Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)
|
|
- Camron Barnett
- 6 years ago
- Views:
Transcription
1 Objective of Survey The purpose of this survey is to identify and understand 1) the nature of critical and sensitive campus-wide applications and/or data, 2) where the data is located, 3) how the data is protected, and 4) how the data is transferred between systems. Applications or data that serve others outside your own department are considered campus-wide applications. Criteria for criticality and sensitivity are explained below. Data gathering will be conducted in phases. For this first phase, the survey does not apply to: Research data Instructional data (web sites, course management systems, etc.) Infrastructure services such as DHCP servers, network switches, etc. Software deployment and security applications such as SMS, patch management, etc. Applications/Data To Include in Survey (include applications that meet one or more of the following criteria) Criticality Application whose failure to function correctly and on schedule could result in a business failure by UCLA and/or unit to perform mission-critical functions; a significant loss of funds to UCLA and/or unit; or significant liability or other legal exposure to UCLA and/or unit. Application performs an important function but UCLA and/or unit could continue operations for some designated (but not extended) period of time without the function and there is time for recovery should the function not perform correctly on schedule. Sensitivity Application contains personal data - information that identifies or describes an individual, including but not limited to, his or her name, social security number, driver s license number or California ID Card number, health information, and financial matters such as bank account number or credit or debit card account number. Application contains limited-access data data whose unauthorized access, modification or loss could seriously or adversely affect the University s reputation, operations, and assets; adversely affect a partner (e.g. a business or agency working with the University); or adversely affect the public. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 1 of 10
2 Cross-system Dependencies Application feeds data to campus wide systems. Application stores (locally) data drawn from campus wide systems. Contact If you have questions on whether or not this survey applies to your application, please call or write to us: Esther Woo-Benjamin (project coordinator) Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 2 of 10
3 Questions about person responding to survey A. Name of Respondent: B. School/Department: C. address: D. Date: Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 3 of 10
4 Questions about applications or data Please complete a separate survey form for each distinct application and/or data. If the answers to the Example section in the Preventive Measures and Controls category (see page 4) are exactly the same for multiple applications, then fill out just one questionnaire. For questions E through K, list the applications, referencing each with numbers (1, 2, 3, etc.). You may want to read through the entire survey before attempting to answer all of the questions to determine if you ll need to fill out just one or multiple questionnaires. E. Name of application or data: F. Functional description of application or data: G. Major users of application or data: H. Other applications that depend on this application or data: I. This application feeds data to what campus wide systems? J. This application draws data from what campus wide systems? K. Location of equipment that houses the application or data: Building: Room No. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 4 of 10
5 L. How is data protected? On the following pages, in the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate. Do not answer questions in the Preventive Measures and Controls column. Physical Security (BFB IS-3 1 Section VII) security measures for controlling access to electronic information resources through physical means, including disaster controls, physical access controls, and procedural controls over financial instruments (e.g. check stock). Preventive Measures and Controls Example Y/N Comments/Details Disaster Controls 1. Do you have appropriate measures for the prevention, detection, early warning of, and/or recovery from emergency situations such as, earthquake, fire, water leakage or flooding, disruption or disturbance of power, air conditioning failure, and/or other environmental conditions exceeding equipment limitations? 2. Are there disaster recovery and emergency procedures implemented that address a disaster or any other interruption that render normal processing unavailable for an unacceptable period of time? a. There is a fire suppression system. b. There is a UPS. If yes, how long can power be maintained? c. There are redundant network connections. d. There is adequate HVAC. e. There are single points of failure. If yes, please describe. There are automated systems for monitoring applications to be sure they are available. f. There is a power backup generator. g. Other Please describe. a. There is a Disaster Recovery Plan. b. Plan is included in the campus Disaster Recovery Plan. c. Plan is tested on a regular basis. How often? d. Specific personnel are assigned responsibility for responding in emergency situations. e. Procedures are in place to enable team members to communicate with each other and with management during an emergency. f. There is systems documentation for performing recovery. g. There are provisions for running applications at an alternate ( hot ) site. h. There are provisions for equivalent alternate processing (e.g. manual). What is the unacceptable outage time/functionality that would constitute an emergency? Please describe. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 5 of 10
6 Preventive Measures and Controls Example Y/N Comments/Details Physical Access Controls 3. Do you have controls for limiting physical access to the facility that house the application(s)? a. There are combination/key locks. b. There are badge/biometric readers. c. There are sign in/out logs. d. There are dedicated on-site If yes, what hours? (e.g. 24 x 7 x 365) personnel. e. There are non-breakable windows. Indicate if no windows. f. Room is not accessible from outside Tiles are locked or not able to be opened. via ceiling tiles. g. Room is not accessible from outside via raised floor. h. Other Please describe. Procedural Controls 4. Do you have controls over sensitive documents, or any other financial instruments? a. There are controls over sensitive documents. b. Physical inventories of equipment are maintained in accordance with BFB Bus-29 2, Management and Control of University Equipment. c. There are controls preventing restricted data from being transferred and stored on separate portable equipment such as laptops. d. There are maintenance records documenting repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks. Please describe. Please describe. Please describe. Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 6 of 10
