Objectives of the Security Policy Project for the University of Cyprus


1. Introduction

1.1. Objective

The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University has invited tenders for the undertaking of project activities consisting of:

- Security assessment of the University's existing environment, including an analysis of the major business processes, operating functions, organizational units and information systems (and the major risks associated with them), and a thorough evaluation of the configuration and design of the existing network and systems infrastructure and main servers.
- Development of a security strategy encompassing security organization, security policy definition and the security management process, including recommendations on the methodology to be used for maintaining the security policy in a dynamically changing environment, the related procedures, standards and controls for the effective roll-out of the policy, and the approach to enhancing security awareness among the University user population.
- Security architecture design, including a gap analysis based on the results of the current-state assessment contrasted with the defined future state, a migration plan to meet policy requirements, and further development of the organizational and technical security measures identified in the previous phase, including a risk assessment of the proposed policy and solution.
- Market research and product selection, with a cost-benefit analysis against the security architecture design and the follow-up project implementation path.

The successful tenderer is Atos Origin, and we are now in the process of negotiating the project implementation plan, the resources required and the task start/end dates.

This is an important activity, and it is expected that many members of the University of Cyprus will be asked to contribute their views and any special requirements they may have that need to be taken into consideration. Information security is of utmost importance to the University. The proposed solution will have to offer a security policy and a security architecture that evolve with the growing IT requirements of the University.

2. Project Requirements, Activities and Deliverables

2.1 Introduction

The project will be divided into four stages, as defined in the sections that follow.

2.2 Stage 1 - Security assessment of the current environment

2.2.1 Purpose

The purpose of this stage is to perform a security assessment of the current environment of the University of Cyprus, including an analysis of the major business processes, operating functions, organizational units and information systems (and the major risks associated with them), and a thorough evaluation of the configuration and design of the existing network and systems infrastructure and main servers.

In order to provide a consistent assessment that can be used to measure changes over time, Atos Origin will use the "best practices" baseline recommended in ISO/IEC 17799, the Code of Practice for Information Security Management. The Code of Practice provides a set of best practices for security processes and procedures. The security assessment will cover all the ISO/IEC 17799 areas, in particular:

- Security Policy;
- Organizational Security;
- Asset Classification and Control;
- Personnel Security;
- Physical and Environmental Security;
- Communications and Operations Management;
- Access Control;
- System Development and Maintenance;
- Business Continuity Management;
- Compliance;

as well as an assessment of the overall configuration and design of the existing network and systems infrastructure and main servers.

During the assessment, the following critical security elements must be analyzed:

- Sensitivity of information assets and threats to information assets;
- Security strategy, program and management system in place;
- Security policies, standards and procedures;
- User identity and logical access management (identification and authentication mechanisms, procedures for creating, modifying and deleting system/application accounts and profiles, and account naming conventions);
- Security administration and monitoring;
- User awareness;
- Password policy (syntax rules, expiration, password history, etc.);
- Password change and reset procedures;
- Security controls in application/system development and change processes, and their integration with the SDLC;
- Information and user classification;
- Backup media handling and management;
- Physical and environmental security;
- Host, application, network, systems and database security;
- Workstation and end-user computing security measures;
- Perimeter and remote access security;
- Business continuity and contingency planning.

Atos Origin will conduct an overall and complete (at all levels, in all dimensions) low-level security assessment of the current organizational and technical environment, including the perimeter and Internet environment and the internal network, systems and hosts, in order to identify potential vulnerabilities that would allow an unauthorized attacker to gain access to the systems or otherwise cause financial or reputational damage to the University. The University of Cyprus additionally requests Atos Origin to conduct a security vulnerability/intrusion test on its perimeter network segments, external and internal connections and related systems.

