The Global Information Security Compliance Packet (GISCP): The World's most In-Depth set of professionally researched and developed information

Transcription

1 The Global Information Security Compliance Packet (GISCP): The World's most In-Depth set of professionally researched and developed information security policies, procedures, forms, checklists, templates, provisioning & hardening documents, and so much more.

2 In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company name] has established a formal policy and supporting procedures concerning the Primary Account Number (PAN) and the system used to protect it. This policy is to be implemented immediately. It will be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name] s needs and goals [Company name] will ensure that the Primary Account Number (PAN) and the system used to protect it adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures, Version 3.0): Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: o One-way hashes based on strong cryptography, (hash must be of the entire PAN) o Truncation (hashing cannot be used to replace the truncated segment of PAN) o Index tokens and pads (pads must be securely stored) o Strong cryptography with associated key-management processes and procedures. Appropriately configure, examine, and confirm system settings and all necessary configurations for system components to ensure that the PAN is rendered unreadable Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text). Appropriately configure, examine, and confirm system settings and all necessary configurations for system components to ensure that the PAN is rendered unreadable onremovable media. Appropriately configure, examine, and confirm system settings and all necessary configurations for system components to ensure that the PAN is rendered unreadable on audit logs or removed from the logs completely (a). (b). (1). user. [Company name] has developed and implemented a comprehensive program regarding the Primary Account Number (PAN) system protection, which encompasses the categories and supporting activities listed below. These policy directives will be fully enforced by [company name] for ensuring configuration standards initiatives are executed in a formal manner and on a consistent basis for all system type of Unique Identifier or other Employee ID Number Used by Organizations & Governments all Throughout the Globe General Information for Terminated User User Name and Contact Information General User Information Guest Information Company Name Street Address City State Zip Country Name of Guest User AUTHORIZATION FORM FOR USER ACCESS GUESTS Last Name First Name Middle Name Social Security Number or Internal EMPLOYEE SEPARATION FORM Have all the following applicable due diligence procedures been executed and fully completed by to granting access for the given guest user: (1). Confirmation from authorized personnel that guest user has a valid business justification & reasoning for accessing [company name] system resources. Last Name First Name Middle Name Social Security Number, Internal Employee ID Number, Type Of User (Circle one): Employee Guest Vendor Other Requirement 3.4 Over 2,500+ Pages of Professionally Developed Security Material Primary Account Number (PAN) System Protection Policy and Procedures 3.4 Overview 3.4 Policy 3.4 Procedure Item Number (a). (b). (c). (d). (2). (3). [company name] prior Yes No N/A Date of Completion: Enter Date (2). General business due diligence checks conducted on guest user. Yes No N/A Date of Completion: Enter Date (3). Reference and Background Checks conducted on specific guest user. Yes No N/A Date of Completion: Enter Date (4). Please list any other due diligence procedures that were performed: Please provide any additional comments and/or necessary information regarding the applicable due diligence procedures: Month: Day: Year: Voluntary Involuntary If user was involuntary terminated, please provide a brief overview as to the nature and reason for this: User Information Type of User: Title Job Function Telephone Expiration Date applicable) (if Department Division Office Immediate Supervisor Secondary Supervisor Responsible for Responsible for oversight of Guest User oversight of Guest User Name: Name: Please provide a general explanation and overview of why the specified Guest User is being granted access to [company ystem name] resources: List all applicable "identities" granted to guest user: Business Justification & Reasoning: Authorization and Access Rights Date of Termination Type of Termination (Circle one): Street Address City State ZIP Country (a). (b). (c). (d). Physical Office Address Where User Resided Administrative Actions (Financial and Legal) to Initiate for Terminated User Task or Action to be Performed Date Performed Determine financial amount ("wages") that are owed to terminated user, which must include any vacation, bonuses. or any other type of compensation issue that must be factored into consideration. Determine what deductions are necessary from final amount owed to terminated user. Determine if company has any obligations to terminated user regarding stock options or any other type of other securities and/or instruments. (a). (b). (c). (d). Determine if any legal actions (i.e., civil, criminal, other) are pending or are being considered against terminated (c). (d). Determine if any non-compete, confidentiality, trade secret rights are in place and enforceable, if necessary. (a). (b). General Notes and/or Comments System Name Type of Access Duties to be Performed Other Date of Request Hundreds of Pages of Provisioning & Hardening Checklists Included! Vital for HIPAA, NIST, FISMA, Safe Harbor, SOX, PCI DSS Compliance Over 200+ High Quality Information Security Templates Great Resource for all ISO Publications A Must-Have for I.T. and Compliance Auditors Includes 175 pages and PPT Slides of Security Awareness Training Material! The Global Information Security Compliance Packet (GISCP) comes complete with over information security, operational, and business specific policies, procedures, forms, checklists, templates, provisioning and hardening documents and much more consisting of over 2,500 pages of material. Hundreds of pages of essential provisioning and hardening documents for network devices (firewalls and more), operating systems (Windows, UNIX, Linux), web servers (Apache, Tomcat, IIS), databases (Oracle, MySQL, MS SQL Server, PostgreSQL), DNS, Active Directory, MS Exchange, and more. Incredibly in-depth set of information security policies and procedures for Change Management, Incident Response, SDLC, PII, Backups, Asset Inventory, Patch Management, Vulnerability Management, Access Control, Wireless Security, Encryption, Data Backup and Recovery, Virtualization, Remote Access, and all other essential security categories and domains. Developed by leading cyber security, military, computer forensic and compliance specialists from North America, Europe and other select countries, and in accordance with industry leading, globally accepted information security benchmarks, standards, frameworks, and best practices Excellent Resource for HIPAA, NIST, FISMA, Safe Harbor, SOX, PCI DSS Compliance, FERC, NERC, Banking, Financial Services, Drug & Clinical compliance, Cloud Computing, and virtually any other global and/or regional compliance, legislative and/or industry specific mandate. Comes complete with over 500 pages of PCI DSS 3.0 information security policies, procedures, forms, checklists, and template, each mapped directly to each Requirement put forth by the Payment Card Industry Data Security Standards. Includes comprehensive Security Awareness Training Program, consisting of in-depth PowerPoint (PPT) presentation, employees training manual, certificate of acknowledgement, and more.

