STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Size: px
Start display at page:

Download "STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:"

Transcription

1 STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security practices within the City of Toronto in protecting the City's services, privacy and sensitive security information and to report on deficiencies, along with recommendations for corrective action. Financial Implications and Impact Statement: While there are no financial implications resulting from the adoption of this report, the implementation of the recommendations in this report could improve the efficient and effective enforcement of security practices throughout the City and may result in additional costs which are unknown at this time. Recommendations: It is recommended that: (1) the Commissioner of Corporate Services, prepare a report outlining options available to the City to implement an Information Security Program designed to ensure: (a) (b) information security accountability and responsibility is clearly defined and acknowledged; all parties with a need to know, including but not limited to, information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;

2 - 2 - (c) (d) (e) (f) (g) and information systems addresses the considerations and viewpoints of all interested parties; information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information; are co-ordinated and integrated with each other and with the City s policies and procedures to create and maintain security throughout an information system; all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and the risks to information and information systems are assessed periodically; (2) the Commissioner of Corporate Services, take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task; and (3) the Commissioner of Corporate Services, implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant. Background: The need for information security is intuitive. Information security, based on effective policies, is quickly becoming a critical business enabler, driven by e-business trends. The recent approval of the Electronic Service Delivery project demonstrates the City s direction to incorporate e- business in its service delivery model. This project will provide a common service delivery window for departmental applications to be made available through the internet. Vulnerabilities can lead to security breach events which expose an organization, such as the City of Toronto, to reputation damage, at a minimum, and potentially serious financial losses. The challenge for the City is to ensure that the policies, procedures and processes in effect to mitigate information security risks are commensurate with the associated business risks. A review of the Information Security Framework for the City was identified as a priority project within Audit Services 2000 Work Plan. This report contains our observations and recommendations arising from the review.

3 - 3 - Comments: An effective information security program is considered essential for an organization the size of the City of Toronto with all of its different work locations, extended network and the service objective to provide the ratepayer and City clients with the opportunity to interact with the City electronically. Prior to amalgamation, the former municipalities varied greatly in the extent of their security related policy and procedures, the mechanism for administering the desired level of their security, and the degree of resources and energy allocated to develop, implement, maintain and enforce sound security principles and practices. To complete this review, an examination of the City s current Information Security Framework was performed. The primary objective for the review was to evaluate the effectiveness with which the City is managing information security. It should be noted that our review of the overall information security framework, in effect, did not encompass a review of specific control techniques, nor represent a compliance check with existing policy and established procedure. Rather, our review focused on evidence for the attributes and qualities of an overall security program such as; senior management commitment, cost effective information security risk management practices, defined security roles and responsibilities, a mechanism for the development and implementation of security related policy and procedures, a security awareness program and the infrastructure to monitor compliance and to ensure enforcement of approved policies and procedures. Our approach was to evaluate the City s Information Security Framework in the context of best practices that govern this area, along with general guidelines which address the following properties of information: confidentiality, integrity and availability. Accountability/Responsibility In the City s environment, best practices suggest that Council is the level of management that must initiate the call for assurance that effective information security risk management principles are followed. Executive and operational management must assure that effective information security risk management practices are in place and that compliance with policies and procedures is actively monitored. Security is a necessary cost of carrying out business and should be viewed as a component of information management that needs to be managed from a corporate perspective. Although we did not have an opportunity to examine historic documents for each former municipality, it is worth noting that, in June 1994, Council for the former Municipality of Metropolitan Toronto approved a report on Information Security Strategy, which recommended that: 1. the Security Strategy, as set out in the document, entitled Policies and Principles for the Management of Records, Data and Information Technology Security be adopted;

