2012 Risk Assessment Workshop




Transcription:

2012 Risk Assessment Workshop

Agenda
- Risk Assessment Strategy for Texas State
- Device Registration Application
- Risk Assessment using ISAAC
- Review Server Management responsibilities

Risk Assessment Strategy at Texas State

What's happening in 2012
- Device Registration
- ISAAC (Information Security Awareness, Assessment, and Compliance): minor modifications
- Penetration testing by IT Security: Core Impact, open source tools, 3rd party assessment
- Confidential information discovery: Identity Finder
- Firewall exception process (new)

Results from 2011
- Review trend data

ISAAC Risk Assessment: what's new
- Modified questions reflecting the updated TAC 202
- Using the Template method for your ISAAC assessment again this year

Device Registration
- Device Registration application: https://tim.txstate.edu/ndmrs/
- Secure application (HTTPS)
- Search feature
- Activate/Inactivate feature

ISAAC
- Assess Texas Administrative Code (TAC) 202 compliance
- Accepted method for conducting risk assessment
- https://isaacs.tamu.edu/

Risk Assessment Checklist
- Update Device Registration (https://tim.txstate.edu/ndmrs/): make sure all current devices registered for your department are active
- Update ISAAC registration
- Open your 2012 assessment templates
- Review questions in ISAAC and mark complete

Server Management Responsibilities

Policies
- UPPS 04.01.09 Security policy: http://www.txstate.edu/effective/upps/upps-04-01-09.html
- UPPS 04.01.09 Server Management: http://www.txstate.edu/effective/upps/upps-04-01-09.html

DIR requirements
- Annual risk assessment
- Confidential information handling
- Disposal of electronic media

Risk Assessments and Compliance
- Annual process for all servers
- Servers are considered devices that offer services to other computers, such as:
  - Web and secure-web services (http, https)
  - File sharing services and secure print servers (devices storing confidential data)
- Completed by the Data Custodian (sysadmin) and the Data Owner
- Other compliance issues: PCI, HIPAA

Services and Protocols
- Services that are not required for the server to meet its mission must be disabled whenever the server is connected to the university network
- Demo: how to disable services and protocols in Windows Server 2008
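The slide's demo is not transcribed, so the following is an added example (not the workshop's own material) of how a sysadmin can audit a Windows Server 2008 host against the "only mission-required services" rule with PowerShell 2.0 cmdlets. The $RequiredServices list is a constructed placeholder for an IIS web server, and $CoreServices is a starting-point assumption about what the OS itself needs; both must be adjusted to the server's documented role.

```powershell
# Added example (not from the workshop slides): report-only audit of the running
# Windows services on a server against the list of services its mission requires,
# following the slide's rule that non-required services are disabled on the
# university network. $RequiredServices is a constructed placeholder for a basic
# IIS web server; replace it with what the server's Data Custodian has documented.
param(
    [string[]]$RequiredServices = @('W3SVC', 'WAS', 'WinRM', 'TermService'),
    [switch]$Disable   # without -Disable nothing changes; the script only reports
)

# Services the OS itself depends on; an allowlist must not be applied to these blindly.
# Treat this as an assumed starting point to adjust for the server role, not a complete list.
$CoreServices = @('RpcSs', 'DcomLaunch', 'EventLog', 'Winmgmt', 'LanmanWorkstation',
                  'LanmanServer', 'Netlogon', 'CryptSvc', 'wuauserv', 'Schedule',
                  'Dhcp', 'Dnscache', 'BFE', 'MpsSvc', 'PlugPlay', 'SamSs', 'W32Time')

$running    = @(Get-Service | Where-Object { $_.Status -eq 'Running' })
$candidates = @($running | Where-Object {
    ($RequiredServices -notcontains $_.Name) -and ($CoreServices -notcontains $_.Name)
})
Write-Host ("{0} running services, {1} on neither the required nor the core list" -f
    $running.Count, $candidates.Count)

foreach ($svc in $candidates) {
    # Win32_Service adds the start mode, the service account and the binary path,
    # which Get-Service in PowerShell 2.0 does not expose; all three belong in the
    # ISAAC record so the decision to keep or disable the service is documented.
    $wmi = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    Write-Host ("{0,-28} {1,-9} {2,-28} {3}" -f $svc.Name, $wmi.StartMode, $wmi.StartName, $wmi.PathName)

    if ($Disable) {
        # Disabling the startup type keeps the service from returning after a reboot;
        # Stop-Service ends the running instance, and -Force also stops its dependents.
        Set-Service -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force
        Write-Host ("  -> {0} stopped and set to Disabled" -f $svc.Name)
    }
}
```

Run it once without -Disable, confirm the candidate list with the Data Owner, then re-run with -Disable from an elevated prompt.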

User Account Management
- Demo: disabling, renaming, and deleting user accounts in Windows Server 2008
- Managing passwords

Windows Permissions
- Share permissions
- Security permissions: more granular permissions on the folders and files inside the share
- Beware "Inherit Permissions"

Intrusion Protection
- Anti-virus
- Network IPS
- Host-based firewalls
- Tipping Point and Palo Alto
- Special reports available
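As an added illustration of the share-versus-security-permissions point and the "Beware Inherit Permissions" warning (not code from the workshop), the following PowerShell 2.0 script lists a share's permissions and then walks the NTFS ACLs underneath it, showing which broad-group write entries were inherited and where inheritance is blocked. The share name 'Research$' is a constructed placeholder.

```powershell
# Added example (not from the workshop slides): list the share permissions on a share
# and then audit the NTFS security permissions beneath it, flagging write access held
# by broad groups and showing whether each such entry was inherited from a parent
# folder, which is what the slide's "Beware Inherit Permissions" warns about.
# $ShareName is a constructed placeholder; point it at one of your own shares.
param([string]$ShareName = 'Research$')

$share = Get-WmiObject Win32_Share -Filter ("Name='{0}'" -f $ShareName)
if (-not $share) { throw "Share '$ShareName' not found on this host" }

# 1. Share permissions: the outer gate. WMI works on Windows Server 2008, which has no
#    SmbShare cmdlets. Access masks 2032127/1245631/1179817 are Full/Change/Read.
Write-Host ("Share permissions on \\{0}\{1} ({2}):" -f $env:COMPUTERNAME, $ShareName, $share.Path)
$setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter ("Name='{0}'" -f $ShareName)
$dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
if (-not $dacl) { Write-Host "  (no DACL: share is open to Everyone)" }
foreach ($ace in $dacl) {
    $right = switch ($ace.AccessMask) { 2032127 {'Full'} 1245631 {'Change'} 1179817 {'Read'} default {$ace.AccessMask} }
    $type  = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
    Write-Host ("  {0}\{1,-25} {2} ({3})" -f $ace.Trustee.Domain, $ace.Trustee.Name, $right, $type)
}

# 2. NTFS security permissions: the granular gate on folders and files inside the share.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeBits   = 0x10006   # WriteData | AppendData | Delete; FullControl and Modify include these
$items = @(Get-Item $share.Path) + @(Get-ChildItem $share.Path -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    # A folder that blocks inheritance is where the chain from the share root stops;
    # everything below it follows that folder's own ACL, not the share root's.
    if ($item.PSIsContainer -and $acl.AreAccessRulesProtected) {
        Write-Host ("INHERITANCE BLOCKED  {0}" -f $item.FullName)
    }
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $broadGroups -notcontains $id) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        $origin = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("BROAD WRITE ({0,-9}) {1,-35} {2} on {3}" -f $origin, $id, $rule.FileSystemRights, $item.FullName)
    }
}
```

An "inherited" finding deep inside the tree usually means the fix belongs on the parent folder, not on the file that surfaced it.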

Event Log Management and Notification

Backup and Recovery
- Data Center backup
- Windows Server Backup

Logon Banner Configuration
- Demo

OS and Anti-Virus Updates
- In general, vulnerability patches should be applied within 72 hours
- Anti-virus protection for servers: configure for automatic updates from the antivirus server

Physical Security
- Environmental monitoring
- Physical access controls: escorts, video monitoring, card reader access
- Theft protection

Remote Access
- Encryption
- Virtual Private Network: available to all University faculty and staff; secure remote access from public networks; https://ive1.txstate.edu/

Centrally Managed Services
- Security incident management: report suspected incidents to IT Security
- Penetration testing and vulnerability scanning
- VPN
- Perimeter firewalls
- Data Center consolidation
- Secure grant data storage
- File share cluster
- Backup and recovery
- SCCM

http://security.vpit.txstate.edu
itsecurity@txstate.edu

Hands-On: Device Registration and ISAAC Assessment

Tools and References
- IT Security website
- SANS Security Checklists
- Open source tools for web site scanning: OWASP project, www.owasp.org
- Security Configuration Benchmarks (CIS)
- Microsoft Baseline Security Analyzer (MBSA): microsoft.com/technet/security/tools/mbsahome.mspx
- Nmap for Windows (nmap.org)
- Windows Defender
- Sysinternals: http://live.sysinternals.com/
- Identity Finder: www.tr.txstate.edu/software/download/identityfinder.html

http://security.vpit.txstate.edu
itsecurity@txstate.edu

Q & A