or are escorted by a company employee while on premises Data loss due to fire Fire suppression in place in all areas where employee information stored Data loss due to flood Facility located outside of flood plain areas Data loss or lack of access due to power outage Data inaccessible due to chemical spill or disaster Backup generator installed / Company has on-call relationship with third party capable of providing emergency power Facility located away from sources of toxic substances

KirkpatrickPrice Assessment Guide 9 Function: Storing customer records and information in company facilities (Continued) threat likelihood Integrity Integrity Data irretrievable due to damage Data damaged due to inadvertent water damage from fire suppression systems Company has on-call relationship with third party capable of assisting with document preservation and remediation Company employees trained at least annually on responding to accidental discharge of sprinkler system

KirkpatrickPrice Assessment Guide 10 Function: Transporting customer records and information in company vehicles threat likelihood Integrity Data stolen from delivery vehicle Data stolen due to employee forgetting to lock the cargo area of a vehicle Thief attempting breakin of vehicle Data lost due to vehicle theft Data availability delayed due to impounding Data damaged due to environmental conditions All vehicles have distinct cargo area that is not accessible from driver cabin All vehicle cargo areas have self-locking mechanisms All vehicles equipped with audible alarms All vehicles equipped with GPS systems All vehicles are properly licensed and identified with company details (to prevent towing) All vehicle cargo areas are climate controlled (for vehicles transporting computer media)

KirkpatrickPrice Assessment Guide 11 Function: Handling of customer records and information by company employees threat likelihood Untrusted employee steals information Company performs background checks on all employees Employees access information with no contractual obligations assigned All employees sign confidentiality agreements Employees do not understand privacy responsibilities All employees receive privacy training at least annually and within 30 days of hiring Integrity Data loss due to lack of employee understanding of job responsibilities Employees receive training on company policies and procedures at least annually and within 30 days of hiring Integrity Mistakes and procedural flaws go unnoticed Employee activities related to handling customer records and information are regularly audited Employees are unavailable to work during pandemic Company encourages vaccination against disease by making vaccinations available at company expense Employees are contagious during pandemic Hand sanitizers installed in all facilities to help prevent disease spread

KirkpatrickPrice Assessment Guide 12 Assessment History Revision date: 01/24/2012 Original effective date: Last full review: Next full review: KirkpatrickPrice Kirkpatrick Price, LLC 1228 East 7th Ave., Suite 200 Tampa, FL 33605 800.977.3154

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information