4 guidelines be established by the Commissioner of Corporate Services that embody the Security Strategy and serve as the basis for ensuring information security throughout the Metropolitan Corporation; 3. a team leader for the Information Security Strategy be named as the Corporate Records and Data Security Administrator to implement the strategy; and 4. the appropriate Metropolitan Officials be authorized to take the necessary action to give effect thereto. The intent of the above recommendations is in line with best practices. By approving the report, Council endorsed the establishment of effective information security risk management practices. The report also indicated management s commitment as evident by the establishment of a funded position to implement an Information Security Strategy. We found the City does not currently operate with a corporate wide Information Security Program which is centrally administered and supported with the infrastructure that such a program demands. There is no one area or employee charged with responsibility to ensure effective security policies are circulated and promoted across the City. There is no accountability for directing, co-ordinating, monitoring, communicating and reviewing the information security needs of the City. Although some job descriptions include security related duties, these responsibilities are often assigned low priority given the conflicting demands on the time of employees. Many security policies from the former municipalities exist, however, there is no clear indication which policies apply to the new City of Toronto. Further, there is no central repository for approved information security policies available to the employee, nor is there an effective employee awareness program in effect. In addition, few Business Continuity Plans exist. We believe the absence of a specific function charged with responsibility for effective security policies is a significant contributor to the City s lack of coordinated information security policies. The assignment of accountability and responsibility is key to addressing the information security needs of the City. Recommendation: 1. The Commissioner of Corporate Services, prepare a report outlining options available to the City to implement an Information Security Program designed to ensure: (a) (b) information security accountability and responsibility is clearly defined and acknowledged; all parties with a need to know, including but not limited to, information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;

5 - 5 - (c) (d) (e) (f) (g) and information systems addresses the considerations and viewpoints of all interested parties; information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information; are co-ordinated and integrated with each other and with the City s policies and procedures to create and maintain security throughout an information system; all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and the risks to information and information systems are assessed periodically. Policies and Procedures Policies and procedures are the building blocks for a strong Information Security Framework. Putting policy into place requires a special effort by the information security team, with the support of management. Similarly, updating, reviewing and revising information policies take considerable work. Maintenance of current and effective security policies would allow the City to state its information security objectives, thereby, providing guidance to in-house staff who are selecting, developing and implementing systems. A written policy can change attitudes and perspective toward security throughout the City. It also demonstrates that the City has diligently addressed information security matters which may become a significant factor should the City be challenged in this area. In the 2000 Operating Budget highlights, the program description of the Chief Administrative Officer s Office states, The CAO is accountable to Council for the policy direction and program delivery of all departments and programs. However, there is a need to more clearly define the responsibility for formulating policy governing the security of the City s information; the policy approval process; communication of approved policy to members of the organization; and the custodial requirements of approved information security policies. In the past, information policies applied only to the data-processing department. Perhaps this is the reason that ownership over the formulation and development of policy for information security gravitates to the Information Technology Division. However, today s distributed processing systems require that the scope of these policies encompass the entire organization. In fact, with the continued movement to electronic services, one could argue that the scope should include the City s customers and clients as well.

6 - 6 - With the exception of the recent project initiated by the Information Technology Division to review existing Corporate IT Standards Policies and Guidelines, the City has not undertaken an exercise to examine the various information security policies created by the former municipalities. Consequently we have a variety of policies but no official policy to support what we are doing in practice. As mentioned, the Information Technology Division has initiated a review of Corporate IT Standards Policies and Guidelines. Twenty eight documents are under examination and the review should be completed in the first quarter of The documents under review cover several areas, and in many cases, include standards and procedures which deal more with outlining a technical strategy to address a particular item. It should be noted that these documents are tailored for the Information Technology group and do not represent an attempt to formulate city-wide policies. A key element missing from this exercise is the risk assessment step. Ideally, the City should initiate its policy development effort after conducting a comprehensive information security risk assessment. This risk assessment should indicate the value of the information in question, the risks to which this information is subjected and the control vulnerabilities associated with the current method of handling this information. The results of the risk assessment drive the tone and rigour of the policies. Recommendation: 2. The Commissioner of Corporate Services, take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task. User Security Awareness Program Data and information systems are important resources and when they are misused or mismanaged, those actions would put the City at risk. It is therefore important that each City employee is educated and continually advised through a user security awareness program of the best procedures for using information assets. The awareness program sets the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure. There is currently no formal, documented security awareness program in the City. Recommendation: 3. The Commissioner of Corporate Services, implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant.