Activities

The following activities will at least be performed:

- Conduct a kick-off meeting;
- Conduct interviews with key managers and staff responsible for IT management;
- Conduct interviews with key personnel in administration and with process owners;
- Review the security management-related documentation;
- Review information technology operations and user management policies;
- Review the configuration and design of the existing network infrastructure and main systems;
- Conduct intrusion/penetration testing against the University's Internet IP addresses, using tools and manual commands designed to detect and evaluate potential vulnerabilities that would allow an unauthorized attacker to gain access to the network and systems or to data residing on network systems. The total number of IP addresses to be tested is the equivalent of 19 class C networks (19 /24 blocks, i.e. 19 x 256 = 4,864 addresses). The intrusion test tasks will at least include:
  o Gathering and analyzing publicly available information regarding the University of Cyprus and its information technology systems;
  o Performing targeted scanning of the selected IP addresses and systems to determine known vulnerabilities;
  o Performing targeted testing in an attempt to violate the University's security policy as implemented by the selected components;
  o Analyzing the reports and data generated by scanning and targeted testing to assess risks to the University of Cyprus.
- Conduct internal network and systems assessments to identify vulnerabilities and exploits associated with internal systems and with the existing security architecture and procedures;
- Analyze the findings according to the ISO/IEC 17799 standard and "best practices" and suggest actions to improve the security level;
- Prioritize and recommend actions to eliminate, or at least reduce, the vulnerabilities, focusing on quick-hit recommendations to correct problems before the security architecture implementation;
- Analyze the findings on the procedures, configuration and design of the existing network infrastructure and main systems and identify ways to improve their functionality.

Deliverables

The main deliverables of this stage will be the current-state baseline of risks resulting from valuable information assets, perceived threats and gaps in control effectiveness (Security Assessment Report), and the listing of all vulnerabilities discovered, including where each vulnerability was identified, its description, its risk status and recommendations on how to eliminate it (Vulnerability Test and Assessment Report).

The Security Assessment Report will reveal all the security gaps highlighted (summarized in specific "Risk Cards") in the University of Cyprus environment against the "best of breed" international security standards. The structure of the deliverable will be based mainly on the ISO/IEC 17799 areas. For all the vulnerabilities discovered, Atos Origin will provide the University's management staff with a set of ad-hoc recommendations to address them in such a way as to mitigate the related risks. The Security Assessment Report will at least contain the following sections:

- Executive summary;
- Report organization and overview;
- Assessment objectives;
- Overview of the ISO/IEC 17799 standard;
- Sources of information;
- Overall compliance assessment;
- ISO/IEC 17799 gap analysis scorecard;
- Highlights of major strengths and weaknesses for each area of the ISO/IEC standard (narrative);
- Tactical and strategic recommendations to address weaknesses for each area of the ISO/IEC standard (narrative);
- Recommendations regarding the introduction of AAA (authentication, authorization and accounting), covering issues such as smart cards, PKI, PGP, etc.

The Vulnerability/Intrusion Test Report will include the vulnerability-level evaluation of the network and system components analyzed and all the related recommendations to raise the security level to a best-practice situation. Specifically, the test report will include:

- Executive summary;
- Vulnerability classification that assigns each target to a specific "vulnerability class" (this value defines the level of vulnerability/exposure of each network and system component against any possible threat/attack coming from outside), in order to allow comparison over time and to prioritize the actions;
- Risk/Asset/Likelihood diagram showing the degree of security, taking the University's academic constraints into account (vulnerability level / asset value / likelihood);
- Business risk summary, including a root-cause analysis/summary;
- Detailed cards reporting the vulnerabilities, the kinds of risk deriving from them and the recommendations to minimize or eliminate them;
- Automated reports generated by the intrusion tools used during the penetration test;
- Description of the main tools used.

One paper copy and one electronic copy of the "Security Assessment" and "Vulnerability/Intrusion Test" reports must be delivered to the University Project Manager at the end of this stage, according to the agreed project plan.

2.3 Stage 2 - Security strategy, organization and policy definition

2.3.1 Purpose

The purpose of this stage is to define the desired future state of the University's information security program, build consensus for the future-state information security capabilities and obtain the University's buy-in. The information security program itself and its structure, roles and responsibilities, including integration with business functions, are examples of program policy. Issue-specific policies set the approach for addressing specific issues of concern relating to information technology security.

