CSM27 Exercises. Hans Georg Schaathun. November 25.
1 Week: In session

Security problems brain storming. Classification of brain stormed problems.

1.2 Weekly Exercises

Current Security Problems. Find 3-5 news articles (printed press or WWW) about security issues, problems, or incidents. From the articles, select one or two separate incidents or issues to analyse. For each incident/issue:

1. classify the problem (confidentiality, integrity, availability);
2. identify the threat and the vulnerability;
3. identify any usability or reliability issues.

Remember that each instance may represent more than one class, threat, and vulnerability. Give reasons for your answers. Expected length about 2 pages, plus copies of the five news articles. A thorough study of a single incident is better than a shallower study of two separate incidents.

exercise.sty,v /02/28 13:33:32 css1hs Exp

2 Week: In session

Gollmann 2.7. Discuss: is a good graphical user interface an appropriate criterion for purchasing a security product?

There are arguments both ways. A good user interface is essential to avoid human errors. A good user interface can make the operator or administrator more effective: it saves time and supports methodological and systematic work. What actually constitutes a good user interface depends on the people who will be operating it. Graphical user interfaces work best for occasional users. Non-graphical user interfaces are often more efficient for expert users who use the interface frequently. Regardless of whether it is graphical or not, it needs to be good, and work for the people using it. The user interface is not sufficient, however. The user interface in itself does not buy any security; the underlying product must be effective.

2.2 Weekly Exercises

Exam Paper Preparation. Draft an Organisational Security Policy for the Exam Paper Preparation Process. You may of course use the brain stormings in class as input. Addressing only one specific process, the policy should not be long, but you should make sure to include all the key features mentioned in the lecture. Do not forget a clear Policy Objective, an extensive list of assets, and the responsibilities of the people involved. It is a good idea to list the roles of all the relevant users (convener, checker, administrator, etc.) in order to clarify their responsibilities. It does not matter if your policy fits the actual procedures of any particular university, as long as you have the basic elements of a convenor setting the exam, an independent checker for quality assurance, and an administrator to check the formalities. You may make reasonable assumptions as you see fit, but such

2.3 Extra Exercises

Gollmann 2.9. Identify the security perimeters that may be applicable when analysing personal computer (PC) security. In your analysis, consider when it is appropriate to assume that the room the PC is placed in, the PC itself, or some security module within the PC lies within the security perimeter.

With respect to some threats, the perimeter is probably always the room. At the very least, access to the room would normally allow an attacker to pull the power, making the service unavailable. With respect to confidentiality and integrity, the physical PC itself could only be outside the security perimeter if either the critical contents of the hard drive are encrypted or some tamper-proof security module prevents connecting the drive to another box. Otherwise, the disk could be removed to be copied or modified. If physical access is controlled, such as by guarding the room, the perimeter does become the room. Similarly, if the PC is portable, the perimeter becomes the interior security modules (which probably have to be tamper-resistant), because the user can take the box home and pick it to pieces.

The following is Gollmann's solution: I have the following scenarios in mind: PC with/without network connectivity; PC in a protected room; PC that cannot be removed from the office; PC with limited input facilities (e.g. only keyboard, so it is really difficult to add software manually); PC (laptop) users can take home so that they have access to the hardware; PC with a tamper-resistant security module inside.

Gollmann 2.8. Look for further examples where a security mechanism in one layer can be bypassed by an attacker who has access to a layer below.

Open question. [Gollmann]: a device that can be booted with two different operating systems might serve as another example. The access control data set by one operating system will not be understood by the other operating system; access to data that has been protected at a logical level can thus be circumvented by changing the underlying operating system.

3 Week: In session

Gollmann 3.7. If you are required to use several passwords at a time, you may consider keeping them in a `password book'. A password book is a protected file containing your passwords. Access to the password book can again be controlled through a master password. What are the advantages of such a scheme? What are the disadvantages of such a scheme? Overall, do you think it is a good idea or not?

Again, there is no one correct answer. The advantages and disadvantages depend a lot on what the alternative is. Against such a solution, a password book gives a single point of failure: if the master key is compromised, everything is compromised. Furthermore, accessing the password file sometimes means showing several passwords in cleartext on the screen, vulnerable to spying and surveillance. On the other hand, good routines can reduce the risk of jeopardising the master key or key file considerably. Remembering all the individual passwords is often humanly infeasible. Forgetting passwords is unacceptable due to the loss of availability, and the solutions to recover forgotten passwords risk introducing additional
Thus, a password book may be a necessary `evil'.

3.2 Weekly Exercises

Gollmann 2.4. Medical records pose particular security problems. Assume that your medical records can be accessed on-line. On one hand, this information is sensitive and should be protected from disclosure. On the other hand, in an emergency it is highly desirable that whoever treats you has access to your record. Create a plan for how prevention, detection, and recovery can be used to secure a medical records system. Does your plan depend on identification and authentication? In what way? Give reasons for your answers.

The answers are open to personal preferences. Prevention may be the most obvious approach, but there is a strong case that detection may be effective. If abuse can be detected, typically abuse by medical personnel, then both disciplinary and judicial actions can be taken. Medical personnel abusing their access could at the very least lose their licence to practise. This would deter most of them from abuse. More severe punishment or demands for compensation would deter more potential abusers. Although prevention may look like the natural choice, it is potentially harmful, as too restrictive policies can prevent access in an emergency. One could, however, look for solutions where access depends on two keys, such as one smart card carried by the patient and one key available to registered health personnel. But would every patient always carry their card? Access should obviously be restricted to health personnel, so it should depend on a token (smart card) issued to registered medical professionals. If that token is personal, identifying the user, each on-line access can be logged to provide an audit trail. The patients could then be allowed to inspect who has viewed their data, and be allowed to report any suspicious access. Reported incidents would then be subject to appropriate disciplinary and judicial actions.

Assume that you are only allowed to use the 26 characters from the English alphabet (case insensitive) and the 10 digits (0-9) to construct passwords.

1. How many different passwords are possible if a password is exactly n characters long, for n = 4, 6, 8?

The number of passwords of length n is $36^n$.

2. Suppose the passwords are made case sensitive. How many different passwords are now possible for lengths n = 4, 6, 8?
The alphabet has increased to 62 characters, so we get $62^n$.

3. How many passwords are possible if the length is at most n, for n = 4, 6, 8? We are still assuming 26 lower-case letters, 26 upper-case letters, and 10 digits.

3.3 Extra Exercises

The following exercises will not be assessed or discussed in session, but they are good, exam-relevant training. You may also want to see the `Exercise Samples' on the web pages for relevant exercises with sample solutions from last year.

From Gollmann Chapter

Assume that passwords have length six and all alphanumerical characters, upper and lower case, can be used in their construction. How long will a brute force attack take on average if (a) it takes one tenth of a second to check a password, or (b) it takes a microsecond to check a password?

There are 62 symbols and $62^6$ possible passwords. In the first case the search takes 90 years; in the second it takes 8 h. The purpose of the exercise is to demonstrate that speed-ups in password checking are not relevant to individual end users but help an attacker. (Gollmann)

3.4 Assume that you are only allowed to use the 26 characters from the alphabet to construct passwords of length n. Assume further that you are using the same password in two systems where one accepts case sensitive passwords but the other does not. Give an upper bound on the number of attempts required to guess the case sensitive version of a password.

You should search first for the case-insensitive password, using $26^n$ checks. Having found this, there are $2^n$ possible combinations of upper/lower case. The total number of checks needed is then $26^n + 2^n$.

4 Week: In session

[Gollmann 4.3] Discuss: What are the differences between groups and roles, if there are any differences at all?

[Gollmann 4.9] You are given a set of categories. Implement a lattice-based need-to-withhold policy where you selectively withdraw access rights from subjects.
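The password counts of 3.2 to 3.4 above, worked through in Python as an added example that is not part of the exercise sheet. It also answers question 3 (length at most n), which the sheet leaves open, and it assumes, as the sheet's 90-year and 8-hour figures do, that an average brute-force search tries half the space, with a year of 365.25 days.

```python
"""Password-space arithmetic for the CSM27 password exercises.

Added example, not from the original exercise sheet. Alphabet sizes are
taken from Python's string module: 26 letters, 52 letters with case,
10 digits.
"""
import string

CASE_INSENSITIVE = len(string.ascii_lowercase + string.digits)  # 36 symbols
CASE_SENSITIVE = len(string.ascii_letters + string.digits)      # 62 symbols
LETTERS_ONLY = len(string.ascii_lowercase)                      # 26 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60   # assumption: Julian year
SECONDS_PER_HOUR = 60 * 60


def exact_length(alphabet_size: int, n: int) -> int:
    """Passwords of exactly n symbols: each position is chosen independently."""
    return alphabet_size ** n


def at_most_length(alphabet_size: int, n: int) -> int:
    """Passwords of length 1..n (question 3): sum the exact-length counts."""
    return sum(alphabet_size ** k for k in range(1, n + 1))


def average_search_seconds(space: int, seconds_per_check: float) -> float:
    """Expected brute-force time: on average half the space is tried
    before the correct password is reached (assumption stated above)."""
    return (space / 2) * seconds_per_check


def case_recovery_bound(n: int) -> int:
    """Upper bound from 3.4: 26^n guesses recover the case-insensitive
    password, then at most 2^n further guesses settle the case of each
    letter."""
    return LETTERS_ONLY ** n + 2 ** n


def sheet_answers() -> dict:
    """Every figure the sheet quotes, computed rather than looked up."""
    six = exact_length(CASE_SENSITIVE, 6)
    return {
        "exact_36": {n: exact_length(CASE_INSENSITIVE, n) for n in (4, 6, 8)},
        "exact_62": {n: exact_length(CASE_SENSITIVE, n) for n in (4, 6, 8)},
        "at_most_62": {n: at_most_length(CASE_SENSITIVE, n) for n in (4, 6, 8)},
        # The same 62^6 space checked at two speeds: the speed-up only
        # matters to whoever is searching the whole space.
        "years_at_0.1s": average_search_seconds(six, 0.1) / SECONDS_PER_YEAR,
        "hours_at_1us": average_search_seconds(six, 1e-6) / SECONDS_PER_HOUR,
        "case_bound": {n: case_recovery_bound(n) for n in (4, 6, 8)},
    }


if __name__ == "__main__":
    for key, value in sheet_answers().items():
        print(f"{key}: {value}")
```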
4.2 Weekly Exercises

Suppose you have M users on a system, each of whom has 50 files. You distinguish between alter, observe, and execute for each file. How many bytes do you need to store the access control matrix for these users and files when M = 10, M = 100, M = 500, M = 4415?

We have 50M files and M users, so the access matrix has $50M^2$ entries. Each entry is 3 bits (for three access modes), so we need $150M^2$ bits to store it. Use a calculator to calculate the exact size for different M.

[Gollmann 4.6] Let $(L, \leq)$ be a lattice of security levels where L is a finite set. Show that unique elements System Low and System High must exist in such a lattice. By System Low we mean a security level which is dominated by every other security level. Similarly, System High is a level dominating every other security level.

(This proof is simpler than the one attempted in class.) Assume that there is no element System High. Then there must be two elements A and B such that there is no element $X \in L$ with $A < X$ or $B < X$. (That is, two elements A and B which are not dominated by a common element different from A and B.) Since A and B have a least upper bound by definition, we get $A = \mathrm{lub}(A, B) = B$. Assume then that System High is not unique, so that A and B are both System High. Then we have $A \leq B$ and $B \leq A$, implying $A = B$ by the definition of a partial ordering. It follows by contradiction that there is a unique System High. The proof for System Low is similar.

Consider the graph of user and group privileges in the slide on Group-based access control. Explain why the graph is not a lattice. What change would you have to make to turn it into a lattice?

The graph does not have a greatest lower bound of all its elements (a System Low). To turn it into a lattice, System Low would have to be added, e.g. as a `nobody' user dominated by every file.

4.3 Extra Exercises

Gollmann 4.5. You are given a security policy stating that a subject has access to an object if and only if the security level of the subject dominates the security level of the object. What is the effect of using this lattice with this policy?

(Figure: a lattice of the user labels root, uid1, uid2, uid3 and guest.)

Users (uid1, uid2, uid3) have access to their own files as well as those of guest. Guest has access only to her own files and nothing else. Root has access to everything.

Gollmann 4.7. Construct the lattice of security labels for the security levels `public', `confidential', and `strictly confidential', and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential, students) in a need-to-know policy? How many labels can be constructed from n security levels and m categories? For illustration, consider the values n = 16 and m = 64. Draw the lattice following the model from the slides.

A subject with (confidential, {students}) can see objects with (confidential, {students}), (public, {students}), (confidential, $\emptyset$), or (public, $\emptyset$). You have n security levels and m categories. Because each category can be either present or not, we get $2^m$ combinations of categories. Any combination of categories can be combined with any security level, giving $n \cdot 2^m$ security labels. For $n = 16 = 2^4$ and $m = 64$, we get security labels.
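Gollmann 4.5, 4.6 and 4.7 above can be checked mechanically. The following is an added example, not part of the exercise sheet: it builds the (level, categories) label lattice under the dominance relation, lists what a subject sees under need-to-know, checks the System High / System Low property on a finite set of labels, and evaluates the uid lattice of 4.5; the pair set UID_ORDER is my reading of the sheet's figure (root above uid1, uid2, uid3, all above guest), taken from the solution text.

```python
"""Finite security lattices for Gollmann exercises 4.5, 4.6 and 4.7.

Added example, not from the original exercise sheet. LEVELS and
CATEGORIES are the ones named in 4.7; UID_ORDER is an assumption
reconstructed from the solution to 4.5.
"""
from itertools import product

LEVELS = ("public", "confidential", "strictly confidential")  # low to high
CATEGORIES = ("ADMIN", "LECTURERS", "STUDENTS")


def label_dominates(a, b):
    """(level, cats) a dominates b iff its level is at least b's and its
    category set is a superset of b's."""
    return LEVELS.index(a[0]) >= LEVELS.index(b[0]) and a[1] >= b[1]


def all_labels(levels=LEVELS, categories=CATEGORIES):
    """Every (level, subset of categories) pair: n * 2^m labels in total."""
    labels = []
    for level in levels:
        for bits in product((False, True), repeat=len(categories)):
            cats = frozenset(c for c, on in zip(categories, bits) if on)
            labels.append((level, cats))
    return labels


def label_count(n, m):
    """Closed form from the sheet: n levels times 2^m category subsets."""
    return n * 2 ** m


def visible(subject, objects, dominates=label_dominates):
    """Need-to-know: a subject sees exactly the objects its label dominates."""
    return [o for o in objects if dominates(subject, o)]


def least_upper_bound(a, b, elements, dominates):
    """Smallest element dominating both a and b, or None if there is none."""
    uppers = [x for x in elements if dominates(x, a) and dominates(x, b)]
    for x in uppers:
        if all(dominates(y, x) for y in uppers):
            return x
    return None


def greatest_lower_bound(a, b, elements, dominates):
    """Mirror image of least_upper_bound, obtained by flipping the relation."""
    return least_upper_bound(a, b, elements, lambda x, y: dominates(y, x))


def is_lattice(elements, dominates):
    """A finite poset is a lattice iff every pair has a lub and a glb."""
    return all(
        least_upper_bound(a, b, elements, dominates) is not None
        and greatest_lower_bound(a, b, elements, dominates) is not None
        for a in elements for b in elements
    )


def system_high(elements, dominates):
    """Exercise 4.6: the unique element dominating every other one."""
    tops = [x for x in elements if all(dominates(x, y) for y in elements)]
    return tops[0] if len(tops) == 1 else None


def system_low(elements, dominates):
    """Exercise 4.6: the unique element dominated by every other one."""
    return system_high(elements, lambda x, y: dominates(y, x))


# Exercise 4.5 (assumed reading of the figure): (higher, lower) pairs of
# the dominance relation, already closed under transitivity.
UID_ORDER = {
    ("root", "uid1"), ("root", "uid2"), ("root", "uid3"), ("root", "guest"),
    ("uid1", "guest"), ("uid2", "guest"), ("uid3", "guest"),
}
UIDS = ("root", "uid1", "uid2", "uid3", "guest")


def uid_dominates(a, b):
    return a == b or (a, b) in UID_ORDER


def uid_access(subject):
    """Objects a subject may access under 'subject dominates object'."""
    return [o for o in UIDS if uid_dominates(subject, o)]


if __name__ == "__main__":
    subject = ("confidential", frozenset({"STUDENTS"}))
    for level, cats in visible(subject, all_labels()):
        print(f"({level}, {set(cats) or '{}'})")
    print("labels for n=16, m=64:", label_count(16, 64))
```

Removing guest from UIDS removes the System Low, and is_lattice then reports False because uid1 and uid2 no longer share a lower bound.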
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationCredentials Policy. Document Summary
Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017 1. Purpose and Scope The Royal Holloway Credentials Policy
More informationDesign and Analysis of Algorithms Prof. Madhavan Mukund Chennai Mathematical Institute. Week 02 Module 06 Lecture - 14 Merge Sort: Analysis
Design and Analysis of Algorithms Prof. Madhavan Mukund Chennai Mathematical Institute Week 02 Module 06 Lecture - 14 Merge Sort: Analysis So, we have seen how to use a divide and conquer strategy, we
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries
More informationSecurity. ITM Platform
Security ITM Platform Contents Contents... 0 1. SaaS and On-Demand Environments... 1 1.1. ITM Platform configuration modes... 1 1.2. Server... 1 1.3. Application and Database... 2 1.4. Domain... 3 1.5.
More informationU.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27005 Risk Manager The objective of the Certified ISO/IEC 27005 Risk Manager examination is to ensure that the candidate has the knowledge and the skills to
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationNew attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],
New attacks on the MacDES MAC Algorithm Don Coppersmith IBM Research T. J. Watson Research Center Yorktown Heights, NY 10598, USA copper@watson.ibm.com Chris J. Mitchell Information Security Group Royal
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Auditor www.pecb.com The objective of the Certified ISO 22000 Lead Auditor examination is to ensure that the candidate has
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationFull file at https://fratstock.eu
CISSP Guide to Security Essentials, 2 nd Edition Solutions 2 1 CISSP Guide to Security Essentials, 2 nd Edition Chapter 2 Solutions Review Questions 1. The process of obtaining a subject s proven identity
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27002 Manager The objective of the PECB Certified ISO/IEC 27002 Manager examination is to ensure that the candidate has the knowledge for implementing information
More informationThe checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.
3 Design The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you. Data oriented design requirements Minimise and
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationNasty Nine Information Security Mistakes
Nasty Nine Information Security Mistakes Peter Tippett CEO, HealthCelerate The Nasty Nine Slide 2 1. Risk is most related to vulnerability 2. Best way to reduce risk: implement stronger solutions, policies
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationMedical Device Cybersecurity: FDA Perspective
Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More informationThe Eight Rules of Security
The Eight Rules of Security The components of every security decision. Understanding and applying these rules builds a foundation for creating strong and formal practices through which we can make intelligent
More informationDisaster Recovery Self-Audit
Disaster Recovery Self-Audit Disaster Recovery Audit There are 3 steps to this process: 1. Identify all data and IT-related functions (like credit card processing, documents on your file server, member
More informationContents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Symbolic Links 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical
More informationPASSWORD SECURITY GUIDELINE
Section: Information Security Revised: December 2004 Guideline: Description: Password Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect
More information