7 Logical Security (BFB IS-3 Section VI) security measures for controlling access to electronic information resources through logical means (e.g. via software or network controls), procedural controls related to software development and change control, security of data, communications security, and reduction of risk from intrusive computer software. Preventive Measures and Controls Example Y/N Comments/Details Access Controls 5. Is application access controlled with proper authentication and authorization security? 6. Are the number of system administrator userids on shared servers kept to a minimum and only provided to those personnel requiring system administration capabilities in order to perform their job duties? a. Access is controlled with authentication. b. Access is controlled through authorization procedures. c. There are mechanisms that detect, record, and generate alerts about repeated failed attempts at access. d. There are system logs to assist in monitoring access. e. There is a formal process in place for providing access. f. Owner of application/data provides approval of access. a. Privileged or superuser access is kept to a minimum. b. Superuser access is limited to UCLA personnel (i.e. NOT contractors) c. Superuser accounts are monitored to ensure they are being used for designated purposes. If yes, what technology? If yes, do procedures include review & approval mechanisms? Please describe. Can suspicious patterns of activity be identified through these logs? If yes, is this a manual or automatic process? How often do you review these logs? If yes, how often? Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 7 of 10
8 Preventive Measures and Controls Example Y/N Comments/Details Change Control 7. Do software changes conform to change management procedures established by the campus (BFB IS-10 3, Systems Development Standards)? 8. Do you provide a separate development environment and testing environment a. Only authorized personnel may implement changes to software. b. There are change management procedures. c. There are audit logs for transactions. d. Internal Audit or the Campus Controller is involved in development or implementation of this application. e. Programmers are not allowed to make application changes AND promote changes into production. f. Application/data owner must sign off on change before it is promoted to production. a. There is a separate development environment. different from the production environment? b. There is a separate testing environment. If yes, are these manual or automated procedures? Data Security 9. Are backup copies of critical data taken? a. Backups are taken. How often? b. Backups are stored at a secure, commercial off-campus site. c. Backups are stored at a secure, noncommercial off-campus site. d. Back up services for data complies with UC policies regarding data retention (BFB RMP-2 4 ; BFB RMP- 4 5 ; BFB IS-10). Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 8 of 10
9 Preventive Measures and Controls Example Y/N Comments/Details 10. Does data conform to University policies and regulations related to privacy of data or information records associated with them? a. Data complies with Legal Requirements on Privacy of and Access to Information (BFB RMP- 8) 6. b. Data complies with Systems Development Standards (BFB IS- 10). 11. When transferring data, are access controls on the destination system commensurate with access controls on the originating system? c. Data complies with UC Electronic Communications Policy 7. a. There are procedures to ensure users are apprised of this constraint when access is originally granted. b. The user s signature is required to acknowledge this notification. c. The data is encrypted before transfer to/from destination and originating sites. d. Logon/password protocol is used at originating and destination sites. Communications Security 12. Are communications access controls present to limit unauthorized access to restricted data and applications across campus communication networks? Other 13. Is this application subject to regular UCOP or UCLA audits? a. There are firewalls. b. There is intrusion detection. c. Service & ports are locked down. d. Scans are done for security holes. e. There is patch management. f. Encryption is used. g. Virus Scans are done. What product/s? h. Other Please describe. a. This application is audited. If yes, how often and by whom? Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 9 of 10
10 M. Does application or data contain personal information? In the Y/N column, answer Y (Yes) or N (No) to the corresponding Example statement. Provide additional details in the Comments/Details column where appropriate. 14. What type(s) of personal information is contained in the data/applications? 15. What people/number of people have access to this personal information? 16. What privacy statement, if any, has been written for the data/application? Example Y/N Comments/Details a. Name, address, phone Please describe. b. Date of birth c. Social Security number d. Driver s license # or CA ID card # e. Payroll salary, title Please describe. f. Bank acct. no. or debit card acct. no. Please describe. g. Credit card acct. no. h. Other Please describe. a. Department HR manager How many? b. Department HR analyst How many? c. Department LAN administrators How many? d. Other (within department) Who? How many? e. Other (outside department) Who? How many? 1 Electronic Information Security BFB IS-3: 2 Management and Control of University Equipment - BFB Bus-29: 3 Systems Development Standards - BFB IS-10: 4 UC Records Disposition Program & Procedures - BFB RMP-2: 5 Vital Records Protection BFB RMP-4: 6 Legal Requirements on Privacy of and Access to Information - BFB RMP-8: 7 UC Electronic Communications Policy: Draft UCLA Electronic Information Security Risk Assessment Survey, Phase 1 P /15/04 - Page 10 of 10
University of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationStandard: Data Center Security
Standard: Data Center Security Page 1 Executive Summary The university data centers provide for the reliable operation of SJSU s computing systems, computing infrastructure, and communication systems.