7 - 7 - Conclusion: There is a need for a management group, with a security mandate and authority, to ensure that effective and appropriate security policies and procedures are implemented. In addition to an effective organization structure, other key elements for a good security infrastructure should be addressed including, a risk assessment process, a business continuity plan and a user security awareness program. Contact: Jeffrey Griffiths, City Auditor, Tel: (416) ; Fax: (416) Jeff.Griffiths@city.toronto.on.ca Jeffrey Griffiths City Auditor dl/cg C:\DATA\Audit\Reports\2001\Department\Corp Svcs\I T\Information Security Framework Jan doc

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets. REPORT FOR ACTION IT Infrastructure and IT Asset Management Review: Phase 1: Establishing an Information Technology Roadmap to Guide the Way Forward for Infrastructure and Asset Management Date: January

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product. Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Policy. Business Resilience MB2010.P.119

Policy. Business Resilience MB2010.P.119 MB.P.119 Business Resilience Policy This policy been prepared by the Bi-Cameral Business Risk and Resilience Group and endorsed by the Management Boards of both Houses. It is effective from December to

More information

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED. Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17 GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Colin Sloey Implementation Date: September 2010 Version Number:

More information

REPORT 2015/010 INTERNAL AUDIT DIVISION

REPORT 2015/010 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI CONTENTS Overview Conceptual Definition Implementation of Strategic Risk Governance Success Factors Changing Internal Audit Roles

More information

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance. Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV

More information

General Information System Controls Review

General Information System Controls Review General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County

More information

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/149 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results

More information

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014 UNITED NATIONS DEVELOPMENT PROGRAMME AUDIT OF UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY Report No. 1173 Issue Date: 8 January 2014 Table of Contents Executive Summary

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005

More information

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here

More information

Managing Cybersecurity Risk

Managing Cybersecurity Risk Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security Government Resolution No. 2443 of February 15, 2015 33 rd Government of Israel Benjamin Netanyahu Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security It is hereby resolved:

More information

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project

More information

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value

More information

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110 Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including

More information

POSITION DESCRIPTION

POSITION DESCRIPTION UNCLASSIFIED IT Security Certification Assessor POSITION DESCRIPTION Unit, Directorate: Location: IT & Physical Security, Protective Security Wellington Salary range: H $77,711 - $116,567 Purpose of position:

More information

SAVANNAH LAKES VILLAGE PROPERTY OWNERS ASSOCIATION, INC. JOB DESCRIPTION

SAVANNAH LAKES VILLAGE PROPERTY OWNERS ASSOCIATION, INC. JOB DESCRIPTION SAVANNAH LAKES VILLAGE PROPERTY OWNERS ASSOCIATION, INC. JOB DESCRIPTION POSITION: CHIEF OPERATING OFFICER FUNCTION: Responsible for all aspects of the SLV POA day-to-day operations. In this capacity,

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO Section: Subject: Administration (AD) Data Governance AD.3.3.1 DATA GOVERNANCE PROCEDURE Legislation: Alberta Evidence Act (RSA 2000 ca-18); Copyright Act, R.S.C., 1985, c.c-42; Electronic Transactions

More information

CASA External Peer Review Program Guidelines. Table of Contents

CASA External Peer Review Program Guidelines. Table of Contents CASA External Peer Review Program Guidelines Table of Contents Introduction... I-1 Eligibility/Point System... I-1 How to Request a Peer Review... I-1 Peer Reviewer Qualifications... I-2 CASA Peer Review

More information

Manchester Metropolitan University Information Security Strategy

Manchester Metropolitan University Information Security Strategy Manchester Metropolitan University Information Security Strategy 2017-2019 Document Information Document owner Tom Stoddart, Information Security Manager Version: 1.0 Release Date: 01/02/2017 Change History

More information

General Information Technology Controls Follow-up Review

General Information Technology Controls Follow-up Review Office of Internal Audit General Information Technology Controls Follow-up Review May 19, 2015 Internal Audit Team Shannon B. Henry Chief Audit Executive Stacy Sneed Audit Manager Rod Isom Auditor Winston-Salem

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT JANUARY 2016 EXECUTIVE SUMMARY PURPOSE

