CISM Certified Information Security Manager
- Bethanie Ward
1 CISM Certified Information Security Manager
- Firebrand Custom Designed Courseware

2 Chapter 3 Information Security Program Development and Management

3 Course Flow
[Diagram: Chapter One (Information Security Governance) directs changes to Chapter Four (Information Security Incident Management); Chapter Two (Information Risk Management) directs development of Chapter Three (Develop and Manage a Security Program); the chapters are linked by arrows labelled "Influenced by" and "Enforced by".]

4 Exam Relevance
- Ensure that the CISM candidate understands how to manage the information security program in alignment with the information security strategy
- The content area in this chapter will represent approximately 25% of the CISM examination (approximately 50 questions).
ISACA CISM Review Manual Page 140

5 Chapter 3 Learning Objectives
- Develop and maintain plans to implement an information security program that is aligned with the information security strategy
- Ensure alignment between the information security program and other business functions
- Identify internal and external resources required to execute the information security program
- Ensure the development of information security architectures
ISACA CISM Review Manual Page 140

6 Learning Objectives cont.
- Ensure the development, communication, and maintenance of standards, procedures and other documentation that support information security policies
- Design and develop a program for information security awareness, training and education
- Integrate information security requirements into contracts and third party agreements
ISACA CISM Review Manual Page 140

7 Definition
Information security program management includes:
- Directing
- Overseeing
- Monitoring
information-security-related activities in support of organizational objectives.
ISACA CISM Review Manual Page 157

8 Security Strategy and Program Relationship
- The security strategy is the long term plan for creating a security structure that will support the business goals of the organization
- The security program outlines the steps necessary to implement the security strategy
- The security program should be defined in business terms
ISACA CISM Review Manual Page 158

9 Information Security Management
Information security management is primarily concerned with:
- Ongoing, day-to-day operations of a security department
- Budget for security
- Planning
- Business case development for security projects
- Staff development and training
ISACA CISM Review Manual Page 158

10 Importance of Security Management
Achieving adequate levels of information security means:
- Implementing cost effective security solutions
- Supporting business operations
- Strategic planning and alignment between security and the business
- Compliance and reporting
ISACA CISM Review Manual Page 158

11 Definition
Information security program development is the integrated set of:
- Activities
- Projects
- Initiatives
to implement the information security strategy.
ISACA CISM Review Manual Page 158

12 Effective Security Management
Effective security management must demonstrate value to the organization:
- Compliance with policies and procedures
- Cost effectiveness
- Improved audit results
- Business process assurance
ISACA CISM Review Manual Page 158

13 Security Program Development
The elements essential to ensure successful security program design and implementation:
- A well defined and clear information security strategy
- Cooperation and support from management and stakeholders
- Effective metrics to measure program effectiveness
ISACA CISM Review Manual Page 158

14 Outcomes of Information Security Program Development
As seen in Chapter One, objectives for information security governance include:
- Strategic alignment
- Risk management
- Value delivery
- Resource management
- Assurance process integration
- Performance measurement
ISACA CISM Review Manual Page 159

15 Governance of the Security Program
- Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management
- Everyone is responsible for compliance with security requirements

16 Information Security Program Development
ISACA CISM Review Manual Page 160

17 Developing an Information Security Road Map
The CISM must consider the security program from the perspective of:
- Data
- Applications
- Systems
- Facilities
- Processes

18 Defining Security Program Objectives
Whether or not there is an existing information security program, there are some basic program components:
- Understand management's security objectives
- Develop key goal indicators (KGIs) that reflect and measure business priorities
- Ways to measure whether the program is heading in the right direction
ISACA CISM Review Manual Page 160

19 Inventory of Information Systems
Document all aspects of the information systems, including:
- System categorization
- System description, including system boundaries
- Network diagram and data flows
- Software and hardware inventory
- Users and system owners
- Business risk assessment
- System risk assessment
- Contingency plan
- System security plan
ISACA CISM Review Manual Page 161

20 Elements of a Security Program Road Map
- A vital element of the information security program is the roles and responsibilities matrix (RACI: Responsible, Accountable, Consulted, Informed)

Example RACI chart, as reconstructed from the slide (activities in rows, roles in columns):

                       CEO   CISO   CIO   VP HR
  Policy Development    I     R      A     C
  Business Continuity   I     C      R     I
  Incident Management   I     A      R     C

ISACA CISM Review Manual Page 166

21 Risk Elements of a Security Program Road Map
- An understanding of the general risk appetite of an organization, and a review to discover any gaps or determine whether the information security program is operating at acceptable levels
[Chart: Potential Loss due to Equipment Failure, comparing Current Risk Level with Acceptable Risk Level; vertical axis from 0 to 75,000]
ISACA CISM Review Manual Page 168

22 Elements of a Security Program Road Map
- Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies
[Diagram: architecture layers, from Security Context through Security Concept, Logical Architecture and Physical Architecture down to Component]
ISACA CISM Review Manual Page 173

23 Security Programs and Projects
- The overall security program will almost always consist of a series of individual projects designed to meet security objectives
[Diagram: a Security Program made up of a Policy Creation Project, a Firewall Implementation Project and Awareness Sessions]
ISACA CISM Review Manual Page 176

24 Program Objectives
Implement the objectives of the security strategy through:
- Operational controls
- Technical controls
- Administrative controls
ISACA CISM Review Manual Page 166

25 Security Program and Project Development
- A gap analysis will identify a series of projects required to implement the information security program
- Each project should have time, budget, milestones, deliverables, and measurable results
- Each project should be clearly defined and integrated with other projects and departments (HR, Finance, Physical Security)
ISACA CISM Review Manual Page 168

26 Security Program and Project Development cont.
Security projects should be prioritized so that:
- The most important projects are given priority
- Projects do not overlap or cause a delay for other projects
- Resources are appropriately allocated
- Results are documented and reported to management
ISACA CISM Review Manual Page 175

27 Security Project Planning
Determine project needs:
- Oversight / timelines
- Equipment
- Personnel (skills)
- Outsourcing or contract staff
- Infrastructure: networks, databases, facilities, etc.
ISACA CISM Review Manual Page 175

28 Selection of Controls
Controls are technical, managerial and physical tools designed to provide reasonable assurance that:
- Business objectives will be achieved
- Undesirable events will be prevented, or detected and corrected
ISACA CISM Review Manual Page 182

29 Common Control Practices
Common control practices include:
- Logical access control
- Principle of least privilege / need to know
- Compartmentalization to minimize damage
- Domains
- Segregation of duties
- Transparency

30 Security Program Elements
- Policies
- Standards
- Procedures
- Guidelines
- Outsourced security providers
- Facilities
- Environmental security
- Technologies
- Personnel security
- Organizational structure

31 Acceptable Use Policy
An acceptable use policy:
- Should provide a user-friendly summary of what should and should not be done to comply with policy
- Must detail in everyday terms the obligations of all users
- Must be communicated to all users
- Must be read and understood by all users
- Should be provided to new personnel
ISACA CISM Review Manual Page 181

32 Acceptable Use Policy cont.
Rules of use for all personnel include the policies and standards for:
- Access control
- Classification of data
- Marking and handling of documents
- Reporting requirements and disclosure constraints
- Rules regarding e-mail and Internet use
ISACA CISM Review Manual Page 181

33 Standards
- Standards ensure that systems are configured and operated in a similar manner
- Compliance with standards should be automated
- Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance
- Standards are used to implement policy
- Deviations from a standard must have formal approval
ISACA CISM Review Manual Page 193
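The Standards slide asks for three things that are easy to state and easy to get wrong in practice: compliance checking should be automated, every deviation from the standard should surface, and only deviations with formal approval should be treated as exceptions. The Go program below is an added example, not code from the Firebrand slides or the ISACA manual. It compares a baseline standard with each host's actual configuration, reports a setting that is simply missing as a deviation rather than silently passing it, and separates approved exceptions from non-compliance. The setting names, host names, values and the exception-ticket reference are constructed placeholders.

```go
package main

import (
	"fmt"
	"sort"
)

// Config maps a setting name to its value; values are compared as strings.
// A real checker would parse sshd_config, registry keys, cloud API output, etc.
type Config map[string]string

// Deviation records one mismatch between the standard and a host.
// Approved is true only when a formal exception exists for that host+setting.
type Deviation struct {
	Host, Setting, Expected, Actual string
	Approved                         bool
}

// Baseline standard (constructed, hypothetical settings and values).
var baseline = Config{
	"ssh.PasswordAuthentication": "no",
	"ssh.PermitRootLogin":        "no",
	"audit.enabled":              "yes",
	"firewall.default_inbound":   "deny",
}

// Formally approved exceptions, keyed by host then setting; the value is the
// approval reference. The ticket id is a placeholder, not a real record.
var approved = map[string]map[string]string{
	"jump-01": {"ssh.PasswordAuthentication": "EXCEPTION-TICKET-PLACEHOLDER"},
}

// CheckHost compares one host's actual configuration with the baseline and
// returns every deviation in a deterministic (sorted) order.
func CheckHost(host string, actual Config) []Deviation {
	keys := make([]string, 0, len(baseline))
	for k := range baseline {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var out []Deviation
	for _, k := range keys {
		want := baseline[k]
		got, present := actual[k]
		if !present {
			got = "<missing>" // an unset control is a deviation, not a pass
		}
		if got == want {
			continue
		}
		_, isApproved := approved[host][k] // indexing a nil inner map is safe in Go
		out = append(out, Deviation{host, k, want, got, isApproved})
	}
	return out
}

// UnapprovedCount is the number of deviations that still need remediation
// or a formal approval decision.
func UnapprovedCount(devs []Deviation) int {
	n := 0
	for _, d := range devs {
		if !d.Approved {
			n++
		}
	}
	return n
}

// Constructed sample fleet: three hosts with different states.
var fleet = map[string]Config{
	"web-01":  {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "yes", "audit.enabled": "yes", "firewall.default_inbound": "deny"},
	"jump-01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no", "audit.enabled": "yes", "firewall.default_inbound": "deny"},
	"db-01":   {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no", "firewall.default_inbound": "allow"},
}

func main() {
	for host, cfg := range fleet {
		devs := CheckHost(host, cfg)
		for _, d := range devs {
			status := "NON-COMPLIANT"
			if d.Approved {
				status = "approved exception"
			}
			fmt.Printf("%-8s %-28s expected %q, found %q: %s\n", d.Host, d.Setting, d.Expected, d.Actual, status)
		}
		fmt.Printf("%-8s unapproved deviations: %d\n", host, UnapprovedCount(devs))
	}
}
```

The report distinguishes "approved exception" from "NON-COMPLIANT" on purpose: a compliance dashboard that hides approved deviations loses the record that the control is absent, while one that counts them as failures trains people to ignore it.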
34 Procedures
- Procedures provide a defined, step-by-step method of completing a task, e.g., new user registration / user ID creation; incident management
- Allow actual activity to be reviewed for compliance with the required procedures
- Help ensure consistency of operations

35 Guidelines
- Provide recommendations for better security practices: password creation, use of social media
- Are only recommendations, not mandatory

36 Technology
- One of the most important elements of a security program
- Without the right tools, an effective security program is not feasible
- Many tools available

37 Personnel Security
- Protect staff from being harmed: duress alarms, cameras
- Having the right people:
  - Skills / education required
  - Awareness
  - Management and oversight
  - Disciplinary action when required
  - Separation of duties
ISACA CISM Review Manual Page 176

38 Training and Skills Matrix
- Determine the level of training needed by staff according to job responsibilities
- Develop a training matrix
- Perform a gap analysis

Example training matrix, as reconstructed from the slide (levels in rows, roles in columns):

              Manager     Administrator   User
  Level III   CISM        CCSP            SEC+
  Level II    SEC+        GSEC            Awareness
  Level I     Awareness   SEC+            Awareness

ISACA CISM Review Manual Page 176

39 Outsourced Security Providers
Outsourcing security and monitoring may have many benefits:
- Provide necessary expertise
- Monitor all corporate systems
- Correlate activity from several systems
- Centralized reporting
ISACA CISM Review Manual Page 195

40 Third-party Service Providers
When using a third party:
- Ensure data is stored and secured adequately in the service provider environment
- Define data destruction and data sanitization processes
- Create channels of communication and liaison with the outsourced firm
- Maintain accountability in the service provider organization for policy enforcement
- Remember that prime liability for data protection is with the organization, not with the outsourced firm
ISACA CISM Review Manual Page 195

41 Facilities
Secure operational areas:
- Server rooms
- Equipment rooms
- Administrator, developer, and operator work areas
Consider factors such as:
- Age of building (fire codes)
- Shared facility with other companies
ISACA CISM Review Manual Page 207

42 Facilities Security
Physical controls may include:
- Smart cards or access controls based on biometrics
- Security cameras
- Security guards
- Fences
- Lighting
- Locks
- Sensors
ISACA CISM Review Manual Page 207

43 Information Security Concepts
- Access control
- Identification
- Authentication
- Authorization
- Accounting / auditability
- Criticality
- Sensitivity
- Trust models
ISACA CISM Review Manual Page 162

44 Access Control
- Controlling who and what has access to the facilities, systems, people and data of the organization
- Ensuring the right people have the right level of access
- Preventing inappropriate use, modification or destruction of organizational resources
- Tracking all activity to the responsible entity
ISACA CISM Review Manual Page 162

45 Identification
- Access control starts with knowing who or what is accessing our systems, data, facilities or other resources
- Unique (trackable to the correct person/process)
- Removed when no longer required
- e.g., user IDs, customer account numbers, fingerprints
ISACA CISM Review Manual Page 162

46 Authentication
- Validating the claimed identity: is the person requesting access really who they say they are?
- Knowledge (password)
- Ownership (token, smartcard, badge)
- Characteristic (biometrics)
ISACA CISM Review Manual Page 162

47 Authorization
Granting the authenticated user the correct level of permissions needed:
- Read
- Write
- Execute
- Create
- Delete
ISACA CISM Review Manual Page 162

48 Accounting / Auditability
- Logging, monitoring and tracking of activity
- Ability to associate activity with a specific user
- Audit log: protection, review, analysis
ISACA CISM Review Manual Page 162

49 Criticality
- How much is the ability of the organization to deliver its products and services dependent on:
  - Information?
  - Information systems?
- What would the extent of the impact be on the business (quantitatively and qualitatively) if they were not available?
- This is a measure of the criticality of the resource
ISACA CISM Review Manual Page 162

50 Sensitivity
- How much is the organization dependent on the accuracy or confidentiality requirements for:
  - Information?
  - Information systems?
- This is a measure of the sensitivity of the resource
ISACA CISM Review Manual Page 162

51 Trust Models
- Multi-level security: users have different levels of trust (access)
- Domains of trust: departmentalization / compartmentalization
- Security perimeters
- Trusted links between systems
ISACA CISM Review Manual Page 162

52 Technology-based Security
Technology-based controls:
- Many technologies available
- Are used to implement controls
- Have controls built into their implementation
- Must be enabled
- Must be monitored / updated
ISACA CISM Review Manual Page 162

53 Technologies
There are numerous technologies relevant to security that the CISM should be familiar with, including:
- Firewalls
- Routers and switches
- IDS, NIDS, HIDS
- Cryptographic techniques (PKI, DES)
- Digital signatures
- Smart cards
ISACA CISM Review Manual Page 162

54 Security in Technical Components
Native control technologies:
- Security features built into equipment and applications, e.g. access control on switches and routers; error handling in applications
- Many products feature out-of-the-box security features that can be configured to protect business information systems
- Generally configured and operated by IT
ISACA CISM Review Manual Page 207

55 Security in Technical Components cont.
Supplemental control technologies:
- Security control devices added to an information system: IDS (Intrusion Detection Systems), firewalls, PKI (Public Key Infrastructure)
- Operate as a form of layered defense
ISACA CISM Review Manual Page 162

56 Security in Technical Components cont.
Management support technologies:
- Provide support for management to monitor systems and controls
- Examples include security information and event management (SIEM) tools, compliance monitoring scanners and security event analysis systems
- Are often used by information security groups independently of information technology
ISACA CISM Review Manual Page 162

57 Security in Technical Components cont.
- The effectiveness of the security technologies must be evaluated
- Use clear, repeatable metrics
- Evaluate:
  - Control placement
  - Control effectiveness
  - Control efficiency
  - Control policy
  - Control implementation
ISACA CISM Review Manual Page 162

58 Operations Security
Operational security:
- Monitoring of systems
- Maintenance of systems
- Procedures
- Change control
- Backups
- User access management
- Patch management
- Usually performed by IT administrators
ISACA CISM Review Manual Page 162

59 Technologies - Access Control Lists
Access control lists (ACLs):
- Designate levels of access accorded to users and processes
- Based on either the rights of the users or the protection levels accorded to the protected resource
ISACA CISM Review Manual Page 162
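Slides 44 to 48 (access control, identification, authentication, authorization, accounting / auditability) and slide 59 (ACLs) describe one chain of decisions, and the weak spots are usually in the joins: an identity that is not unique, a password compared after being stored in the clear, a permission check that is skipped on failure, or an audit record that is only written on success. The Go program below is an added example, not code from the slides or from ISACA, that implements the whole chain: identities are enrolled once with a salted credential hash (the password itself is never stored), a claimed identity is validated with a constant-time comparison, the ACL is consulted for the exact permission requested, and every decision, allowed or not, is appended to an audit trail that names the user. The user name, password and resource path are constructed sample values. HMAC-SHA256 with a per-user salt stands in for a purpose-built slow password hash such as bcrypt or Argon2 only because it is in the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Perm is a permission bit; the set matches the Authorization slide.
type Perm uint8

const (
	Read Perm = 1 << iota
	Write
	Execute
	Create
	Delete
)

// Credential stores only a random salt and the salted hash of the password.
// HMAC-SHA256 is used here because it is in the standard library; production
// systems should use a deliberately slow hash (bcrypt, scrypt, Argon2).
type Credential struct {
	Salt, Hash []byte
}

// AuditEntry is the accounting record: who tried what, on which resource,
// and what the outcome was.
type AuditEntry struct {
	User, Action, Resource, Outcome string
}

type Server struct {
	creds map[string]Credential      // identification: one record per unique ID
	acl   map[string]map[string]Perm // authorization: resource -> user -> permissions
	Audit []AuditEntry               // accounting: every decision is appended here
}

func NewServer() *Server {
	return &Server{creds: map[string]Credential{}, acl: map[string]map[string]Perm{}}
}

func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// Enroll creates an identity. A duplicate ID is refused so that every audit
// entry stays traceable to exactly one person or process.
func (s *Server) Enroll(user, password string) error {
	if _, exists := s.creds[user]; exists {
		return fmt.Errorf("identity %q already exists", user)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.creds[user] = Credential{Salt: salt, Hash: hashPassword(salt, password)}
	return nil
}

// Grant adds permissions for a user on a resource (the ACL entry).
func (s *Server) Grant(resource, user string, p Perm) {
	if s.acl[resource] == nil {
		s.acl[resource] = map[string]Perm{}
	}
	s.acl[resource][user] |= p
}

// Authenticate checks the "something you know" factor against the stored
// salted hash with a constant-time comparison.
func (s *Server) Authenticate(user, password string) bool {
	c, ok := s.creds[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(c.Hash, hashPassword(c.Salt, password)) == 1
}

// Access runs the whole chain: authenticate, then authorize against the ACL,
// and record the outcome either way. It returns true only when allowed.
func (s *Server) Access(user, password, resource string, want Perm) bool {
	allowed, outcome := false, "denied"
	if !s.Authenticate(user, password) {
		outcome = "auth-failed"
	} else if s.acl[resource][user]&want == want { // nil inner map reads as no rights
		allowed, outcome = true, "allowed"
	}
	s.Audit = append(s.Audit, AuditEntry{user, fmt.Sprintf("perm(%d)", want), resource, outcome})
	return allowed
}

func main() {
	s := NewServer()
	_ = s.Enroll("alice", "correct-horse") // constructed sample identity
	s.Grant("/finance/ledger", "alice", Read|Write)
	fmt.Println(s.Access("alice", "correct-horse", "/finance/ledger", Read))   // true
	fmt.Println(s.Access("alice", "correct-horse", "/finance/ledger", Delete)) // false
	fmt.Println(s.Access("alice", "wrong", "/finance/ledger", Read))           // false
	for _, e := range s.Audit {
		fmt.Printf("%+v\n", e)
	}
}
```

The audit slice is the point of the exercise: a failed authentication and a denied authorization are written in the same place and in the same shape as a success, which is what the Accounting / Auditability slide's "review" and "analysis" items need to work on.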
60 Filtering and Content Management
Data Loss Prevention (DLP):
- Scans documents, e-mails, etc. for sensitive data
- Will block unauthorized transmission of data
Web filtering:
- Scans web, e-mail, and IM traffic for inappropriate content
- Blocks mobile code, inappropriate links, cookies, etc.
ISACA CISM Review Manual Page 162

61 Technologies - E-mail
- SPAM filtering to weed out unsolicited e-mail, which:
  - May contain malicious code
  - Causes network and storage congestion
- Disables links and potentially malicious attachments
ISACA CISM Review Manual Page 162

62 Technologies - Databases and DBMS
Databases:
- Electronic storage of data
- May be accessed remotely
- Need stringent security controls: architecture, access, backup, journaling
Database Management System (DBMS):
- Manages the database (retrieves, updates, logs, organizes data)
- Ensures changes meet the rules
ISACA CISM Review Manual Page 162

63 Environmental Security
- Heating, ventilation and humidity controls
- Reliable power supplies
ISACA CISM Review Manual Page 162

64 Encryption
- Allows data to be stored, transmitted or displayed in a secure format unreadable except to authorized personnel
- Changes the format/structure of the data
- Provides:
  - Confidentiality
  - Integrity
  - Authenticity
  - Access control
  - Non-repudiation
ISACA CISM Review Manual Page 162

65 Technologies - Cryptography
Symmetric key algorithms:
- Use the same key to encrypt and decrypt a message
- Fast and excellent for confidentiality
ISACA CISM Review Manual Page 162

66 Technologies - Cryptography cont.
Asymmetric:
- Use a mathematically-related key pair:
  - Private key (only known to the key owner)
  - Public key (can be distributed freely)
- Provide:
  - Confidentiality
  - Proof of origin / non-repudiation (digital signatures)
  - Integrity
  - Access control
ISACA CISM Review Manual Page 162

67 Technologies - Encryption cont.
Protect data at various levels:
- Application layer encryption: PGP
- Session / transport layer encryption: SSH, SSL, TLS
- Network layer encryption: IPSEC
- Link layer encryption
ISACA CISM Review Manual Page 162

68 Technologies - Hashing Algorithms
- Compute a fixed length value from a message that can be used to verify message integrity
- Confirms the message has not been altered or changed, either intentionally or accidentally
- Are used in digital signatures
ISACA CISM Review Manual Page 162
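Slides 65, 66 and 68 state what symmetric keys, asymmetric key pairs and hashes are for; the added Go example below, which is not from the slides or the ISACA manual, shows the three working together so the differences are visible in code. It uses only the standard library: AES-256-GCM for shared-key confidentiality (the same key encrypts and decrypts, and a flipped ciphertext bit is rejected), SHA-256 as the fixed-length digest, and an RSA key pair where the private key signs the digest and the freely distributable public key verifies it, so that an altered message fails verification. The message text is a constructed sample and the key material is generated inside the program.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SymmetricEncrypt seals plaintext with AES-256-GCM under a shared 32-byte key.
// A fresh random nonce is generated per message and prepended to the output.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same key. GCM also
// authenticates the ciphertext, so any altered byte makes Open return an error.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Digest is the fixed-length value from the Hashing Algorithms slide: any
// change to the message, deliberate or accidental, produces a different digest.
func Digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// GenerateKeyPair produces the mathematically related pair: the private key
// stays with its owner, the public key can be handed out freely.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign creates a digital signature over the digest (not the whole message)
// with the private key: proof of origin / non-repudiation.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(msg), nil)
}

// Verify needs only the public key, the message and the signature.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(msg), sig, nil) == nil
}

func main() {
	msg := []byte("Q3 payroll export (constructed sample message)")
	key := make([]byte, 32) // shared secret, generated for this run only
	rand.Read(key)

	ct, _ := SymmetricEncrypt(key, msg)
	pt, err := SymmetricDecrypt(key, ct)
	fmt.Printf("symmetric round trip ok: %v (%q)\n", err == nil, pt)
	ct[len(ct)-1] ^= 0x01 // one bit flipped in transit
	_, err = SymmetricDecrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	priv, _ := GenerateKeyPair()
	sig, _ := Sign(priv, msg)
	fmt.Println("signature verifies:", Verify(&priv.PublicKey, msg, sig))
	altered := []byte(string(msg) + "!")
	fmt.Println("altered message verifies:", Verify(&priv.PublicKey, altered, sig))
}
```

Two design points worth noticing against the slides: the symmetric side gives integrity as well as confidentiality only because an authenticated mode (GCM) was chosen, and the signature covers the digest, which is why slide 68 says hashes "are used in digital signatures".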
69 Technologies - Operating Systems
- Provide the interface between hardware and user applications
- Manage the use of system resources
ISACA CISM Review Manual Page 162

70 Technology - Firewalls
- Regulate traffic flows between networks
- Operate at various network layers:
  - Application proxies
  - Session layer proxies
  - Network layer packet filtering
ISACA CISM Review Manual Page 162

71 Due Diligence
- Standard of due care
- Reasonable security controls are in place
ISACA CISM Review Manual Page 192

72 Policies
- Provide authority and direction for the security program from management
- High level versus functional policies
- Are interpreted by standards, procedures and baselines
- What are the characteristics of effective policies? What makes a policy effective?
ISACA CISM Review Manual Page 193

73 Compliance Monitoring
- Policy compliance
- Standards compliance
- Resolution of non-compliance
- Compliance enforcement
ISACA CISM Review Manual Page 193

74 Emerging Technologies
The CISM must be aware of emerging technologies and their impact on the information security program:
- Virtual environments
- Cloud computing
- Mobile computing
- Apple and Android apps
- VOIP
- SCADA (ICS) networks
ISACA CISM Review Manual Page 197

75 Risk Assessment
- Business impact analysis
- Vulnerability assessments
- Threat assessments
- Resource dependency assessments
ISACA CISM Review Manual Page 194

76 Intrusion Detection Policies and Processes
The CISM should understand and manage intrusion detection systems and procedures, including ensuring that:
- Personnel who run and monitor intrusion detection systems have adequate training
- Intrusion detection software and hardware runs continuously
- Intrusion detection software can be easily modified to adapt to changing environments
- Intrusion detection systems do not impose excessive overhead, especially excessive network overhead
ISACA CISM Review Manual Page 162

77 Intrusion Detection Systems
- An organization should ideally use two types of intrusion detection systems (IDSs):
  - Host-based
  - Network-based
- Sensors should be suitably placed to provide adequate coverage of the network topology
ISACA CISM Review Manual Page 162

78 IDS / IPS
Intrusion detection and prevention systems should:
- Identify and record any attempts to exploit a system by an attacker
- Adequately protect networks and systems from security breaches
- Be monitored and maintained daily
- Protect logs for use in future investigations
ISACA CISM Review Manual Page 162

79 Password Cracking
- Many tools available: software, hardware (keystroke loggers)
- Should be forbidden by policy except for extraordinary, authorized purposes
- Attack methods: brute force attacks, dictionary attacks, rainbow tables
- Countermeasures: restrict access to password files; store passwords as hashed values
ISACA CISM Review Manual Page 162

80 Vulnerability Assessments
Discover potential weaknesses or gaps in the security controls:
- Open ports or services
- Lack of training
- Improper rule-base configurations
- Poor incident handling
ISACA CISM Review Manual Page 194

81 Vulnerability Assessments cont.
A vulnerability assessment can include assessing:
- Network visibility and accessibility
- Information leakage
- Presence of unneeded software and/or utilities
- Unpatched equipment
- Application-level vulnerabilities (including databases)
- Weak security policies and standards
ISACA CISM Review Manual Page 194

82 Vulnerability Assessments cont.
Assessment tools:
- Scans
  - May indicate many false positives
  - Require analysis to determine the true level of vulnerability
- Testing (inline, integrated test facility)
- Observation
ISACA CISM Review Manual Page 194

83 Penetration Testing
- Attempt to exploit a perceived vulnerability
- Usually more focused than a vulnerability scan
- Indicates whether the vulnerability does pose a serious risk of breach
- Allows determination of potential impact
- Can be done by external or internal testing teams
- Must have prior approval
ISACA CISM Review Manual Page 194

84 Penetration Testing cont.
- Risk of system failure / interruption
- Areas to test:
  - Web applications
  - Firewalls / proxy devices
  - Operating systems
  - Applications and utilities
  - Physical access
ISACA CISM Review Manual Page 194

85 Cloud Computing (NIST)
- A model for enabling quick, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
ISACA CISM Review Manual Page 197

86 Five Essential Characteristics of Cloud
- On-demand self-service
- Broad network access
- Resource pooling
- Elasticity
- Measured service
ISACA CISM Review Manual Page 197

87 Services
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Identity as a Service (IDaaS)
- Disaster Recovery as a Service (DRaaS)
ISACA CISM Review Manual Page 198

88 Cloud Advantages
- Optimized resource utilization
- Cost savings
- Better responsiveness
- Faster cycle of innovation
- Reduced time for implementation
- Resilience
ISACA CISM Review Manual Page 199

89 Third Party Security Reviews
Advantages:
- Objective: not influenced by the "that is how we have always done it around here" excuse
- Expertise: may not be available in-house
Disadvantages:
- Need for non-disclosure agreements
- Cost

90 Security Management Considerations
- Change management
- Release management
- Configuration management
ISACA CISM Review Manual Page 202

91 Controls
- Logical access control
- Secure failure
- Least privilege
- Compartmentalization
- Segregation of duties
- Transparency
- Trust / lack of trust
ISACA CISM Review Manual Page 205

92 Measuring Control Effectiveness
- Implementation of new or enhanced controls
- Reporting
- Reassessment of risk
- Reporting to management
- Covered in detail in Chapter One
ISACA CISM Review Manual Page 213

93 Challenges in Developing an Information Security Program
- The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data
- Information security program development is not usually hampered by the technology choices available, but rather by people, process and policy issues that conflict with program objectives and see security as a hindrance to business operations
ISACA CISM Review Manual Page 216

94 Challenges in Developing an Information Security Program cont.
The challenges faced by the CISM while developing a security program may include:
- Organizational resistance due to:
  - Changes in areas of responsibility
  - A perception that increased security will impact productivity and access
  - Unfair monitoring / restrictions
- Lack of adequate budget, personnel, skills or support
- Unanticipated problems with existing controls, systems or ongoing projects
ISACA CISM Review Manual Page 216

95 Reasons for Security Program Failure
- Poorly understood requirements
- Lack of understanding about what is important and why
- Lack of funding or resources
- Lack of will to make security a priority
- Too much technical focus
ISACA CISM Review Manual Page 216

96 Organizational Structure
- Who should security report to?
- Normal reporting
- Incident reports
- Adequate:
  - Budget
  - Authority
  - Scope
ISACA CISM Review Manual Page 218
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationCyber Criminal Methods & Prevention Techniques. By
Cyber Criminal Methods & Prevention Techniques By Larry.Boettger@Berbee.com Meeting Agenda Trends Attacker Motives and Methods Areas of Concern Typical Assessment Findings ISO-17799 & NIST Typical Remediation
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationMINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationCloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com
Cloud Computing Faculty of Information Systems Duc.NHM nhmduc.wordpress.com Evaluating Cloud Security: An Information Security Framework Chapter 6 Cloud Computing Duc.NHM 2 1 Evaluating Cloud Security
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationCourse overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)
Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience
More informationNEN The Education Network
NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationSoftware Development & Education Center Security+ Certification
Software Development & Education Center Security+ Certification CompTIA Security+ Certification CompTIA Security+ certification designates knowledgeable professionals in the field of security, one of the
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationWatson Developer Cloud Security Overview
Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationKantanMT.com. Security & Infra-Structure Overview
KantanMT.com Security & Infra-Structure Overview Contents KantanMT Platform Security... 2 Customer Data Protection... 2 Application Security... 2 Physical and Environmental Security... 3 ecommerce Transactions...
More information<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy.
Exam Questions CISM Certified Information Security Manager https://www.2passeasy.com/dumps/cism/ 1.Senior management commitment and support for information security can BEST be obtained through presentations
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationتاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم
بنام خدا تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم امنیت بخشی به سیستمهای فناوری اطالعات Securing Information Systems 1 Learning Objectives Describe the business value of security and control.
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationInternet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin
Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationPosition Description IT Auditor
Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationPOLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents
POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...
More informationCompTIA Cybersecurity Analyst+
CompTIA Cybersecurity Analyst+ Course CT-04 Five days Instructor-Led, Hands-on Introduction This five-day, instructor-led course is intended for those wishing to qualify with CompTIA CSA+ Cybersecurity
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationSecurity Principles for Stratos. Part no. 667/UE/31701/004
Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED
More informationNetwork Security and Cryptography. December Sample Exam Marking Scheme
Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers
More informationCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services http://www.cloud-council.org/deliverables/cloud-customer-architecture-for-securing-workloads-on-cloud-services.htm Webinar April 19,
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationAwareness Technologies Systems Security. PHONE: (888)
Awareness Technologies Systems Security Physical Facility Specifications At Awareness Technologies, the security of our customers data is paramount. The following information from our provider Amazon Web
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationCompTIA Advanced Security Practitioner (CASP) (Exam CAS-001)
CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001) Course Outline Course Introduction Course Introduction Lesson 01 - The Enterprise Security Architecture Topic A: The Basics of Enterprise Security
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationManaging SaaS risks for cloud customers
Managing SaaS risks for cloud customers Information Security Summit 2016 September 13, 2016 Ronald Tse Founder & CEO, Ribose For every IaaS/PaaS, there are 100s of SaaS PROBLEM SaaS spending is almost
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationBaseline Information Security and Privacy Requirements for Suppliers
Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.
More informationSparta Systems TrackWise Digital Solution
Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More information