3 Included within the GISCP Packet are the Following Sections: Firewall Policies and Procedures Firewall Provisioning and Hardening Checklists, Forms, and Templates Routers Provisioning and Hardening Checklists, Forms, and Templates Switches Provisioning and Hardening Checklists, Forms, and Templates Microsoft Windows Server Operating System Policies and Procedures Microsoft Windows Server Provisioning and Hardening Checklists, Forms, and Templates Microsoft Active Directory Services Policies and Procedures Red Hat Linux Directory Services Policies and Procedures Microsoft Active Directory Services Provisioning and Hardening Checklists,Forms, and Templates Red Had Linux Directory Services Provisioning and Hardening Checklists, Forms, and Templates Microsoft Exchange Policies and Procedures Microsoft Exchange Provisioning and Hardening Checklists, Forms, and Templates Microsoft SharePoint Policies and Procedures Microsoft SharePoint Provisioning and Hardening Checklists, Forms, and Templates Linux Operating System Policies and Procedures Linux Operation System Provisioning and Hardening Checklists, Forms, and Templates Virtualization Policies and Procedures Virtualization Provisioning and Hardening Checklists, Forms, and Templates Database Policies and Procedures Database Provisioning and Hardening Checklists, Forms, and Templates Web Server Policies and Procedures Web Server Provisioning and Hardening Checklists, Forms, and Templates All-in-One PCI Policies Packet (Policies, Procedures, Forms, and More) Security Awareness Training Documentation Risk Management Policies and Procedures Risk Assessment Template Business Continuity and Disaster Recovery Planning (BCDRP) Documentation Systems Software Development Life Cycle (SDLC) Policies and Procedures Anti-Virus and Anti-Malware Policies and Procedures

4 Included within the GISCP Packet are the Following Sections: Access Control Policies and Procedures Change Management Policies and Procedures Configuration Management Policies and Procedures Data and Information Classification Policies and Procedures Data Backup and Recovery Policies and Procedures Domain Name Service (DNS) Policies and Procedures Domain Name Service (DNS) Provisioning and Hardening Checklists, Forms, and Templates Encryption & Key Management Policies and Procedures Fraud Manual Policies and Procedures Incident Response Policies and Procedures Information Asset Inventory Policies and Procedures Information Technology Due Diligence Network Time Synchronization (NTP) Policies and Procedures OFAC Compliance Policies and Procedures Patch Management Policies and Procedures Personally Identifiable Information (PII) Policies and Procedures Protected Health Information (PHI) Policies and Procedures Physical Security and Environmental Security Policies and Procedures Remote Access Rights Policies and Procedures Removal Media Policies and Procedures Social Media Policies and Procedures Vendor Management Policies and Procedures Vulnerability Management Policies and Procedures Wireless Security Policies and Procedures Workstation Security Policies and Procedures Usage Policies and Procedures