The University's aim is to put in place an appropriate and comprehensive set of security policies based on the ISO/IEC 17799 standard, the Code of Practice for Information Security Management. The Code of Practice provides a guideline to best practices for security processes and mechanisms. There are 10 areas in the standard containing 32 groups with 159 individual security controls. The tenderer's consultants will develop a set of policies appropriate for the level of risk the University is willing to assume, based on the requirements that will be derived from the results of the previous stage and on the University's general and strategic academic requirements and objectives.

Activities

The following activities will at least be performed:

- Conduct interviews with key staff, students, decision makers and IT personnel for policy information gathering and assistance;
- Organize and facilitate workshops during which a high-level impact assessment will be performed, general policy requirements will be discussed and the strategy will be defined;
- Discuss, modify and define the information security management structure;
- Discuss, modify and define the charter and scope of the security function;
- Discuss, modify and define the information security policy steering committee;
- Organize and facilitate workshops during which security management will collaborate with system owners and department representatives to discuss specific policy requirements in compliance with program policy;
- Discuss, modify and define the information security policy development process;
- Discuss, modify and define the policy requirements associated with current and future academic initiatives, processes and functions, using ISO/IEC 17799 as a model;
- Identify and evaluate current policies and standards;
- Map overall security policy requirements to current security policies;
- Perform a gap analysis to identify where new policies are required and where existing policies and standards are no longer valid;
- Discuss, modify and define policy format and language;
- Develop appropriate policy statements to address the gaps, or develop a new security policy using ISO/IEC 17799 as a model;
- Provide recommendations and training regarding the methodology to be used to maintain the security policy in a dynamic environment.

Deliverables

The main deliverable is the Information Security Policies document, which will contain at least:

- Policy and procedures gap analysis summary;
- A definition of information security with a clear statement of management's intentions, vision and strategy;
- A definition of the information security function's structure, roles and responsibilities;
- Program-level policies based on the concepts of availability, confidentiality and integrity;
- Security policy development and maintenance process documentation;
- Security policies and guidelines, including system-specific policies, roles and responsibilities;
- Security monitoring procedures, change management procedures, incident response procedures, security awareness and education guidelines (including virus and spam prevention and detection) and business continuity planning;
- Guidelines regarding compliance with legislative and contractual requirements.

One paper copy and one electronic copy of the "Information Security Policies" must be delivered to the University Project Manager at the end of this stage.

2.4 Stage 3 - Security architecture design

Purpose

The purpose of this stage is to design the network, system, application and information security architecture for the University of Cyprus, based on its current Intranet and Internet environment and its planned new Internet and Intranet applications and services, and according to the information security policies and guidelines defined during the previous stage. Atos Origin will use information from the previous stages to recommend a secure architecture design that is consistent with the University's academic objectives and IT capabilities. The design will include diagrams, specifications for any required software and hardware, and recommended configurations.
The recommendations may also include changes to systems management processes and procedures in line with the security management system.

Activities

The following main activities will be performed, based on the environment, strategies and policies previously identified and defined for the University:

- Define network, system, application and information requirements (including authentication, authorization, integrity and confidentiality);
- Define non-functional requirements (including performance, capacity and redundancy);
- Design the architecture model (including identity management, access control, information flow controls, network segregation and zoning, naming and IP numbering schemes/strategy, credential repository, auditing and encryption);
- Design the system monitoring and management architecture.

The main requirements and focus areas to be analyzed and addressed in terms of the security solution are the following:

- Perimeter security;
- Network security;
- Host and database security;
- Internet systems and services;
- Intranet systems and services, and messaging services;
- WWW (University) publishing services;
- Web browsing services;
- E-business services and systems;
- FTP services;
- Remote access services (including dial-in services);
- Intrusion detection system;
- Security monitoring, logging and management systems;
- Security filters and controls on the network boundaries;
- Wireless networks;
- Cryptography and encryption services (PKI, PGP, digital signatures, ...);
- Identification/authentication mechanisms for networks, applications and systems;
- User identity and logical access management (procedures for creating, modifying and deleting system/application accounts and profiles, password procedures and policy implementation);
- Security controls in application/system development and change processes;
- Backup media handling and management;
- Workstation and end-user computing security;
- Physical and environmental security;
- Business continuity and planning;
- Any other Internet or non-Internet based area.

