Security Controls What Works. Southside Virginia Community College: Security Awareness


Session Overview
- Identification of Information Security Drivers
- Identification of Regulations and Acts
- Introduction to Security Standards
- Understanding Security Controls
- Technology Solutions Assisting in Regulatory Compliance

Identification of Information Security Drivers

Business Drivers
What are the business drivers for information security?
- Facilitate business initiatives
- Protect brand image
- Protect customer confidence
- Reduce costs and improve productivity
- Enhance service levels
- Technology direction
- Comply with regulations

Regulatory Compliance Drives Security Initiatives
Regulatory compliance has emerged as the biggest driver of information security initiatives and spending. Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:
- Policies and procedures
- Training and awareness
- Security event management tools
- Identity and password management technologies

Information Security Management Framework
What is an Information Security Management Framework?
- A key set of policies and processes supporting information security
- Organizational structure and governance for information security
- Implementation of standard security controls
- Appropriate and sufficient security tools and technologies

Regulatory Benefits of Implementing an Information Security Management Framework
Regulatory benefits of implementing an Information Security Management Framework include:
- Protecting the privacy of personally identifiable information (customer and employee)
- Protecting sensitive information and resources from being accessed by, or shared with, unauthorized users
- Ensuring the integrity of financial data
- Ensuring that data content is protected and tamper-resistant
- Ensuring well-controlled systems
- Ensuring secure development and maintenance of software, systems, and applications

Information Security Management Framework Lifecycle
The implementation of the Information Security Management Framework follows the Plan, Prevent, Detect, Respond cycle, common in other management frameworks such as ISO 9001 and ISO 14001. The slide shows this as a development, maintenance and improvement cycle:
- Input: Work with business units to identify and classify their assets, along with the business risks associated with those assets.
- Plan: Ensure the context and scope of the Framework are correct and appropriate.
- Prevent: Implement and operate the processes associated with the Framework.
- Detect: Monitor the effectiveness of security processes.
- Respond: Update Framework security processes from lessons learned.
- Output: An effective Information Security Management Framework based on the organization's risk profile.

Information Security Management Framework Flow
Regulatory requirements and security standards help define the organization's security environment. This environment dictates the organization's security directive, which in turn dictates the Information Security Management Framework. The slide shows the flow as:
Regulatory Requirements, Security Standards, Business Initiatives, Technology Direction
-> Business and Security Environment
-> Organizational Directive for Information Security
-> Information Security Framework (Security Controls)
-> Technologies and Solutions

Identification of Regulations and Acts

Significant Regulations and Acts
Some of the more significant security regulations and acts include:
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOX)
- European Union Data Protection Directive (EUDPD)
- Personal Data Act
- Computer Misuse Act
- Data Protection Act
- 21 CFR Part 11
- Basel II
- Various state security breach laws

Security Objectives
These regulations and acts specify information security objectives associated with:
- Security policy, organization, and program
- Personnel, human resources, and administrative security controls
- User, network, system, and physical access management
- Proactive vulnerability, risk, and threat assessment and management activities
- Intrusion detection capabilities
- Event logging and monitoring, and incident response programs and processes
- Encryption capabilities and the protection of information confidentiality and integrity
- Identification, authentication, and authorization controls for information and systems
- Asset classification and control
- Disaster recovery and business continuity planning
This is not an all-inclusive list of security regulatory goals, but rather a sample of the security objectives of these regulations.

Introduction to Security Standards

Value Proposition of Security Standards
Security standards:
- Provide outlines of accepted best practice for security management
- Provide guidelines for the implementation of security measures
- Provide a framework for the management of information, network, and system security within an organization
- Provide a suggested code of practice
- Integrate security measures into an overall security architecture
- Can be used by organizations of all sizes, industries, and sectors
Security standard compliance is NOT required by law, though some contracts now require certification.

Compliance and Certification
To achieve compliance, the organization must implement measures to address all control objectives. Formal certification is usually achieved through a formal audit conducted by a certified independent auditor. Certification offers internal and external confidence in the Information Security Management Framework. Certification demonstrates good governance and can provide evidence of due diligence for some regulatory compliance requirements.

Compliance Achievement Process
The slide lays the process out in four phases: Initiation, Analysis, Implementation, and Compliance.