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationHosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2010 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
More informationHurricane and Storm Commercial Damage Assessment
Hurricane and Storm Commercial Continue to follow all evacuation orders. Stay up-to-date on current hurricane and storm information by visiting the U.S. National Hurricane Center. How to Conduct s:. PREPARE
More informationUCLA AUDIT & ADVISORY SERVICES
UCLA AUDIT & ADVISORY SERVICES Edwin D. Pierce, CPA, CFE Director September 4, 2015 10920 Wilshire Boulevard, Suite 700 Los Angeles, California 90024-1366 310 794-6110 Fax: 310 794-8536 SENIOR VICE PRESIDENT/CHIEF
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationPhysical and Environmental Security Standards
Physical and Environmental Security Standards Table of Contents 1. SECURE AREAS... 2 1.1 PHYSICAL SECURITY PERIMETER... 2 1.2 PHYSICAL ENTRY CONTROLS... 3 1.3 SECURING OFFICES, ROOMS AND FACILITIES...
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationNetwork Performance, Security and Reliability Assessment
Network Performance, Security and Reliability Assessment Presented to: CLIENT NAME OMITTED Drafted by: Verteks Consulting, Inc. 2102 SW 20 th Place, Suite 602 Ocala, Fl 34474 352-401-0909 ASSESSMENT SCORECARD
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER
ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER IT Audit, Information Security & Risk Insight Africa 2014 Johnson Falana CISA,MIT,CEH,Cobit5 proverb814@yahoo.com Overview Information technology
More informationIntroduction to Business continuity Planning
Week - 06 Introduction to Business continuity Planning 1 Introduction The purpose of this lecture is to give an overview of what is Business Continuity Planning and provide some guidance and resources
More informationAfilias DNSSEC Practice Statement (DPS) Version
Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.
More informationIdentity Theft Prevention Policy
Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More information1) Are employees required to sign an Acceptable Use Policy (AUP)?
Business ebanking Risk Assessment & Controls Evaluation As a business owner, you want to be sure you have a strong process in place for monitoring and managing who has access to your Business ebanking
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More informationTUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY
JUNE 2017 TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY OVERVIEW The intent of this document is to provide external customers and auditors with a high-level overview of the Tufts Health Plan Corporate
More informationU.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:
More informationL E C T U R E N O T E S : C O N T R O L T Y P E S A N D R I S K C A L C U L A T I O N
L E C T U R E N O T E S : C O N T R O L T Y P E S A N D R I S K C A L C U L A T I O N Revision Date: 7/31/2014 Time: 1 hour OBJECTIVES The following objectives are covered in this Lecture Note. These objectives
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationCyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No
PROPOSAL FORM Cyber Insurance Underwritten by The Hollard Insurance Co. Ltd, an authorised Financial Services Provider www.itoo.co.za @itooexpert ITOO is an Authorised Financial Services Provider. FSP.
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationINFORMATION SECURITY- DISASTER RECOVERY
Information Technology Services Administrative Regulation ITS-AR-1505 INFORMATION SECURITY- DISASTER RECOVERY 1.0 Purpose and Scope The objective of this Administrative Regulation is to outline the strategy
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationsecurity FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.
security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have
More informationKantanMT.com. Security & Infra-Structure Overview
KantanMT.com Security & Infra-Structure Overview Contents KantanMT Platform Security... 2 Customer Data Protection... 2 Application Security... 2 Physical and Environmental Security... 3 ecommerce Transactions...