5 Firewall Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of firewalls. Topics Covered: Planning, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Testing, Placement within Network Architecture, Firewall Configuration and Rule sets, Documented Business Needs, Review and Auditing, Access Rights, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporting topics. Frameworks Utilized: Developed in accordance with best practices derived from industry specific vendor administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Ten (10) comprehensive documents, totaling approximately 253 pages. 1. Cisco PIX Firewall Policy and Procedures 2. Cisco ASA Firewall Policy and Procedures 3. Juniper Networks NetScreen & SSG Firewall Policy and Procedures 4. Linux Iptables Firewall Policy and Procedures 5. SonicWALL Firewall Policy and Procedures 6. Fortinet FortiGate Firewall Policy and Procedures 7. Palo Alto Firewall Policy and Procedures 8. Checkpoint Firewall Policy and Procedures 9. Barracuda Web Filter Firewall Policy and Procedures 10. WatchGuard Firewall Policy and Procedures

6 Firewall Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring firewalls are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from industry specific vendor administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Thirty (30) comprehensive documents, totaling approximately 125 pages. 1. Cisco PIX Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 2. Cisco ASA Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 3. Juniper Networks NetScreen & SSG Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 4. Linux Iptables Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 5. SonicWALL Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 6. Fortinet FortiGate Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 7. Palo Alto Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 8. Checkpoint Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 9. Barracuda Web Filter Firewall Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist 10. WatchGuard Firewall 1050 and 2060 Provisioning and Hardening Checklist, Business Needs Checklist, Review and Audit Checklist

7 Routers Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring routers are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Initial Hardening, System Hardening, System Access Controls, User Account Privilege Controls, Local Security Options, and much more. Frameworks Utilized: Developed in accordance with best practices derived from industry specific vendor administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 12 pages. 1. Cisco Routers (800, 1000, 2000, 3000 Series) Provisioning and Hardening Checklist

8 Switches Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring switches are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Initial Hardening, System Hardening, System Access Controls, User Account Privilege Controls, Local Security Options, and much more. Frameworks Utilized: Developed in accordance with best practices derived from industry specific vendor administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Three (3) comprehensive documents, totaling approximately 47 pages. 1. Adtran Switch (Netvanta Series) Provisioning and Hardening Checklist 2. Cisco Switches (2900,3000,4000, Nexus Series) Provisioning and Hardening Checklist 3. Juniper Switch (SRX and EX Series) Provisioning and Hardening Checklist

9 Microsoft Windows Server Operating System Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of the Microsoft server series of operation systems. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Three (3) comprehensive documents, totaling approximately 72 pages. 1. Windows Server 2003 (Win2K3) Policy and Procedures 2. Windows Server 2008 (Win2K8) Policy and Procedures 3. Windows Server 2008 R2 (Win2K8R2) Policy and Procedures

10 Microsoft Windows Server Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Microsoft Operating Systems are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Networking Security, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Three (3) comprehensive documents, totaling approximately 51 pages. 1. Windows Server 2003 (Win2K3) Provisioning and Hardening Checklist 2. Windows Server 2008 (Win2K8) Provisioning and Hardening Checklist 3. Windows Server 2008 R2 (Win2K8R2) Provisioning and Hardening Checklist

11 Microsoft Active Directory Services Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of Microsoft Active Directory. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 22 pages. 1. Microsoft Active Directory Services Policy and Procedures

12 Red Hat Linux Directory Services Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of Red Hat Linux Directory services. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Red Hat specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 23 pages. 1. Red Hat Linux Directory Services Policy and Procedures

13 Microsoft Active Directory Services Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Microsoft Active Directory is properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Implementation, Configuration, Directory Service Integrity, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 11 pages. 1. Microsoft Active Directory Services Provisioning and Hardening Checklist