Deliverables

The main deliverable of this stage will be the Security Architecture Design document, which will set forth the security and privacy principles that will enable the University to meet its security policy and privacy objectives as academic needs change. The Security Architecture Design document will include:

- Network, system and application requirement definition;
- Non-functional requirement definition (performance, capacity, availability, etc.);
- Conceptual security architecture, with the definition of the different "zones of control" and their common attributes;
- Component architecture, with the definition of the logical system building blocks;
- Operational model, with the definition of physical nodes and suggested topologies, specific detailed configuration specifications at both the hardware and software level, and IT support roles.
The Security Architecture Design document will be sufficiently detailed and complete to be used as the basis of the subsequent RFP to implement the defined architecture and policies. The information provided in the document will:

- Be product independent;
- Show clearly the functional requirements and the system specifications that match them;
- Point out the association between the proposed functional requirements, the system specifications and the policies they aim to address;
- Identify alternatives and clearly describe the advantages and weaknesses of the various options.

One paper copy and one electronic copy of the document must be delivered to the University Project Manager at the conclusion of this stage.

2.5 Stage 4 - Product recommendation, cost evaluation and implementation plan

Purpose

The purpose of this stage is to recommend the products that will best meet the University's security architecture needs. Atos Origin will also provide a cost evaluation and a detailed implementation plan (road map) to enable the University management to make clear decisions on the implementation phase. Atos Origin is expected to declare any association it has with any of the proposed products. Full functional and technical specifications of each product must be provided, and the analysis will be based on the security policy, the security architecture design and the recommendations made, and on the degree to which these are met by the various products and solutions proposed.

Activities

The main activities of this stage will be:

- Work with the University to detail and prioritize security requirements;
- Identify and analyze different or alternative products, solutions and tools against these requirements (including cost, cost-benefit analysis and bill of materials);
- Identify viable alternatives to fill unmet requirements;
- Document proposed changes to process flows;
- Present the analysis, findings and recommendations, including any association Atos Origin may have with the products concerned.

Deliverables

The main deliverables of this stage are:

- Market Research, Cost/Benefit Evaluation Report and Security Solutions Recommendation, which will allow the University to plan the implementation project and finalize the contents of the RFP prepared as a result of Stage 3. The report must include the sources of information; the technical and functional description of products and solutions; their cost; different or alternative products, solutions and tools evaluated against the security design requirements (including cost, cost-benefit analysis and bill of materials); a priority based on the analysis; and final recommendations based on the proposed security policy and design.
- Recommended Implementation Plan (road map), which will allow the University to plan and launch the follow-on project to implement the recommended architecture.
- Cost of ownership and maintenance of the proposed infrastructure over a period of 4 years.

One paper copy and one electronic copy of the "Security Product Recommendation and Cost Evaluation Report" and the "Implementation Plan" documents must be delivered to the University Project Manager at the end of this stage.


More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

Security Audit What Why

Security Audit What Why What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

CompTIA Security+ Study Guide (SY0-501)

CompTIA Security+ Study Guide (SY0-501) CompTIA Security+ Study Guide (SY0-501) Syllabus Session 1 At the end of this session, students will understand what risk is and the basics of what it means to have security in an organization. This includes

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15 Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific

More information

MIS5206-Section Protecting Information Assets-Exam 1

MIS5206-Section Protecting Information Assets-Exam 1 Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

WELCOME ISO/IEC 27001:2017 Information Briefing

WELCOME ISO/IEC 27001:2017 Information Briefing WELCOME ISO/IEC 27001:2017 Information Briefing Denis Ryan C.I.S.S.P NSAI Lead Auditor Running Order 1. Market survey 2. Why ISO 27001 3. Requirements of ISO 27001 4. Annex A 5. Registration process 6.