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Public Safety Canada. Audit of the Business Continuity Planning Program

Public Safety Canada. Audit of the Business Continuity Planning Program Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely

More information

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive IT Governance ISO/IEC 27001:2013 ISMS Implementation Service description Protect Comply Thrive 100% guaranteed ISO 27001 certification with the global experts With the IT Governance ISO 27001 Implementation

More information

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing

More information

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018 1.0 Executive Summary Birmingham Community Healthcare NHS Foundation Trust 2017/17 Data Security and Protection Requirements March 2018 The Trust has received a request from NHS Improvement (NHSI) to self-assess

More information

Information Security Continuous Monitoring (ISCM) Program Evaluation

Information Security Continuous Monitoring (ISCM) Program Evaluation Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.! enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014

More information

Community Development and Recreation Committee

Community Development and Recreation Committee STAFF REPORT ACTION REQUIRED CD13.8 Toronto Paramedic Services Open Data Date: June 3, 2016 To: From: Wards: Reference Number: Community Development and Recreation Committee Chief, Toronto Paramedic Services

More information

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS) APPENDI 2 ommendation () () 1. The City Manager in consultation with the Chief Information Officer give consideration to the establishment of an IBMS governance model which provides for senior management

More information

FOLLOW-UP REPORT Industrial Control Systems Audit

FOLLOW-UP REPORT Industrial Control Systems Audit FOLLOW-UP REPORT Industrial Control Systems Audit February 2017 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA The Auditor of the City and County of Denver

More information

INTERNAL AUDIT DIVISION REPORT 2017/138

INTERNAL AUDIT DIVISION REPORT 2017/138 INTERNAL AUDIT DIVISION REPORT 2017/138 Audit of business continuity in the United Nations Organization Stabilization Mission in the Democratic Republic of the Congo There was a need to implement the business

More information

Subject: University Information Technology Resource Security Policy: OUTDATED

Subject: University Information Technology Resource Security Policy: OUTDATED Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005

More information

A Global Look at IT Audit Best Practices

A Global Look at IT Audit Best Practices A Global Look at IT Audit Best Practices 2015 IT Audit Benchmarking Survey March 2015 Speakers Kevin McCreary is a Senior Manager in Protiviti s IT Risk practice. He has extensive IT audit and regulatory

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture: DATA PROTECTION SELF-ASSESSMENT TOOL Protecture: 0203 691 5731 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should

More information

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy.

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy. Exam Questions CISM Certified Information Security Manager https://www.2passeasy.com/dumps/cism/ 1.Senior management commitment and support for information security can BEST be obtained through presentations

More information

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014 Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

PeopleSoft Finance Access and Security Audit

PeopleSoft Finance Access and Security Audit PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...

More information

EU General Data Protection Regulation (GDPR) Achieving compliance

EU General Data Protection Regulation (GDPR) Achieving compliance EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,

More information

Information Security Strategy

Information Security Strategy Security Strategy Document Owner : Chief Officer Version : 1.1 Date : May 2011 We will on request produce this Strategy, or particular parts of it, in other languages and formats, in order that everyone

More information

Information for entity management. April 2018

Information for entity management. April 2018 Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27006 First edition 2007-03-01 Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

_isms_27001_fnd_en_sample_set01_v2, Group A

_isms_27001_fnd_en_sample_set01_v2, Group A 1) What is correct with respect to the PDCA cycle? a) PDCA describes the characteristics of information to be maintained in the context of information security. (0%) b) The structure of the ISO/IEC 27001

More information

UNCONTROLLED IF PRINTED

UNCONTROLLED IF PRINTED 161Thorn Hill Road Warrendale, PA 15086-7527 1. Scope 2. Definitions PROGRAM DOCUMENT PD 1000 Issue Date: 19-Apr-2015 Revision Date: 26-May-2015 INDUSTRY MANAGED ACCREDITATION PROGRAM DOCUMENT Table of

More information

Audit and Compliance Committee - Agenda

Audit and Compliance Committee - Agenda Audit and Compliance Committee - Agenda Board of Trustees Audit and Compliance Committee April 17, 2018, 1:30 2:30 p.m. President s Board Room Conference Call-In Phone #1-800-442-5794, passcode 463796

