[Figure: security levels around a data warehouse project, from the outside in: Physical Security, Trusted Network, Trusted System, Trusted Application; inside them the Data Warehouse Project with its System and Technology.]

[Figure: data transfer with a mailbox: Filetransfer (access right just on the data transfer directories) -> Mailbox -> Loadprocess (full access right on the data warehouse) -> Data Warehouse.]
Introduction

Information security is an important requirement for an IT project in today's technological environment. The complexity increases with the extent of networking and the many ways of gaining access it offers. A company has to guarantee not only the availability and integrity of its data, but also its confidentiality. Every unauthorised access to systems and data has to be rejected. Hacker attacks that are uncovered are spectacular in the media, but within the company itself it is just as necessary to enforce the need-to-have principle, implementing the segregation of duties by restricting access.

The Group Internal Audit of UBS AG has built its own SAS data warehouse to have data ready for the financial auditors. Because of the sensitivity of the assets we had to implement strong security features, and therefore developed a security concept for our own data warehouse. To make a data warehouse (or any other database) a highly trusted system, measures have to be taken at several levels. In this paper I deal with the particular security concepts that are of interest to data warehouse projects; I do not discuss the general security requirements of a company. I focus on the conceptual level and refer to our implementation as an example.
Security Levels

Looking at it from the aspect of data security, the following levels can be distinguished according to the respective measures.

Physical Security: Sensitive systems can be protected in dedicated safety areas such as data centres, with rigorous access control and protection against environmental and hazard risks.

Trusted Network: An internal network can be safeguarded against the outside by firewalls. A firewall system controls access and data transfers from the outside world into the trusted internal network of a company. Additional encryption of the data offers more security. A central function is the access control of processes and users by a strong authentication algorithm.

Trusted System: Operating system security includes all measures that protect the central and critical functions of an operating system. For example, users have to change their passwords, but under no circumstances are they allowed to access someone else's password. The access of processes and users to data, for example on a data warehouse server, has to be restricted according to their responsibilities (need-to-have principle). This access control is based on the authorisation concept. Another important area is database security, which can be implemented in the operating system, within the database or in the applications.

Trusted Application: This includes database security if it is built into the application. The security of a client/server connection (SAS-to-SAS connection) also has to be analysed, particularly if the interface links a trusted server with an untrusted desktop.

Of these security measures, I deal with three particular subjects in this paper. Because physical, network and operating system security are mostly the tasks of specialised groups in a company, I concentrate on the areas that a data warehouse project itself has to consider:

1. Access control of the data transfer processes on information in the data warehouse.
2. Authorisation concept and database security.
3. Client/server connection (SAS/CONNECT and SAS/SHARE) from a desktop to a data warehouse or data mart server.
Access Control of Processes

This part describes the security risks of the transfer and load processes that bring data into a data warehouse. Often data is delivered regularly from operational systems to the data warehouse using file transfers such as FTP. Post-processing programs are used to start the data load process automatically after the transfer; these programs call the data loading programs (SAS or others). Because the post-processings are directly linked to the load processes by these calls, they also need the access rights of the loading processes: they form a chain that inherits access rights. The post-processings therefore have not only read but also write access to the data in the data warehouse itself. The risk of such a chain of processes is that access to data in the data warehouse becomes possible over the external interface.

To fulfil the segregation of duties, the transfer-load processes have to be divided into two independent chains of processes, each with access rights according to its task. The post-processings only have access rights on the directories of the transfer processes (delivery directories), while the load processes have access rights on the delivery directories and on the data in the data warehouse.

An elegant solution is the use of mailboxes, as we have implemented it in our data warehouse. After the file transfer into the delivery directories, the post-process that is started writes a message with the name of the transferred file into a mailbox. A wait-process becomes active as soon as the message has been written into the mailbox. It starts the loading programs (with the filename as a parameter) to load the data into the data warehouse. The transfer process and the load process both have read and write access on the receiving directories, but only the load process has full access rights on the data warehouse. The data warehouse is thus fully decoupled from the external interface of the data transfer and therefore protected against attacks over it.
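The two-chain design with a mailbox, as an added example that is not part of the original paper or the UBS OpenVMS implementation. It assumes the mailbox is a plain append-only file and that "loading" means copying a validated file from the delivery directory into a warehouse directory; the loader treats the mailbox message as untrusted input, since that message is the only thing that crosses from the transfer chain to the load chain.

```python
"""Mailbox-decoupled load chain, modelled on the two-chain design described
above.  Added example, not the UBS OpenVMS implementation: the mailbox is
a plain append-only file, the delivery and warehouse locations are ordinary
directories, and "loading" means copying a validated file into the
warehouse directory."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def post_process(mailbox: Path, transferred_name: str) -> None:
    """Post-processing step of the transfer chain.

    It knows only the delivery directory and the mailbox.  It never holds a
    reference to the warehouse, so a compromise of the transfer interface
    cannot reach warehouse data through this program.
    """
    with mailbox.open("a", encoding="utf-8") as mb:
        mb.write(transferred_name + "\n")


def validate_delivery(delivery_dir: Path, name: str) -> Optional[Path]:
    """Treat the mailbox message as untrusted input.

    Accept only a bare filename that resolves to a regular file inside the
    delivery directory; anything else is rejected before the loader runs.
    """
    if not name or name != os.path.basename(name):
        return None                      # contains path components
    candidate = (delivery_dir / name).resolve()
    if candidate.parent != delivery_dir.resolve():
        return None                      # resolved outside the delivery dir
    if not candidate.is_file():
        return None                      # not a regular delivered file
    return candidate


def wait_process(mailbox: Path, delivery_dir: Path, warehouse_dir: Path) -> dict:
    """Load chain: the only program with write access to the warehouse.

    Drains the mailbox once and loads every valid delivery.  A real
    wait-process would block on the mailbox instead; draining keeps the
    example checkable.
    """
    loaded, rejected = [], []
    if not mailbox.exists():
        return {"loaded": loaded, "rejected": rejected}
    messages = mailbox.read_text(encoding="utf-8").splitlines()
    mailbox.write_text("", encoding="utf-8")   # messages are consumed
    for msg in messages:
        src = validate_delivery(delivery_dir, msg.strip())
        if src is None:
            rejected.append(msg)
            continue
        shutil.copy2(src, warehouse_dir / src.name)   # the actual "load"
        loaded.append(src.name)
    return {"loaded": loaded, "rejected": rejected}


def demo() -> dict:
    """Constructed scenario in a temporary directory: one legitimate
    delivery and one mailbox message that names a file outside the
    delivery directory."""
    root = Path(tempfile.mkdtemp(prefix="dwh_"))
    delivery, warehouse = root / "delivery", root / "warehouse"
    delivery.mkdir()
    warehouse.mkdir()
    mailbox = root / "mailbox.txt"
    (delivery / "forex_zurich.csv").write_text("date,rate\n2024-01-02,0.93\n")
    (root / "secret.csv").write_text("never loaded\n")   # outside delivery
    post_process(mailbox, "forex_zurich.csv")
    post_process(mailbox, "../secret.csv")    # hostile or mistaken message
    result = wait_process(mailbox, delivery, warehouse)
    result["in_warehouse"] = sorted(p.name for p in warehouse.iterdir())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real system the separation is enforced by the operating system's access rights on the two directories, not by the code; the validation in the loader is the defence against a mailbox message crafted to name a file elsewhere.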
Authorisation

One of the most powerful authorisation concepts is Role-Based Access Control (RBAC). Users are members of roles corresponding to their function in the company, and access to objects and the operations on them are defined over roles. The advantages are flexible adaptation to company security policies and a reduction of security management effort. In RBAC the users are functionally assigned to roles, which allow access to objects over operations (actions). A user is a person, a role is a collection of job functions, and an operation represents the access mode on one or more (data) objects. Between users and roles, between roles and operations, and between operations and objects there are many-to-many relationships.

Example: FOREX in the Internal Audit Group, UBS AG
Our organisation is a matrix. One axis represents the product view, the other the regional view. For each product area (investment banking, asset management, ...) we have defined a role, and every member of staff of one division is allocated to this role. In the regional area each location has its own role, to which all staff of this region are allocated; they have access only to the products in their region. It is possible to build hierarchies of roles: for example, one role could be defined for each product of a region, so that the role "product" across all regions is the sum of the part roles "product per region". Because we do not need a more detailed concept than the product/region view, we have done without this hierarchical level. The next higher level is the data administration. This function contains all product and regional roles, so that the data administrator has access to all products and all regions in the data warehouse.

The operations (the access rights) on the respective objects have to be defined for each role. In an operational database system, operations can be designed along the transactions: for example, customer data is readable for many staff, but only the few staff looking after the customers have access rights to the operation "new customer". In a data warehouse the operations can normally be reduced to the read operation, because users are only allowed to read and not to update the data. The data administrator, however, has full access rights (read / write / delete) to the data. RBAC allows designing any layering of the access rights to the objects, in order to implement complex business models and guarantee the segregation of duties. A great advantage of the RBAC model is its simple and secure administration: a user just has to be granted to or revoked from roles. Thus, for example, a user auditing a product outside his division is granted the necessary role and revoked from it again after the audit has finished.
Implementation of RBAC

The implementation of the RBAC model differs from system to system. In principle it can be implemented in two places: in the operating system or in the database management system. For our data warehouse we use SAS as database (SAS datasets) and OpenVMS as operating system. Because SAS has no features to implement the authorisation concept, we had to build the RBAC model in the operating system. This implementation is quite simple under OpenVMS, because it has strong access control features. On UNIX it is not that easy, so often an additional database is used together with SAS. Before I present our solution I am going to discuss two general database security problems.
Database Security

In a database (SAS or any other) the security problem is simple if all data is either sensitive or not (see the appendix on data classification); the implementation is then best placed in the operating system. A solution is more difficult if some data is sensitive and some is not. Here the inference problem on the attribute level has to be distinguished from the multilevel database on the record level.

Inference Problem

A record may have sensitive attributes. If no unauthorised access at all is allowed on these attributes, they can be protected with a higher security level in the database itself (if the database system offers this feature), or views can be defined that contain only the uncritical attributes. But if statistics on the sensitive attributes are also allowed at a lower access level, it is possible with adroit queries to draw conclusions about a sensitive attribute. Today only two control mechanisms are known: suppression and concealing.

Suppression: Statistics are not reported or printed if they lie beyond a critical value, for example the values zero and 1, or values under 10.

Concealing: In principle only approximate values are reported. Approximate values can be a range (the value lies between 100 and 200), rounded values (e.g. rounded to 10), statistics on samples, or a query-control engine. The last method is very costly, because the engine has to check each query against the previous reports and find out whether a conclusion about the sensitive attributes is possible or not.

Mostly no control of the inference problem is implemented, because there is no perfect solution; but it is important to know the risk. We have solved the problem on the organisational level: unauthorised persons have to have their queries and statistics run by authorised staff. The reports are checked and handed out if there is no critical information on them.
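Suppression and concealing applied to group statistics over a sensitive attribute, as an added example that is not part of the original paper. The records, the group sizes and the thresholds (minimum count 10, rounding to 10, ranges of width 500) are constructed; the point is that a group with a single contributor would otherwise publish that person's value exactly.

```python
"""Suppression and concealing for statistics over a sensitive attribute, the
two control mechanisms named above.  Added example, not part of the paper;
the records and the thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: audit findings with the sensitive attribute "loss".
# Zurich has 12 records, London 3 and Singapore a single one.
RECORDS: List[dict] = (
    [{"region": "zurich", "loss": 100 + 7 * i} for i in range(12)]
    + [{"region": "london", "loss": 250 + 30 * i} for i in range(3)]
    + [{"region": "singapore", "loss": 4130}]
)


def aggregate(records, group_by, attr) -> Dict[str, Tuple[int, int]]:
    """Exact per-group (count, total), as an unrestricted query returns it."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for rec in records:
        g = totals[rec[group_by]]
        g[0] += 1
        g[1] += rec[attr]
    return {k: (v[0], v[1]) for k, v in totals.items()}


def suppress(stats, min_count=10):
    """Suppression: groups with fewer than min_count contributors are not
    reported (None).  A group of size 1 would otherwise disclose that
    single person's sensitive value exactly."""
    return {k: (v if v[0] >= min_count else None) for k, v in stats.items()}


def conceal_round(value: int, unit: int = 10) -> int:
    """Concealing by rounding to the nearest multiple of unit."""
    return int(round(value / unit)) * unit


def conceal_range(value: int, width: int = 500) -> Tuple[int, int]:
    """Concealing by reporting only the interval that contains the value."""
    lo = (value // width) * width
    return lo, lo + width


def report(records, group_by="region", attr="loss", min_count=10,
           unit=10, width=500) -> Dict[str, Optional[dict]]:
    """Statistics as they may be handed to a lower access level: small
    groups suppressed, the remaining totals concealed."""
    out: Dict[str, Optional[dict]] = {}
    exact = aggregate(records, group_by, attr)
    for group, stat in suppress(exact, min_count).items():
        if stat is None:
            out[group] = None
            continue
        count, total = stat
        out[group] = {
            "count": count,
            "total_rounded": conceal_round(total, unit),
            "total_range": conceal_range(total, width),
        }
    return out


if __name__ == "__main__":
    print(aggregate(RECORDS, "region", "loss"))   # exact, for authorised staff
    print(report(RECORDS))                        # controlled output
```

As the text notes, these controls reduce but do not remove the inference risk; a query-control engine that compares each new query against earlier reports is the costly alternative.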
Multilevel Database

If a database file contains sensitive and non-sensitive records, there are various simple and complex methods to guarantee data security. The most important are the following:

1. The datafile is split physically into a sensitive and a non-sensitive part. The access control can then be implemented easily in the operating system.
2. The sensitive records are stored encrypted. Only authorised staff who know the key have access to the data. The key management is an issue.
3. Trusted front-end with filters: a filter automatically adds security conditions to a query. For this, each record has to contain information about its security level.
4. Different views can be created depending on the security level. Access to a view can be implemented in the operating system.

In our data warehouse we have chosen the easiest solution and split up the database.

The Implementation of the SAS Data Warehouse of Group Internal Audit

We store all data in our data warehouse in SAS datasets. Because SAS does not have direct authorisation features, we had to implement our authorisation concept in the operating system. With OpenVMS we have chosen an operating system with robust authorisation features that can fulfil our security requirements.
For each UBS division and each region we have created a separate disk directory. The data is physically stored in the directory of the division (for example FOREX in the division investment banking), but split into one file per region. This makes sense because usually a product is audited in only one region, so the union of a product over all regions is rarely used. So that the users of the regions can access the data, we have implemented hard links from the region directory to the physical regional file in the division directory; the system behaves as if the region file were stored in the region directory. Each of these files is assigned the following access rights in the ACL (access control list): the role of the investment banking user, the role of the particular regional user and the role of the database manager. All users have read rights on the datafiles, but only the data manager role has read / write / delete access on the data. In this way we have defined all roles and implemented them in the operating system in the ACL with identifiers.
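The role model from the Authorisation section and the per-file ACL just described, as one added example that is not part of the original paper or the OpenVMS implementation. It models a division role and a region role per regional file, a database manager role that contains all of them (the role hierarchy), an ACL on each file listing those roles, and the grant/revoke of a division role for an audit outside the auditor's own division; all role, user and dataset names are constructed.

```python
"""Role-based access control with per-file ACLs, as described above for the
Internal Audit data warehouse: one role per division (product), one per
region, a database manager role containing all of them, and an ACL on each
regional file listing the division role, the region role and the database
manager role.  Added example in Python, not the OpenVMS ACL implementation;
role, user and dataset names are constructed."""
from typing import Dict, FrozenSet, Set, Tuple

READ, WRITE, DELETE = "read", "write", "delete"
ALL_RIGHTS: FrozenSet[str] = frozenset({READ, WRITE, DELETE})
Dataset = Tuple[str, str]               # (division/product, region)


class Rbac:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}        # role -> contained roles
        self.members: Dict[str, Set[str]] = {}      # user -> roles granted
        self.acl: Dict[Dataset, Dict[str, FrozenSet[str]]] = {}

    def add_role(self, name: str, contains=()) -> None:
        self.roles[name] = set(contains)

    def grant(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.members.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.members.get(user, set()).discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        """Expand the role hierarchy: holding a role implies its sub-roles."""
        todo = list(self.members.get(user, set()))
        seen: Set[str] = set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.roles.get(r, ()))
        return seen

    def rights(self, user: str, ds: Dataset) -> FrozenSet[str]:
        """Union of the ACL entries whose identifier the user holds; a user
        holding none of the listed roles gets nothing (default deny)."""
        held = self.effective_roles(user)
        granted: Set[str] = set()
        for role, perms in self.acl.get(ds, {}).items():
            if role in held:
                granted |= perms
        return frozenset(granted)

    def can(self, user: str, op: str, ds: Dataset) -> bool:
        return op in self.rights(user, ds)


def build_warehouse(divisions, regions) -> Rbac:
    """One file per (division, region); each ACL names the division role
    and the region role with read only, and the database manager with
    full rights."""
    rbac = Rbac()
    for d in divisions:
        rbac.add_role(f"div_{d}")
    for r in regions:
        rbac.add_role(f"region_{r}")
    rbac.add_role("db_manager", contains=[f"div_{d}" for d in divisions]
                  + [f"region_{r}" for r in regions])
    for d in divisions:
        for r in regions:
            rbac.acl[(d, r)] = {
                f"div_{d}": frozenset({READ}),
                f"region_{r}": frozenset({READ}),
                "db_manager": ALL_RIGHTS,
            }
    return rbac


def demo() -> dict:
    """Constructed scenario: an asset management auditor in Zurich is
    granted the investment banking role for one audit and revoked after."""
    rbac = build_warehouse(["investment_banking", "asset_management"],
                           ["zurich", "london"])
    rbac.grant("auditor", "div_asset_management")
    rbac.grant("auditor", "region_zurich")
    rbac.grant("admin", "db_manager")
    forex_london = ("investment_banking", "london")
    before = rbac.can("auditor", READ, forex_london)
    rbac.grant("auditor", "div_investment_banking")      # for the audit
    during = rbac.can("auditor", READ, forex_london)
    rbac.revoke("auditor", "div_investment_banking")     # audit finished
    after = rbac.can("auditor", READ, forex_london)
    return {
        "own_division_any_region": rbac.can("auditor", READ, ("asset_management", "london")),
        "own_region_any_division": rbac.can("auditor", READ, ("investment_banking", "zurich")),
        "outside_before": before, "outside_during": during, "outside_after": after,
        "auditor_write": rbac.can("auditor", WRITE, ("asset_management", "zurich")),
        "admin_rights": sorted(rbac.rights("admin", forex_london)),
    }


if __name__ == "__main__":
    print(demo())
```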
Client/Server Connection

In a SAS data warehouse the client/server connection is based on SAS/SHARE or SAS/CONNECT. I am going to analyse these two modules for their strengths and weaknesses from the point of view of data security. A client/server connection should at least fulfil the following requirements:

1. The password and username for connecting are transferred encrypted.
2. The data may be transferred encrypted from the server to the client, depending on the security level of the data.
3. No direct access to the operating system.
4. Regular password change.
5. High network traffic is to be avoided.

SAS/CONNECT as well as SAS/SHARE have positive and negative points concerning data security. The following is based on SAS/CONNECT without a spawner program, which would probably give more security, because for OpenVMS no spawner is available.

SAS/SHARE:
1. Optionally username and password can be encrypted.
2. The data between server and client is transferred unencrypted.
3. No direct access to the operating system, because a user account can be set as disuser on the operating system (no direct login). The authorisation takes place over the share server using the access control list of the operating system.
4. How the password can be changed is unclear.
5. Probably high network traffic, because the query runs from the client.

SAS/CONNECT:
1. Username and password are transferred in clear text, since SAS/CONNECT is built on a hidden terminal-based connection.
2. The data between server and client is transferred unencrypted.
3. Because a user owns a login on the operating system level, he has direct access to the operating system.
4. The password can be changed.
5. The network traffic is minimal, because the queries are fully executed on the remote server.

Whether these disadvantages are significant for a data warehouse project or not has to be decided in the individual case, as well as the measures that follow from that. We have built in more security features on the client side (LAN) to guarantee the required data security.
Final Remarks

How many security measures a project implements in a data warehouse is a question of weighing up costs and risks. Minimising the risks can be quite cost-intensive. On the other hand, risks can be consciously accepted because the possible damage is acceptable. But it is important to know the risks: the greatest dangers are the unknown risks, which may cause greater damage to a company when they materialise.

Appendix: data classification

An example of a data classification:

Class | Description           | Protection need | Scope of protection
0     | generally accessible  | none            | generally accessible (in electronic form: protection against unauthorised changes)
1     | for internal use      | normal          | access and viewing restricted to bank employees (within the scope of their business activities); no comprehensive analysis of customer relations or business activities possible
2     | confidential          | elevated        | access and viewing restricted to the persons designated by the data owner; customer relations or business activities cannot be inferred by unauthorised third parties
3     | strictly confidential | qualified       | additionally to class 2: access and viewing only for particular persons or groups of persons designated by the data owner
4     | secret                | absolute        | additionally to class 3: access and viewing only for particular persons designated by the data owner

Christina von Rotz
Associate Director, IT Analyst
UBS AG Group Internal Audit
Bahnhofstrasse 45
P.O. Box, CH-8098 Zürich
Tel: Fax:
christina.von-rotz ubs.com
More informationGuide to cyber security/cip specifications and requirements for suppliers. September 2016
Guide to cyber security/cip specifications and requirements for suppliers September 2016 Introduction and context The AltaLink cyber security/cip specification and requirements for suppliers (the standard)
More informationINCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for
More informationREPORTING INFORMATION SECURITY INCIDENTS
INFORMATION SECURITY POLICY REPORTING INFORMATION SECURITY INCIDENTS ISO 27002 13.1.1 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-13.1.1 Version No: 1.0 Date: 1 st
More information? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week
Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project
More informationComputer Security 3e. Dieter Gollmann. Chapter 5: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 5: 1 Chapter 5: Access Control Chapter 5: 2 Introduction Access control: who is allowed to do what? Traditionally, who is a person.
More informationProviding Users with Access to the SAS Data Warehouse: A Discussion of Three Methods Employed and Supported
Providing Users with Access to the SAS Data Warehouse: A Discussion of Three Methods Employed and Supported Cynthia A. Stetz, Merrill Lynch, Plainsboro, NJ Abstract A Data Warehouse is stored in SAS datasets
More informationHosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2010 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationOracle Advanced Security: Enterprise User Management. An Oracle Technical White Paper November 1999
Advanced Security: Enterprise User Management An Technical White Paper Advanced Security: Enterprise User Management THE CHALLENGES OF USER MANAGEMENT Some of the challenges faced by an enterprise today
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationDefinition of Internal Control
Definition of Internal Control - To address and limit potential risks - designed, implemented and maintained by those charged with governance to provide reasonable assurance about the achievement of the
More informationInformation Security. Structure. Common sense security. Content. Corporate security. Security, why
Information Security Teemupekka Virtanen Helsinki University of Technology Telecommunication Software and Multimedia Laboratory teemupekka.virtanen@hut.fi Structure 1. Information security What, why, content
More informationCondor Local File System Sandbox Requirements Document
Condor Local File System Sandbox Requirements Document Requirements Document 1 1 Table of Contents 1 Table of Contents 2 2 Introduction 3 3 Describing the problem space 3 4 Defining the project's scope
More informationA guide to the Cyber Essentials Self-Assessment Questionnaire
A guide to the Cyber Essentials Self-Assessment Questionnaire Introduction Cyber Essentials and Cyber Essentials Plus Information brought to you by APMG International 1 P a g e Cyber Essentials was always
More informationData Classification, Security, and Privacy
Data Classification, Security, and Privacy Jennifer Bayuk Securities Industry and Financial Markets Association Internal Audit Division October, 2007 Overview of Information Classification Logical Relationship
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationCOMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy
COMPUTER & INFORMATION TECHNOLOGY CENTER Information Transfer Policy Document Controls This document is reviewed every six months Document Reference Document Title Document Owner ISO 27001:2013 reference
More informationData protection policy
Data protection policy Context and overview Introduction The ASHA Centre needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees
More informationTrust Enhanced Cryptographic Role-based Access Control for Secure Cloud Data Storage
1 Trust Enhanced Cryptographic Role-based Access Control for Secure Cloud Data Storage Lan Zhou,Vijay Varadharajan,and Michael Hitchens Abstract Cloud data storage has provided significant benefits by
More informationThe Learner can: 1.1 Describe the common types of security breach that can affect the organisation, such as:
Unit Title: OCR unit number 38 Level: 3 Credit value: 12 Guided learning hours: 100 Unit reference number: Security of ICT Systems D/500/7220 Candidates undertaking this unit must complete real work activities
More informationSAS SOLUTIONS ONDEMAND
DECEMBER 4, 2013 Gary T. Ciampa SAS Solutions OnDemand Advanced Analytics Lab Birmingham Users Group, 2013 OVERVIEW SAS Solutions OnDemand Started in 2000 SAS Advanced Analytics Lab (AAL) Created in 2007
More informationIndustry Classification Methodology Guide. ISE Cyber Security Industry Classification
Industry Classification Methodology Guide ISE Cyber Security Industry Classification 1 Table of Contents Chapter 1. Introduction... 3 Chapter 2. Industry Classification... 4 2.1. Structure and Changes...
More informationSMart esolutions Information Security
Information Security Agenda What are SMart esolutions? What is Information Security? Definitions SMart esolutions Security Features Frequently Asked Questions 12/6/2004 2 What are SMart esolutions? SMart
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationEnterprise Data Access Management in a Multi-Tenant SAS BI environment
Paper 891-2017 Enterprise Data Access Management in a Multi-Tenant SAS BI environment ABSTRACT Chun-Yian Liew, ING Bank N.V. Sometimes it might be beneficial to share a SAS Business Intelligence environment
More informationFull file at https://fratstock.eu
CISSP Guide to Security Essentials, 2 nd Edition Solutions 2 1 CISSP Guide to Security Essentials, 2 nd Edition Chapter 2 Solutions Review Questions 1. The process of obtaining a subject s proven identity
More informationCyber Resilience - Protecting your Business 1
Cyber Resilience - Protecting your Business 1 2 Cyber Resilience - Protecting your Business Cyber Resilience - Protecting your Business 1 2 Cyber Resilience - Protecting your Business Cyber Resilience
More informationData protection. 3 April 2018
Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd
More information1. Security of your personal information collected and/or processed through AmFIRST REIT s Web Portal; and
Security Statement About this Security Statement This AmFIRST Real Estate Investment Trust s ( AmFIRST REIT ) Web Portal Security Statement ( Security Statement ) applies to AmFIRST REIT s website at www.amfirstreit.com.my.
More informationKeeping your healthcare information secure: Simple security and privacy tips
Keeping your healthcare information secure: Simple security and privacy tips This guide provides awareness of privacy settings that you can use to adjust your My Health Record to suit your own requirements.
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationCyber Essentials Questionnaire Guidance
Cyber Essentials Questionnaire Guidance Introduction This document has been produced to help companies write a response to each of the questions and therefore provide a good commentary for the controls
More informationTop-Down Network Design
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer 1 Network Security Design The steps for security design are: 1. Identify
More informationMedical Sciences Division IT Services (MSD IT)
Medical Sciences Division IT Services (MSD IT) Security Policy Effective date: 1 December 2017 1 Overview MSD IT provides IT support services support and advice to the University of Oxford Medical Sciences
More informationIntroduction to Security and User Authentication
Introduction to Security and User Authentication Brad Karp UCL Computer Science CS GZ03 / M030 14 th November 2016 Topics We ll Cover User login authentication (local and remote) Cryptographic primitives,
More informationANZ TRANSACTIVE ADMINISTRATOR GUIDE
ANZ TRANSACTIVE ADMINISTRATOR GUIDE Table of Contents Introduction to ANZ TRANSACTIVE About this guide 3 Learning about ANZ Transactive 3 Minimum specifications 5 ANZ Transactive security information 6
More informationGeneral Information for Service Bureau
SWIFTNet Connectivity Service Bureau General Information for Service Bureau This document provides an overview of how to establish and use a SWIFT Service Bureau. 12 October 2006 Service Bureau Legal Notices
More informationISAE 3402-II. LESSOR Group. April 2016
Independent service auditor s assurance report on the description of controls, their design and operating effectiveness regarding the operation of hosted services for the period 01-04-2015 to 31-03-2016
More information