More informationTemplate. IT Disaster Recovery Planning: A Template
Template IT Disaster Recovery Planning: A Template When disaster strikes, business suffers. A goal of business planning is to mitigate disruption of product and services delivery to the greatest degree
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationPROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO
Section: Subject: Administration (AD) Data Governance AD.3.3.1 DATA GOVERNANCE PROCEDURE Legislation: Alberta Evidence Act (RSA 2000 ca-18); Copyright Act, R.S.C., 1985, c.c-42; Electronic Transactions
More informationNMHC HIPAA Security Training Version
NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationIT CONTINUITY, BACKUP AND RECOVERY POLICY
IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY Effective Date May 20, 2016 Cross- Reference 1. Emergency Response and Policy Holder Director, Information Business Resumption
More informationHIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationAny observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.
Larry Mandel Vice Chancellor and Chief Audit Officer Audit and Advisory Services 401 Golden Shore, 4th Floor Long Beach, CA 90802-4210 562-951-4430 562-951-4955 (Fax) lmandel@calstate.edu October 10, 2018
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationUCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification
University of California UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification UCOP Implementation Plan for Compliance with Business and Finance Bulletin
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationBusiness Continuity Planning
Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationNEN The Education Network
NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected
More informationAutomate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds
EXECUTIVE BRIEF SHAREBASE BY HYLAND Automate sharing. Empower users. Retain control. With ShareBase by Hyland, empower users with enterprise file sync and share (EFSS) technology and retain control over
More informationLevel 3 Certificate in Cloud Services (for the Level 3 Infrastructure Technician Apprenticeship) Cloud Services
9628-08 Level 3 Certificate in Cloud Services (for the Level 3 Infrastructure Technician Apprenticeship) 9628-808 Cloud Services Sample question paper Duration: 60 minutes Candidate s name: Candidate s
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationInfocomm Professional Development Forum 2011
Infocomm Professional Development Forum 2011 1 Agenda Brief Introduction to CITBCM Certification Business & Technology Impact Analysis (BTIA) Workshop 2 Integrated end-to-end approach in increasing resilience
More informationemarketeer Information Security Policy
emarketeer Information Security Policy Version Date 1.1 2018-05-03 emarketeer Information Security Policy emarketeer AB hereafter called emarketeer is a leading actor within the development of SaaS-service
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCTS performs nightly backups of the Church360 production databases and retains these backups for one month.
Church360 is a cloud-based application software suite from Concordia Technology Solutions (CTS) that is used by churches of all sizes to manage their membership data, website, and financial information.
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationRADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE
ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationMEETING ISO STANDARDS
WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationBUSINESS CONTINUITY. Topics covered in this checklist include: General Planning
BUSINESS CONTINUITY Natural and manmade disasters are happening with alarming regularity. If your organization doesn t have a great business continuity plan the repercussions will range from guaranteed
More informationMINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationBusiness Continuity & Disaster Recovery
Business Continuity & Disaster Recovery Technology and Process Alessio Di Benedetto Presales Manager Roma, 7 th of May 2010 1 Objectives The objective of this workshop is to provide: an overview of the
More informationBusiness Continuity Planning. PDI January 14 th, 2018
Business Continuity Planning PDI January 14 th, 2018 Presenters Sally Alexander, Director & CRO Office of Risk Management & Insurance Tel: 970 491 7726 Email sally.alexander@colostate.edu Angela Gray,
More informationInformation Services IT Security Policies L. Network Management
Information Services IT Security Policies L. Network Management Version 1.1 Last updated: 11th August 2010 Approved by Directorate: 2nd July 2009 Review date: 1st August 2011 Primary owner of security
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationUCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:
UCOP ITS Systemwide CISO Office Systemwide IT Policy UC Event Logging Standard Revision History Date: By: Contact Information: Description: 05/02/18 Robert Smith robert.smith@ucop.edu Approved by the CISOs
More informationAn Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule
An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule Legal Disclaimer: This overview is not intended as legal advice and should not be taken as such. We recommend that you consult legal
More informationPOLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents
POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...
More informationBaseline Information Security and Privacy Requirements for Suppliers
Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationDATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS Audit Report 12-31 June 15, 2012 Henry Mendoza, Chair William Hauck Steven M. Glazer Glen O. Toney Members, Committee on Audit University
More informationDRAFT. Standard 1300 Cyber Security
These definitions will be posted and balloted along with the standard, but will not be restated in the standard. Instead, they will be included in a separate glossary of terms relevant to all standards
More information