More information

1997 Minna Laws Chap. February 1, The Honorable Jesse Ventura Governor 130 State Capitol Building

1997 Minna Laws Chap. February 1, The Honorable Jesse Ventura Governor 130 State Capitol Building This document is made available electronically by the Minnesota Legislative Reference Library as part of an ongoing digital archiving project. http://www.leg.state.mn.us/lrl/lrl.asp Department of Administration

More information

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents Policy Title: Approved By: ACAOM Commissioners History: Policy Implementation Date: 28 October 2016 Last Updated: Related Policies: ACAOM -Records Retention Schedule References: Responsible Official: ACAOM

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes

More information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your). Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations

More information

ISO/IEC Information technology Security techniques Code of practice for information security management

ISO/IEC Information technology Security techniques Code of practice for information security management This is a preview - click here to buy the full publication INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

Personnel Certification Program

Personnel Certification Program Personnel Certification Program ISO 9001 (QMS) / ISO 14001 (EMS) Form PC1000 Last Updated 9/11/2017 Page 1 of 14 INDEX Auditor Certification Quality or Environmental Program Pg 3-4 Certification Status

More information

Effective COBIT Learning Solutions Information package Corporate customers

Effective COBIT Learning Solutions Information package Corporate customers Effective COBIT Learning Solutions Information package Corporate customers Thank you f o r y o u r interest Thank you for showing interest in COBIT learning solutions from ITpreneurs. This document provides

More information

Sage Data Security Services Directory

Sage Data Security Services Directory Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

The University of Queensland

The University of Queensland UQ Cyber Security Strategy 2017-2020 NAME: UQ Cyber Security Strategy DATE: 21/07/2017 RELEASE:0.2 Final AUTHOR: OWNER: CLIENT: Marc Blum Chief Information Officer Strategic Information Technology Council

More information

The next generation of knowledge and expertise

The next generation of knowledge and expertise The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404

More information

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Lecture 3 Information Security Policy Jan 29, 2008 Introduction Information security policy: What it is How to write it How to implement it How to maintain it Policy

More information

Tools & Techniques I: New Internal Auditor

Tools & Techniques I: New Internal Auditor About This Course Tools & Techniques I: New Internal Auditor Course Description Learn the basics of auditing at the new internal auditor level. This course provides an overview of the life cycle of an

More information

CYBER INSIDER RISK MITIGATION MATURITY MATRIX

CYBER INSIDER RISK MITIGATION MATURITY MATRIX CYBER INSIDER RISK MITIGATION MATURITY MATRIX By Chris Hurran, OBE, Senior Associate Fellow of the Institute for Security and Resilience Studies, UCL Cyber security is increasingly recognised to be a people

More information

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI #IIACHI WWW.FACEBOOK.COM/IIACHICAGO HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 1 CAE Communications and Common Audit Committee

More information

Complaints and Compliments Policy. Date Approved: 28 September Approved By: Governing Body. Ownership: Corporate Development

Complaints and Compliments Policy. Date Approved: 28 September Approved By: Governing Body. Ownership: Corporate Development Complaints and Compliments Policy Date Approved: 28 September 2016 Approved By: Ownership: Governing Body Corporate Development Date of Issue: August 2017 Proposed Date of Review: August 2019 Date of Equality

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS ELIZABETH CITY STATE UNIVERSITY JULY 2006 OFFICE OF THE STATE AUDITOR LESLIE MERRITT, JR., CPA, CFP STATE AUDITOR AUDIT OF THE

More information

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre IDENTIFICATION Department Position Title Infrastructure Manager, Infrastructure Services Position Number Community Division/Region 32-11488 Yellowknife Technology Service Centre PURPOSE OF THE POSITION

More information

TAN Jenny Partner PwC Singapore

TAN Jenny Partner PwC Singapore 1 Topic: Cybersecurity Risks An Essential Audit Consideration TAN Jenny Partner PwC Singapore PwC Singapore is honoured to be invited to contribute to the development of this guideline. Cybersecurity Risks

More information