More information

ISO/IEC Information technology Security techniques Code of practice for information security management

ISO/IEC Information technology Security techniques Code of practice for information security management This is a preview - click here to buy the full publication INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

Canada Life Cyber Security Statement 2018

Canada Life Cyber Security Statement 2018 Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability

More information

ISE Canada Executive Forum and Awards

ISE Canada Executive Forum and Awards ISE Canada Executive Forum and Awards September 19, 2013 "Establishing a Cost Effective PCI DSS Compliance Program by Having a Can Do Attitude Della Shea Chief Privacy & Information Risk Officer Symcor

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005

More information

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber

More information

Practical IT Research that Drives Measurable Results OptimizeIT Strategic Planning Bundle

Practical IT Research that Drives Measurable Results OptimizeIT Strategic Planning Bundle Practical IT Research that Drives Measurable Results OptimizeIT Strategic Planning Bundle Info-Tech Research Group 1 An IT Strategy must lay out a roadmap and budget for investment to establish the systems,

More information

Security+ SY0-501 Study Guide Table of Contents

Security+ SY0-501 Study Guide Table of Contents Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Crown Jewels Risk Assessment: Cost- Effective Risk Identification

Crown Jewels Risk Assessment: Cost- Effective Risk Identification SESSION ID: GRC-W11 Crown Jewels Risk Assessment: Cost- Effective Risk Identification Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow CEO Lantego @douglandoll Information Security Risk Assessment

More information

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The

More information

Wireless e-business Security. Lothar Vigelandzoon

Wireless e-business Security. Lothar Vigelandzoon Wireless e-business Security Lothar Vigelandzoon E-business evolution Increased business drivers for cost efficiency & market penetration Increased Importance of brand reputation Distance between IT and

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 3 Information Security Program Development and Management Course Flow Chapter One Information Security Governance

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009 Leveraging ITIL to improve Business Continuity and Availability Samuel Lo MBA, MSc, CDCP, PMP, CISSP, CISA Data Centre Services Manager COL Limited Strictly Business itsmf Conference 2009 25 February 2009

More information

IT risks and controls

IT risks and controls Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

IC32E - Pre-Instructional Survey

IC32E - Pre-Instructional Survey Name: Date: 1. What is the primary function of a firewall? a. Block all internet traffic b. Detect network intrusions c. Filter network traffic d. Authenticate users 2. A system that monitors traffic into

More information

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security HISPOL 003.0 The United States House of Representatives Internet/ Intranet Security Policy CATEGORY: Telecommunications Security ISSUE DATE: February 4, 1998 REVISION DATE: August 23, 2000 The United States

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

More information

Vulnerability Management Policy

Vulnerability Management Policy Vulnerability Management Policy Document Type: Policy (PLCY) Endorsed By: Information Technology Policy Committee Date: 4/29/2011 Promulgated By: Chancellor Herzog Date: 6/16/2011 I. Introduction IT resources

More information

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results. REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is

More information

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010 Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy.

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy. Exam Questions CISM Certified Information Security Manager https://www.2passeasy.com/dumps/cism/ 1.Senior management commitment and support for information security can BEST be obtained through presentations

More information

CoreMax Consulting s Cyber Security Roadmap

CoreMax Consulting s Cyber Security Roadmap CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22301 Lead Implementer www.pecb.com The objective of the Certified ISO 22301 Lead Implementer examination is to ensure that the candidate

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security management Technologies de l'information Techniques de

More information

Annual Report on the Status of the Information Security Program

Annual Report on the Status of the Information Security Program October 2, 2014 San Bernardino County Employees Retirement Association 348 W. Hospitality Lane, Third Floor San Bernardino, CA 92415-0014 1 Table of Contents I. Executive Summary... 3 A. Overview... 3

More information

Risk Management in Electronic Banking: Concepts and Best Practices

Risk Management in Electronic Banking: Concepts and Best Practices Risk Management in Electronic Banking: Concepts and Best Practices Jayaram Kondabagil BICENTENNIAL B1CBNTENNIAL John Wiley & Sons (Asia) Pte Ltd. Contents List of Figures xiii List of Tables xv Preface

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004 Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches Bob Bradley Tizor Systems, Inc. December 2004 1 Problem Statement You re a DBA for an information asset domain consisting

More information