SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES



On June 3, 2009, Plante & Moran attended the Midwest Technology Leaders (MTL) Conference, an event that brings together top technology professionals in the Midwest to share trends, best practices, and opportunities. With the help of MTL, Table Sponsors, CIOs, and additional conference attendees, we conducted 12 roundtable discussions on a variety of timely and important IT topics. As an outgrowth of the roundtable discussions, we produced a series of educational white papers.

Contents
Abstract
Introduction
Best Practices in Information Security
Security Officer
Management and User Responsibilities
Identification and Authorization System
Latest Software Updates and Patches
Firewalls and Security Policy
Intrusion Detection System (IDS)
Penetration Testing
Logging
Backups
Documentation
Independent Testing
Conclusion

ABSTRACT

In today's world, breaches in information security are a common occurrence. Recent advances in technology have increased both our access to and our requests for information and data. IT professionals are faced with the complex task of providing that access while at the same time mitigating security risks.

INTRODUCTION

The largest breach of 2009 occurred at Heartland Payment Systems, where it was reported that 130 million records were stolen. Some believe that number is low, given that the company processes more than 100 million records per month and that the attackers had access for 18 months [1]. The sources of breaches can be external or internal; attacks can be probing, coordinated, or random; and as technology advances and laws change, criminals find new ways to get at private and secured information. The risk can be significantly reduced by adhering to the following best practices in information security.

BEST PRACTICES IN INFORMATION SECURITY

In today's technology infrastructure, an organization needs to implement multiple security strategies and technologies to protect its information assets. The process should begin with an analysis of the risks the organization is exposed to through its current use of technology. Simply put, these risks fall into four broad categories: interruption (an asset becomes unavailable or unusable), interception (an unauthorized party gains access to it), modification (it is tampered with), and fabrication (counterfeit data or transactions are inserted into the system).

To mitigate the risks identified, an effective information security program should develop control strategies covering prevention, protection, detection, recovery, and investigation. The controls should span people, process, and technology. Documenting controls in the form of policies and procedures further helps them to be applied consistently. Lastly, the information security program should be independently assessed through IT general and technical audits.

Security Officer

All companies need to establish a security officer who is responsible for managing information security in accordance with the Security Handbook. It's important for the security officer to understand the associated security risks and to update policies and procedures based on those risks. In addition, the security officer should ensure compliance with procedures, conduct risk assessments, test contingency plans, and coordinate awareness programs.

Management and User Responsibilities

Ultimately, it's management's responsibility to ensure that the documented procedures and policies are in place and that there is a formal approval process for the security policy and handbook. To do this, management must understand the security risks and threats and how they change, and must ensure that the policies continue to be updated. It's also important to instill a security-conscious atmosphere throughout the organization, which includes ensuring that people selected for critical positions are of the highest integrity and reliability.

New, current, and temporary users must all receive proper training for security to be effective. Guidelines must be in written form and include specifics about what users should and should not do. Users should be asked to sign an acknowledgement that they have read and understood all the requirements. The guidelines should be available for reference at all times, preferably online, so that the latest revisions are always the ones consulted.

Identification and Authorization System

There are a number of identification systems, including biometrics, chip (smart) cards, and magnetic stripe cards, but the most common is the password. A large number of breaches occur because default usernames and passwords are never changed, providing easy access for attackers. Implementing a strong password policy will help mitigate this risk. The roundtable's list of best password practices:
- Do not share passwords.
- Passwords should be at least six characters long, with a mix of numbers, uppercase letters, lowercase letters, and special characters.
- User IDs and passwords should be unassociated: a password must not contain, or be derived from, the user ID.
- Change passwords every 30 days.
- Passwords that are not changed by the deadline should expire, locking the user out of the system until the password is reset.
- Do not reuse passwords.
- Remove passwords and deactivate user IDs immediately when an employee leaves the organization.
The strongest identification systems combine more than one of these mechanisms, for example a password plus a card or a biometric. Note that the length and rotation figures above reflect 2009 practice; current guidance such as NIST SP 800-63B favors longer passwords (eight characters at minimum), screening new passwords against lists of known-compromised ones, and forcing a change when compromise is suspected rather than on a fixed calendar schedule.

Latest Software Updates and Patches

Ensure that the latest software updates and patches are applied to your applications and operating systems so that they are less vulnerable to outside attacks. Not following this guideline is like leaving a purse in a locked car with the windows down. There are products on the market that can help ensure your computers and systems are up to date with the latest patches.

Firewalls

Firewalls are used to secure the internal network from an external network, such as the Internet, by applying a defined set of rules to allow or deny the network traffic passing through them.
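Before going on with firewalls, a worked example of the password policy listed above. It is added here and is not code from the white paper. It checks a candidate password against the length, character-mix, user-ID, reuse and expiry rules, keeps the reuse history as salted PBKDF2 hashes rather than plaintext, and models the expired and deactivated states. The history depth, the PBKDF2 parameters, and the sample user IDs and passwords are assumptions made for the example.

```python
"""Password-policy checks for the rules listed above (added example, not from the white paper)."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 6        # the paper's 2009 minimum; NIST SP 800-63B now says 8 or more
MAX_AGE_DAYS = 30     # "change passwords every 30 days"
HISTORY_DEPTH = 5     # assumed: how many previous password hashes are kept for the reuse check
SPECIALS = set(string.punctuation)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH (salt, digest) pairs."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(username, password, history=()):
    """Return the rules a candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # "User IDs and passwords should be unassociated": reject any password that
    # contains the user ID, forwards or reversed, in any letter case.
    uid, cand = username.lower(), password.lower()
    if len(uid) >= 3 and (uid in cand or uid[::-1] in cand):
        problems.append("contains the user ID")
    if was_used_before(password, history):
        problems.append("reused from password history")
    return problems


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (as a directory or database would hand back)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_state(set_on, today, account_active=True):
    """Expiry and lockout: 'active', 'expired' (locked until reset) or 'deactivated'."""
    if not account_active:
        return "deactivated"   # departed employee: the ID is disabled immediately
    if _as_date(today) - _as_date(set_on) > timedelta(days=MAX_AGE_DAYS):
        return "expired"
    return "active"


if __name__ == "__main__":
    history = [hash_password("Winter2009!")]               # constructed prior password
    print(check_password("jsmith", "jsmith01", history))     # weak and tied to the user ID
    print(check_password("jsmith", "Winter2009!", history))  # reuse of a previous password
    print(check_password("jsmith", "T4k3-a-Walk", history))  # accepted: empty list
    print(password_state("2009-05-01", "2009-06-03"))        # 33 days old: expired
```

The reuse check deliberately re-derives the hash with each stored salt rather than comparing plaintext, so the history file is no more sensitive than the live credential store; `hmac.compare_digest` keeps the comparison constant-time.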
A firewall acts as a gate, ensuring that private or confidential information does not go out and that unwanted content or unauthorized users do not come in. Firewalls should have an alarm mechanism that warns system administrators of a potential breach, and all traffic that crosses the firewall should be recorded in a log for later reference. The security policy should address the use of the firewall and its requirements.

Intrusion Detection System

Even with a firewall in place, an intrusion detection system should be used to detect unusual actions or patterns that could indicate an attack on the system. Since intrusions can be internal or external, having both a firewall and an intrusion detection system gives your organization the best protection.

Penetration Testing

A yearly penetration test should be performed to uncover security vulnerabilities. This hands-on, active approach provides much better information about the strengths and weaknesses of your security system than a paper-based audit alone. Penetration testing helps safeguard your organization against fraud, financial loss, and loss of consumer confidence, and provides evidence of industry compliance to regulators, customers, and shareholders.

Logging

History logs are generally a part of any system and, from a security standpoint, are critical so that breaches can be quickly identified and analyzed. Most importantly, network activity logs, particularly software installation and firewall logs, need to record who, when, where, and what occurred, so that events can be checked against known attack patterns and against the rules.

Backups

All data and information files on the system should be backed up on a regular basis. A bolt of lightning, human error, or another disaster could result in the loss of information. Procedures and policies in the security policy and/or security handbook should address the backup media, where the media are stored (preferably off site), the number of copies, the frequency of backups, and the intervals at which backups will be test-restored to confirm that data can be retrieved.

Documentation

It's important to document your organization's IT security policies, procedures, and contingency plans in detail in a Security Handbook. Documenting your procedures shows that management takes security seriously, and in the event of a breach or major incident the Security Handbook will guide internal resources through the proper steps to follow.

Independent Testing

The effectiveness of your information security program should be assessed by independent auditors. The assessment can be general, such as IT general controls; technical, such as penetration testing; or specific, such as a firewall review. Because the security risk and control landscape is constantly changing, the independent assessment should be performed at least annually.
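A worked example for the Logging section above, added here and not code from the white paper. It parses constructed syslog-style lines into who/when/where/what records and applies two rules a reviewer would actually run over them: a burst of failed logins from one source (and a success right after it), and a software installation by an account outside the approved set. The log format, the thresholds, the year, and the approved-installer list are assumptions made for the example.

```python
"""Who/when/where/what checks over sample log lines (added example, not from the white paper)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout; they are not taken from any real system.
SAMPLE_LOG = """\
Jun 03 09:12:01 srv01 sshd[2211]: Failed password for admin from 203.0.113.9 port 50122
Jun 03 09:12:04 srv01 sshd[2212]: Failed password for admin from 203.0.113.9 port 50123
Jun 03 09:12:07 srv01 sshd[2213]: Failed password for root from 203.0.113.9 port 50124
Jun 03 09:12:09 srv01 sshd[2214]: Failed password for admin from 203.0.113.9 port 50125
Jun 03 09:12:12 srv01 sshd[2215]: Failed password for admin from 203.0.113.9 port 50126
Jun 03 09:12:40 srv01 sshd[2230]: Accepted password for admin from 203.0.113.9 port 50130
Jun 03 09:30:15 srv01 sshd[2301]: Failed password for alice from 192.0.2.44 port 41002
Jun 03 09:30:21 srv01 sshd[2302]: Accepted password for alice from 192.0.2.44 port 41003
Jun 03 10:02:00 ws17 installer: installed package remote-admin-tool by user bob
Jun 03 10:05:00 ws02 installer: installed package office-suite by user svc-deploy
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
INSTALL_RE = re.compile(r"^installed package (?P<pkg>\S+) by user (?P<user>\S+)")

FAIL_THRESHOLD = 5                     # assumed tuning: failed logins per source per window
WINDOW = timedelta(minutes=5)
APPROVED_INSTALLERS = {"svc-deploy"}   # assumed: only the deployment account installs software
YEAR = 2009                            # syslog timestamps carry no year; assumed for the sample


def parse(text):
    """Normalise each line into a who/when/where/what record; lines matching no parser are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime("%d %s" % (YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
        auth = AUTH_RE.match(m["msg"])
        if auth:
            records.append({"when": when, "where": m["host"], "who": auth["user"],
                            "src": auth["src"], "what": "login-" + auth["result"].lower()})
            continue
        inst = INSTALL_RE.match(m["msg"])
        if inst:
            records.append({"when": when, "where": m["host"], "who": inst["user"],
                            "src": None, "what": "install:" + inst["pkg"]})
    return records


def find_alerts(records):
    """Apply the two rules and return (rule, where-or-source, detail) tuples in time order."""
    alerts = []
    recent_fails = defaultdict(list)   # source address -> timestamps of recent failed logins
    for r in sorted(records, key=lambda rec: rec["when"]):
        if r["what"] == "login-failed":
            # Rule 1: FAIL_THRESHOLD failures from one source inside WINDOW = password guessing.
            window = [t for t in recent_fails[r["src"]] if r["when"] - t <= WINDOW]
            window.append(r["when"])
            recent_fails[r["src"]] = window
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("brute-force", r["src"], r["where"]))
        elif r["what"] == "login-accepted":
            # A success from a source that just hit the threshold is a probable compromise.
            window = [t for t in recent_fails[r["src"]] if r["when"] - t <= WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("success-after-brute-force", r["src"], r["who"]))
        elif r["what"].startswith("install:") and r["who"] not in APPROVED_INSTALLERS:
            # Rule 2: software installed by anyone outside the approved set violates policy.
            alerts.append(("unapproved-install", r["where"], r["who"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Note that alice's single failure followed by a success produces nothing: the rules key on the pattern (volume per source inside a window, or an actor outside the approved set), which is what separates a review of who/when/where/what from simply grepping for the word "Failed".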
An independent assessment also helps when demonstrating compliance with regulations such as Sarbanes-Oxley and privacy laws (GLBA, HIPAA), or with standards such as the Payment Card Industry Data Security Standard (PCI DSS) and SAS 70 (since superseded by the SSAE SOC reports).

CONCLUSION

The task of granting ever-wider access to data and information while keeping tighter and tighter control over system security is difficult in a technology environment that is constantly evolving. Every time one type of security breach is closed off, attackers find a new way in, which is why it's important for organizations to understand and follow IT security best practices. Understanding the risks and then documenting, monitoring, and constantly updating security policies and procedures to address them requires time and effort, but it is critical to keeping your systems safe. Putting barriers such as identification and authorization systems, firewalls, and intrusion detection systems in place, and making sure they are tested and upgraded as required, will minimize the risk of successful attacks. And if, in spite of every best effort, a breach still occurs, history logs and backups will allow you to recover your systems and investigate the attack. Lessons learned may require updates to policies, procedures, and barriers, and the cycle starts again.

THANK YOU

Plante & Moran would like to thank Govind Rammurthy, Table Sponsor from MicroWorld Technologies; Joe Sawasky, CIO from Wayne State University; and all roundtable participants for their contributions.

Sources Cited
1. Top 10 Information Security Breaches & Blunders of 2009. http://perimeterusa.com/wp/top 10 Breaches and Blunders of 2009.pdf
2. IT Security and Crime Prevention Methods. http://www.interpol.int/public/technologycrime/crimeprev/itsecurity.asp#2
3. 10 Ways to Avoid IT Security Breaches. http://blogs.techrepublic.com.com/10things/?p=780
4. IT Security Series Part 1: Information Security Best Practices. http://www.corporatecomplianceinsights.com/2009/information security best practices

For more information, please contact: Doug Wiescinski, 248.223.3208, Doug.Wiescinski@plantemoran.com