Initiation
- Recognise the need
- Get management support
- Appoint a Program Manager
Scoping
- Decide on a suitable scope
- Define the scope
- Agree it with the Certification Body (formal certification only)

Analysis
Gap Analysis
- Identify existing controls
- Review existing documents
- Identify gaps between these and the Standard's requirements
Risk Assessment
- Identify assets within scope
- Identify threats to assets
- Assess the level of risk
- Identify treatment options

Implementation
Security Improvement
- Managed program for addressing security issues
- Typical activities: security policies and procedures; security awareness training; Internet and email usage; laptop and PDA security; backup procedures; firewall configuration review; penetration testing; review of user accounts

Compliance
Demonstrate Compliance
- Document the ISMS policy
- Justify the claim in a documented Statement of Applicability
Formal Certification
- Documentation review and pre-audit (2-3 days)
- Formal audit (4-8 days)

Industry Accepted Security Standards
Some of the more commonly accepted and implemented standards include:
- International Standard ISO/IEC 17799:2005 (ISO 17799)
- Australian Standard AS/NZS 7799.2:2003 (AS 7799)
- Payment Card Industry (PCI) Data Standard
- Common Criteria for IT Security Evaluation (ISO 9000)
- NIST Computer Security Standards

Understanding Security Controls

Security Controls Overview
Security controls address security issues that should be considered as part of the Information Security Management Framework:
- Security Policy
- Security Organization and Governance
- Asset Management
- Data Protection
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Logging and Monitoring
- Vulnerability Management
- Incident Management
- Software & System Acquisition, Development, and Maintenance
- Business Continuity Management
- Compliance
While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.

Security Control Objectives - 1
- Security Policy: Documented security objectives for the organization that are agreed and approved by management
- Security Organization and Governance: Assigning security responsibilities and accountability, and a management forum for setting and approving security objectives

Security Control Objectives - 2
- Asset Management: The management (identification, classification, and control) of information and hardware and software resources
- Data Protection: Effective controls for protecting the confidentiality, integrity, and availability of information and information resources

Security Control Objectives - 3
- Personnel Security: The management of staff, terms of employment, termination processes, and awareness and training
- Physical and Environmental Security: Securing the human and system physical environment, including entry controls, fire and power controls, and cable and rack security

Security Control Objectives - 4
- Communications and Operations Management: Key security aspects of managing network and system components securely, including backups, anti-virus, patches, and media and laptop security
- Access Control: The control of logical, physical, and remote access to information and resources, including identification and authentication, authorization, and password and user management on applications, operating systems, and within networks

Security Control Objectives - 5
- Logging and Monitoring: The collection, aggregation, normalization, correlation, mining, and tracking of security events
- Vulnerability Management: The performance of risk, threat, and vulnerability assessments

Security Control Objectives - 6
- Incident Management: The detection, reporting, recording, handling, response, review, and management of security incidents
- Software & System Acquisition, Development, and Maintenance: The secure development and maintenance of software and systems for ongoing secure operation

Security Control Objectives - 7
- Business Continuity Management: Planning and defining the response in the event of a disaster or disruption to the business, to ensure continuity of operations
- Compliance: Ensuring compliance with security and privacy legislative requirements

Technology Solutions Assisting in Regulatory Compliance

Microsoft's Regulatory Compliance Planning Guide
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include:
- Document Management Solutions
- Business Process Management Solutions
- Project Management Solutions
- Risk Assessment Solutions
- Change Management Solutions
- Network Security Controls
- Host Control Solutions
- Malicious Software Prevention Solutions
- Application Security Solutions
- Messaging and Collaboration Solutions
- Data Classification and Protection Solutions
- Identity Management Solutions
- Authentication, Authorization, and Access Control Solutions
- Training Solutions
- Physical Security Solutions
- Vulnerability Identification Solutions
- Monitoring and Reporting Solutions
- Disaster Recovery and Failover Solutions
- Incident Management and Trouble-Tracking Solutions

Session Summary
- Regulatory compliance has emerged as the biggest driver of information security initiatives and spending.
- Regulations and acts specify information security objectives necessary for regulatory compliance.
- Any organization can use the guidance and requirements in security standards to improve aspects of its internal security management.
- Security controls address security issues that should be considered as part of the Information Security Management Framework.
- Microsoft products and solutions support the implementation of security controls.
- Many Microsoft technology solutions assist in regulatory compliance.