Maher Duessel Not for Profit Training July Agenda
Maher Duessel Not for Profit Training, July 2018

Agenda
- Review of ITGCs
- Review of IT Checklist
- Other Security Issues
- Questions
Review of General Computer Controls

ITGC: what is that?
Information Technology General Controls:
- Logical access controls
- System development lifecycle controls
- Program change management
- Data center physical and logical security
- System and data backup and recovery controls
- Computer operation controls
- ...and sometimes IT entity-level controls
Why does it matter?
- The risk-based auditing standards (SAS) specifically require ITGCs to be addressed
- ITGC weaknesses have the potential to increase the risk of material misstatement
- No opinion is provided on ITGCs
- The auditor cannot rely on IT systems or data without effective IT controls

Logical Access Controls
- Only authorized persons have access to the system(s), and they can perform only specifically authorized functions
- Segregation of incompatible duties exists within logical access (access to assets vs. access to accounting records)
- For most organizations, lack of logical access controls can result in control weaknesses that require reporting
System Development Lifecycle Controls
- Describes the process to plan, create, test, and deploy an information system
- Details include preliminary analysis, systems analysis and requirements, systems design, development, integration and testing, acceptance and installation, maintenance, evaluation, and disposal
- Generally applies to software developed in house and not necessarily to purchased software, but could apply to spreadsheets

Program Change Management
- Changes to software and spreadsheets are authorized, including upgrades, patches, and configuration changes
- Changes are tested
- Changes are approved
- Changes are monitored
- Segregation of incompatible duties exists (the person making the change shouldn't approve the change)
- Lack of proper controls in this area could result in errors and reportable control weaknesses
Data Center Physical Security
Typically in reference to the server/computer room and data storage facility:
- Access only to appropriate IT staff
- Appropriate/redundant power and cooling
- Appropriate fire prevention mechanism

System and Data Backup and Recovery Controls
- Backing up data means copying and archiving computer data so that it is accessible in case of data deletion, corruption, or ransomware
- Consider that a data backup cannot always restore all of a system's data and settings; servers may need additional forms of disaster recovery
- If you depend on being online all the time for ticket sales, registration, etc., lack of adequate backup systems could result in reportable control weaknesses
Computer Operation Controls
- System startup procedures
- Emergency procedures
- System shutdown procedures
- System and job status reporting instructions
- Instructions regarding console messages
- Copies of system flowcharts
- Maintenance of operating logs
- Logs may be necessary audit documentation that should be retained

Review of IT Checklist
IT Service Provider
1. Does the entity have an in-house IT person, or are IT services contracted? Who, or what company?
1a. If IT services are contracted, is there an agreement in place for the services to be provided, and what would happen to any data maintained or services supported by the contracted service provider if the relationship were to end? Do the contracts include cloud services? Get a SOC 2 report.
Suggested procedure: If the client has a contract for significant IT services (i.e., outsources IT functions such as security and backup), obtain a copy of the contract and review it to verify that the services outlined in this checklist are provided by the contractor. Pull the contract into the permanent file.

IT Service Provider (1. and 1a.): what is important about these questions / what are we looking for?
1. Not a specific ITGC, but provides an understanding of who is responsible for each element of the ITGCs
2. We want to make certain that the vendor has the correct understanding of the items contracted. For example, you think a vendor is updating your virus protection, but they think they were only hired to do the initial installation.
3. We want to ensure the contract allows you ongoing access to your data. Cloud services? Get a SOC 2 report.
Accounting Software
2. Major accounting (and/or billing, membership, donor-related) software used. Note that QuickBooks and Peachtree are typically not part of a complex IT environment, but most other software types are complex, and Question #11 (#12 for the Gov. Binder) at A Scoping should be answered "Yes."
3. Was this software purchased from a vendor, or created "in-house"? If "in-house," who created the software, and who has current access to the software code? (System Development and Change Controls)
4. Who determines the level of software access that a particular user will receive?

Accounting Software (2., 3. and 4.): what is important about these questions / what are we looking for?
1. A complete list of any software that is part of recording entries or completing financial statements
2. An understanding of any custom aspects of the software (including spreadsheets) you are using
3. Assurance that the right person determines who has access to each item
Accounting Software
5. Are user rights within the software documented, such as who has rights to which areas of the accounting system (e.g., A/R, A/P, GL, printing checks)?
6. Please list all employees/positions with access to the accounting software (including billing, membership, and donor software), and whether or not that access is restricted at any level: name and/or position; restriction level (full access, limited to A/R, A/P, HR, payroll functions, etc.). (Logical Access Controls)
Suggested procedure: Verify access controls by reviewing access levels on screen with the software administrator, or via a printout of access levels. Verify there are no potential segregation-of-duties issues: access to each module should be limited to the duties the person actually performs; cross-reference to the Internal Controls Narrative in the B-series. Also document user access to other financial applications that are material to the financial statements (e.g., billing software that is separate from the financial accounting software). Investigate any Administrative, Guest, or similar user accounts for propriety.

Accounting Software (5. and 6.): what is important about these questions / what are we looking for?
1. We will match the responses here to what is actually configured in the software
2. We will test for appropriate logical access controls / segregation of duties
Appropriate Access Controls
- No shared passwords or logins
- Consider an agreement if a third-party vendor has access (HIPAA?)
- Guest passwords should be temporary, used only while on site, and have appropriate limits
- IT shouldn't be able to approve accounting transactions
- Accounting shouldn't have admin-level IT access
- If admin and accounting functions must be combined in one person: keep a log that someone else reviews, and use different passwords for the accounting and admin functions (an admin can stop logging events, change passwords, and give people access)
- Same issues as in a paper system

Accounting Software
7. Is any financial reporting information (for example, Excel spreadsheets detailing fixed assets, loan information, etc.) maintained outside the accounting / accounting-related software, on the network? If so, is access to these folders/spreadsheets restricted at any level? (Logical Access Controls)
Suggested procedure (only for spreadsheets maintained outside the accounting system that have a material impact on the financial statements and where there is a risk of spreadsheet alteration by an unauthorized user): Observe where the spreadsheet is saved and verify user access. If access is not restricted, are there compensating controls in place that would detect significant alterations to the spreadsheet?
8. How is file and folder access determined on the network servers, and who defines who has access to what? Has a recent evaluation been performed of the access levels provided to various employees? (Logical Access Controls)
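The matching step for questions 5 and 6 (compare the stated access list with what the software actually grants, look for incompatible duties, and flag Admin/Guest-style accounts) can be scripted once the accounting package's user-rights report is exported. The following is an added example and is not code from the training deck or from any accounting product; the export rows, the right names and the list of incompatible pairs are constructed assumptions and would be replaced by the client's own export and the duties identified in its control narrative.

```python
"""Access-rights review: segregation-of-duties conflicts and generic accounts.

Added example (not from the training deck). The rights export below and the
conflict pairs are constructed assumptions; replace them with the client's
user-rights report and the incompatible duties from its control narrative.
"""
from collections import defaultdict

# Constructed sample of a user-rights export: (user, right) rows.
SAMPLE_RIGHTS = [
    ("jdoe", "AP_ENTRY"),
    ("jdoe", "CHECK_PRINT"),     # enters vendor invoices and prints the checks
    ("msmith", "GL_POST"),
    ("msmith", "GL_APPROVE"),    # posts and approves her own journal entries
    ("itadmin", "SYS_ADMIN"),
    ("itadmin", "GL_APPROVE"),   # IT should not approve accounting transactions
    ("controller", "GL_APPROVE"),
    ("Admin", "SYS_ADMIN"),      # generic account: who actually uses it?
    ("guest", "AR_VIEW"),
]

# Assumed incompatible pairs (access to assets vs. access to the records).
CONFLICTS = {
    frozenset({"AP_ENTRY", "CHECK_PRINT"}),
    frozenset({"GL_POST", "GL_APPROVE"}),
    frozenset({"SYS_ADMIN", "GL_APPROVE"}),
    frozenset({"SYS_ADMIN", "AP_ENTRY"}),
}
GENERIC_NAMES = {"admin", "administrator", "guest", "test", "temp"}


def rights_by_user(rows):
    """Collapse (user, right) rows into {user: set(rights)}."""
    by_user = defaultdict(set)
    for user, right in rows:
        by_user[user].add(right)
    return by_user


def sod_violations(rows):
    """Users holding both halves of an incompatible pair, as (user, (a, b))."""
    found = []
    ordered_conflicts = sorted(CONFLICTS, key=lambda p: tuple(sorted(p)))
    for user, rights in sorted(rights_by_user(rows).items()):
        for pair in ordered_conflicts:
            if pair <= rights:
                found.append((user, tuple(sorted(pair))))
    return found


def generic_accounts(rows):
    """Administrative, Guest or similar accounts whose owner is not a named person."""
    return sorted({user for user, _ in rows if user.lower() in GENERIC_NAMES})


def privileged_users(rows, privileged_right="SYS_ADMIN"):
    """Everyone holding the admin right; each name should tie to one real person."""
    return sorted(user for user, rights in rights_by_user(rows).items()
                  if privileged_right in rights)


if __name__ == "__main__":
    for user, pair in sod_violations(SAMPLE_RIGHTS):
        print(f"SoD conflict: {user} holds {pair[0]} and {pair[1]}")
    print("generic accounts to investigate:", generic_accounts(SAMPLE_RIGHTS))
    print("admin-level users:", privileged_users(SAMPLE_RIGHTS))
```

Each conflict the script reports is a candidate finding, not a conclusion: a small organization may have no choice but to let one person hold both rights, in which case the compensating control (the reviewed log the deck describes) is what gets documented in the workpaper.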
Accounting Software
9. Are logins and passwords used to access both computer terminals and the accounting software? If so, is the password sufficiently complex and required to be changed at intervals based on the assessed level of risk? (Logical Access Controls)
Suggested procedures: Observe a person without access to the accounting system attempt to log in, and observe a person with access attempt to log in with an incorrect password. If the client asserts that the accounting system automatically forces password changes periodically, observe the administrator pull up the specific setting in the system to verify that the automatic changes are taking place.
10. Who maintains the master information for all user names and passwords, both for the network and for the accounting software? (Logical Access Controls)

Accounting Software (9. and 10.)
NIST provides current guidance on best practice for passwords (SP 800-63B):
- Recommend passphrases of 16 characters
- Change passwords when there is a breach or other event
- No repeated passwords
- Lock out after a certain number of failed attempts
- Policy should be developed based on risk
- No longer a mandatory change of passwords at specific intervals
Note the tension with question 9: a system that does not force periodic changes is not by itself a deficiency under this guidance; evaluate the policy against the client's assessed risk.
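The bullets above describe a policy; the following shows what enforcing it looks like in code. This is an added example, not from the training deck or from NIST: it applies a length floor, a compromised-password screen and a username check instead of composition rules, forces a change only on a breach event rather than on the calendar, and locks an account after repeated failures inside a sliding window. The denylist, the thresholds and the sample attempts are constructed assumptions; a real deployment would compare against a full breached-password feed.

```python
"""Password policy in the NIST SP 800-63B style the deck describes: length and
a compromised-password screen instead of composition rules and calendar expiry,
plus a failed-attempt lockout. Added example, not from the deck; the denylist,
thresholds and sample attempts are constructed assumptions."""
import unicodedata
from datetime import datetime, timedelta

MIN_LENGTH = 8            # floor for user-chosen secrets in SP 800-63B
RECOMMENDED_LENGTH = 16   # the deck's passphrase recommendation (advisory only)
MAX_LENGTH = 64           # systems must accept at least this much

# Constructed stand-in for a breached/common-password feed; in practice this is
# a large list or an external lookup, compared case-insensitively.
COMPROMISED = {"password", "password1", "letmein", "welcome1", "qwerty123", "summer2018"}


def check_password(candidate, username=""):
    """Return the list of reasons to reject `candidate`; empty means accepted.

    Deliberately absent: digit/symbol composition rules and age-based expiry.
    """
    pw = unicodedata.normalize("NFKC", candidate)   # treat equivalent Unicode forms alike
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMPROMISED:
        reasons.append("appears in a compromised/common password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the user name")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    return reasons


def is_passphrase_length(candidate):
    """Advisory check against the 16-character recommendation (not a rejection)."""
    return len(candidate) >= RECOMMENDED_LENGTH


def change_required(compromised_event):
    """Force a change only on a breach or similar event, never on the calendar."""
    return bool(compromised_event)


class LockoutTracker:
    """Lock an account after `threshold` failures inside a sliding `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self._failures = {}          # user -> list of failure timestamps

    def _recent(self, user, when):
        return [t for t in self._failures.get(user, []) if when - t <= self.window]

    def record_failure(self, user, when):
        recent = self._recent(user, when)
        recent.append(when)
        self._failures[user] = recent

    def record_success(self, user):
        self._failures.pop(user, None)

    def is_locked(self, user, when):
        return len(self._recent(user, when)) >= self.threshold


if __name__ == "__main__":
    for pw in ("Summer2018", "jdoe12345", "correct horse battery staple"):
        print(pw, "->", check_password(pw, username="jdoe") or "accepted")
    tracker = LockoutTracker()
    start = datetime(2018, 7, 1, 9, 0)
    for i in range(5):
        tracker.record_failure("jdoe", start + timedelta(seconds=i))
    print("locked:", tracker.is_locked("jdoe", start + timedelta(minutes=1)))
```

The lockout window is what keeps the control from becoming a denial-of-service tool: an attacker who knows a user name can lock the account with a handful of bad guesses, so the lock expires on its own and a successful login clears the counter.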
Accounting Software
11. What approvals are required for new, changed, or terminated passwords?
12. Is there a written acceptable-use policy that users must sign (network, e-mail, Internet usage, etc.), and can it be provided for our review? Are all employees required to sign at employment, yearly, etc.? (Entity Level Controls)
13. What is the procedure for disabling and removing user accounts from the network upon termination of employment?

Disaster Contingency
14. Does a formal disaster contingency plan exist? Consider inquiring whether cybersecurity insurance has been purchased as part of the plan. (System and Data Backup and Recovery Controls)
15. Is the disaster contingency plan tested on a regular basis? If yes, how frequently? Can it be provided for review? (This is more than just doing backups.)
Disaster Contingency (14. and 15.)
Components of a disaster contingency plan:
- Communication plan and role assignments
- Plan for equipment (protect/replace)
- Data continuity system: what you need in order to operate, and the related logistics
- Backup check
- Inventory of workstations, software, scanners, etc., needed on a daily basis (might include photos)
- Vendor communication and service restoration plan

Backups
16. How often are server backups performed (daily, weekly, etc.), and who performs the backup? Is the backup file saved onsite, offsite, or online? When was the last time the backup was tested to ensure it was functioning as intended? (System and Data Backup and Recovery Controls)
17. If you use an online backup software/service, which one? Have you ever tested the service to ensure all the items that are expected to be backed up actually are being backed up? If so, when/how often?
18. What would happen to old backup versions if you stopped using the backup software/service? Can they still be downloaded/accessed? Could they be transferred to another service provider?
Backups (16., 17. and 18.)
- We want to make certain that backups of crucial data are occurring
- We want to make certain that backup files are accessible and usable when needed

Backups
19. Is there a backup solely for the accounting / accounting-related systems (other than the server backup)? Is this an onsite/offsite/online backup?
20. How are files on individual computers backed up (such as Excel spreadsheets)?
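Questions 16 and 17 ask whether the backup has been tested, and "tested" should mean restored and compared, not just "the job reported success". The following is an added example, not code from the training deck or from any backup product: it records a hash manifest of the source folder at backup time, later restores the archive into a scratch directory, checks that every manifest entry comes back byte-identical, and flags an archive older than an assumed 24-hour limit. The sample ledger files and the archive layout are constructed assumptions.

```python
"""Backup restore test: rebuild the archive in a scratch directory and compare
every file against a hash manifest taken at backup time, plus an age check.
Added example, not from the deck; the sample ledger files, archive layout and
24-hour age limit are constructed assumptions."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(src_dir):
    """{relative posix path: sha256} for every file under src_dir."""
    src_dir = Path(src_dir)
    return {p.relative_to(src_dir).as_posix(): sha256_file(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a gzip tar of src_dir with member paths relative to src_dir."""
    src_dir = Path(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src_dir).as_posix())


def verify_restore(archive_path, manifest, max_age_hours=24, now=None):
    """Return (ok, problems). A backup that cannot be restored and matched
    against the manifest is no backup at all."""
    now = time.time() if now is None else now
    problems = []
    age_hours = (now - os.path.getmtime(archive_path)) / 3600
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f} h old (limit {max_age_hours} h)")
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive_path)) as tar:
        # Refuse members that would escape the scratch directory before extracting.
        unsafe = [m.name for m in tar.getmembers()
                  if m.name.startswith("/") or ".." in Path(m.name).parts]
        if unsafe:
            problems.append(f"unsafe member paths, not extracted: {unsafe}")
            return False, problems
        if hasattr(tarfile, "data_filter"):
            tar.extractall(scratch, filter="data")   # Python 3.12+ and backports
        else:
            tar.extractall(scratch)
        for rel, expected in sorted(manifest.items()):
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing from backup: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up a constructed accounting folder, verify it, then show what the
    restore test catches when a file was added after the job ran."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "accounting"
        (src / "spreadsheets").mkdir(parents=True)
        (src / "gl_export.csv").write_text("date,account,amount\n2018-06-30,1000,125.00\n")
        (src / "spreadsheets" / "fixed_assets.csv").write_text("asset,cost\nserver,4200\n")
        manifest = make_manifest(src)
        archive = Path(work) / "accounting.tar.gz"
        create_backup(src, archive)
        good, good_problems = verify_restore(archive, manifest)
        (src / "loans.csv").write_text("lender,balance\nbank,50000\n")   # created after the backup
        later_ok, later_problems = verify_restore(archive, make_manifest(src))
        return good, good_problems, later_ok, later_problems


if __name__ == "__main__":
    print(demo())
```

The second verification in `demo()` is the check question 17 asks for: a manifest taken from the live folder against the last archive shows exactly which files the backup job is not covering. Run against the real archive on a schedule and keep the output, since it is the evidence that the backup was tested.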
Security
21. Describe the physical security of the data center (i.e., server/server room), including how access is gained (physical key, fob, door code, etc.), and who determines access. Is there a procedure in place in the event a key is lost, or if a code is used? (Data Center Physical Security)
22. Are anti-malware systems (Norton, McAfee, etc.) in place? How is the software updated, and how often? Who handles any issues that arise? (Data Center Logical Access Controls and Computer Operation Controls: virus protection)
23. Are controls over perimeter and network security in place? Such controls may include firewalls, routers, terminal service devices, wireless security, intrusion detection, vulnerability assessments, and encryption of data where appropriate. (Data Center Logical Access)

Perimeter Security
- What resources need to be protected? Servers, workstations, websites; credit cards, PII, HIPAA data, financial data
- Who are you protecting them against? Outside attackers (servers/website); inside attackers
- What are your business needs? Cost; is the website needed for daily transactions?
Perimeter

Security Basics
- Firewall: a physical device or set of related programs located at a network gateway server that protects the resources of the network from outside users (the strainer). Needs to be properly configured and password protected.
- Router: a networking device that forwards data packets between computer networks (the traffic cop). Needs to be properly configured with appropriate password protection.
- Terminal service devices: a hardware device or server that provides terminals (PCs, printers) with a common connection point to a network.
Current News
In May 2018, the FBI made an urgent request that anyone using an internet router turn it off and back on again. The FBI was attempting to thwart a sophisticated malware system linked to Russia (publicly reported as VPNFilter). A reboot only disrupts the malware temporarily; the same advisory also recommended updating router firmware, changing default credentials, and disabling remote management.

Other Security Issues
- Intrusion detection
- Intrusion prevention
- Vulnerability assessments: identifying, quantifying, and prioritizing system vulnerabilities
- Penetration testing: trying to exploit any weaknesses (hacking in)
- These items are important, especially if you rely on a website and/or internet sales
Other Security Issues
- Wireless (WiFi) security: are you using encryption and authentication? Do you have guest WiFi and, if so, which systems can it reach?
- Cell phones: what if a cell phone is lost?
- iPads: what if an iPad is lost? Privacy issues?
- Remote access: VPN (virtual private network), secure encrypted access to an organization's network via the internet

Other Security Issues
- Encryption: do you have PII or HIPAA data?
- Policy: do you have an employee policy regarding data?
- Training: do you train your staff about the risks of clicking on e-mails and downloading items?
- Phishing attempts: do you run phishing exercises in-house to determine compliance with policies?
Evaluation
Note that a "NO" answer above does not necessarily mean a comment needs to be carried to A-09 as a potential ML (management letter) comment, or to A-08-6 as a risk. It is important that the answers to all of the above questions be evaluated in the aggregate, along with activity controls at the other B narratives. A client could have four "NO" answers above, but all of these could be mitigated by controls noted at the other B narratives; if this is the case, it is recommended that the reasoning be documented at this workpaper. A different client could have a single "NO" answer above, but due to a lack of other controls, that single "NO" answer would be significant in evaluating internal controls.

Conclusion (select one):
- IT controls are deemed adequate based upon the size and nature of the client.
- IT controls have deficiencies as noted above, carried to A-09. However, these items are considered advisory in nature and are not deemed to be major deficiencies of the system.
- IT controls have deficiencies as noted above, carried to A-09. These items are considered to be deficiencies within the system, have been carried to the A workpaper as a risk, and will be responded to at that workpaper.

Questions? Contact me:
Lisa Ritter, CPA, CFE, CITP
3003 North Front Street, Suite 101, Harrisburg, PA
Lritter@md-cpas.com
Maher Duessel offices: Pittsburgh, Harrisburg, Butler, State College, Erie, Lancaster
SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE SECURE AIRBORNE CONNECTIVITY: OVERVIEW Gogo Business Aviation realizes the ever-pressing need to be vigilant in staying ahead of potential
More informationCTS performs nightly backups of the Church360 production databases and retains these backups for one month.
Church360 is a cloud-based application software suite from Concordia Technology Solutions (CTS) that is used by churches of all sizes to manage their membership data, website, and financial information.
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationAltius IT Policy Collection
Altius IT Policy Collection Complete set of cyber and network security policies Over 100 Policies, Plans, and Forms Fully customizable - fully customizable IT security policies in Microsoft Word No software
More informationNetwork Performance, Security and Reliability Assessment
Network Performance, Security and Reliability Assessment Presented to: CLIENT NAME OMITTED Drafted by: Verteks Consulting, Inc. 2102 SW 20 th Place, Suite 602 Ocala, Fl 34474 352-401-0909 ASSESSMENT SCORECARD
More informationGramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationAuditing IT General Controls
Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program
More informationExam : Title : ASAM Advanced Security for Account Managers Exam. Version : Demo
Exam : 646-578 Title : ASAM Advanced Security for Account Managers Exam Version : Demo 1. When do you align customer business requirements with the needed solution functionality? A. when preparing for
More informationSample Security Risk Analysis ASP Meaningful Use Core Set Measure 15
Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice
More informationDisaster Recovery Self-Audit
Disaster Recovery Self-Audit Disaster Recovery Audit There are 3 steps to this process: 1. Identify all data and IT-related functions (like credit card processing, documents on your file server, member
More informationIntroduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?
Introduction Controlling Information Systems When computer systems fail to work as required, firms that depend heavily on them experience a serious loss of business function. M7011 Peter Lo 2005 1 M7011
More informationQuestions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP
Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP 1. If we cannot attend the September 27 pre-bid meeting in-person, will there be conference call capability
More informationNIST Cybersecurity Framework Protect / Maintenance and Protective Technology
NIST Cybersecurity Framework Protect / Maintenance and Protective Technology Presenter Charles Ritchie CISSP, CISA, CISM, GSEC, GCED, GSNA, +6 Information Security Officer IT experience spanning two centuries
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More informationJudiciary Judicial Information Systems
Audit Report Judiciary Judicial Information Systems August 2016 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY For further information concerning this report
More informationHIPAA RISK ADVISOR SAMPLE REPORT
HIPAA RISK ADVISOR SAMPLE REPORT HIPAA Security Analysis Report The most tangible part of any annual security risk assessment is the final report of findings and recommendations. It s important to have
More informationSERVICE DESCRIPTION MANAGED BACKUP & RECOVERY
Contents Service Overview.... 3 Key Features... 3 Implementation... 4 Validation... 4 Implementation Process.... 4 Internal Kick-Off... 4 Customer Kick-Off... 5 Provisioning & Testing.... 5 Billing....
More informationIT SECURITY FOR NONPROFITS
IT SECURITY FOR NONPROFITS COMMUNITY IT INNOVATORS PLAYBOOK April 2016 Community IT Innovators 1101 14th Street NW, Suite 830 Washington, DC 20005 The challenge for a nonprofit organization is to develop
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR
More informationOUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE
CONTENTS 1 ABOUT THIS PART... 2 2 GENERAL... 2 3 CLOUD INFRASTRUCTURE (FORMERLY UTILITY HOSTING)... 2 4 TAILORED INFRASTRUCTURE (FORMERLY DEDICATED HOSTING)... 3 5 COMPUTE... 3 6 BACKUP & RECOVERY... 8
More informationTake Risks in Life, Not with Your Security
Take Risks in Life, Not with Your Security Redefining Cybersecurity Why We re Here agio.com Agenda The Problem(s): Threat Landscape Current Threat Landscape People are the Problem Protect Yourself Solutions
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationRAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures
RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8
More information2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager
2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager NIST Cybersecurity Framework (CSF) Executive Order 13636 Improving Critical Infrastructure Cybersecurity tasked the National
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More information