14 Red Had Linux Directory Services Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Red Hat Directory is properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Implementation, Configuration, Directory Service Integrity, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Red Hat administrator specific guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 12 pages. 1. Red Hat Linux Directory Services Provisioning and Hardening Checklist

15 Microsoft Exchange Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of Microsoft Exchange. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Two (2) comprehensive documents, totaling approximately 44 pages. 1. Microsoft Exchange Policy and Procedures 2. Microsoft Exchange 2010 Policy and Procedures

16 Microsoft Exchange Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Microsoft Exchange is properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Availability, Confidentiality, Integrity, Deployment, Configuration, Unified Messaging and Information Rights Management, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Two (2) comprehensive documents, totaling approximately 26 pages. 1. Microsoft Exchange Provisioning and Hardening Checklist 2. Microsoft Exchange 2010 Provisioning and Hardening Checklist

17 Microsoft SharePoint Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of Microsoft SharePoint. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 22 pages. 1. Microsoft SharePoint Policy and Procedures

18 Microsoft SharePoint Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Microsoft SharePoint is properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Availability, Confidentiality, Integrity, Deployment, Configuration, Unified Messaging and Information Rights Management, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Microsoft specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Two (2) comprehensive documents, totaling approximately 23 pages. 1. Microsoft SharePoint Provisioning and Hardening Checklist 2. Microsoft SharePoint 2010 Provisioning and Hardening Checklist

19 Linux Operating System Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of the various Linux operation system distributions. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Linux specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Three (3) comprehensive documents, totaling approximately 72 pages. 1. Linux Distributions Policy and Procedures 2. Red Hat Enterprise Linux (RHEL) 5 Policy and Procedures 3. Red Hat Enterprise Linux (RHEL) 6 Policy and Procedures

20 Linux Operation System Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring Linux operation systems are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Networking Security, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from Linux specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Three (3) comprehensive documents, totaling approximately 50 pages. 1. Linux Distributions Provisioning and Hardening Checklist 2. Red Hat Enterprise Linux (RHEL) 5 Provisioning and Hardening Checklist 3. Red Hat Enterprise Linux (RHEL) 6 Provisioning and Hardening Checklist

21 Virtualization Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of the various virtualization platforms currently available, such as Citrix XenServer, Microsoft Hyper-V, VMware, and Red Hat Enterprise Virtualization (RHEV). Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Hypervisor security, Guest Operating System Security, Host Operating System Security, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from virtualization specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Four (4) comprehensive documents, totaling approximately 101 pages. 1. VMware Virtualization Policy and Procedures 2. Microsoft Hyper-V Virtualization Policy and Procedures 3. Citrix XenServer Virtualization Policy and Procedures 4. Red Hat Enterprise Virtualization (RHEV) Policy and Procedures

22 Virtualization Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring various virtualization platforms are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Networking Security, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from virtualization specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US- CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Four (4) comprehensive documents, totaling approximately 51 pages. 1. VMware Vsphere 4.0 and 5.0 Virtualization Provisioning and Hardening Checklist 2. Microsoft Hyper-V Provisioning and Hardening Checklist 3. Citrix XenServer Virtualization Provisioning and Hardening Checklist 4. Red Hat Enterprise Virtualization (RHEV) 3.0 Provisioning and Hardening Checklist

23 Database Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of the various databases available for commercial use. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from database specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Seven (7) comprehensive documents, totaling approximately 173 pages. 1. Oracle 11 Database Policy and Procedures 2. MySQL 5 Database Policy and Procedures 3. Microsoft (MS) SQL Server 2005 Policy and Procedures 4. Microsoft (MS) SQL Server 2008 Database Policy and Procedures 5. Microsoft (MS) SQL Server 2008 R2 Database Policy and Procedures 6. Microsoft (MS) SQL Server 2012 Database Policy and Procedures 7. PostgreSQL Database Policy and Procedures

24 Database Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring various databases available for commercial use are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Networking Security, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from database specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Seven (7) comprehensive documents, totaling approximately 112 pages. 1. Oracle 11 Database Provisioning and Hardening Checklist 2. MySQL 5 Database Provisioning and Hardening Checklist 3. Microsoft (MS) SQL Server 2005 Provisioning and Hardening Checklist 4. Microsoft (MS) SQL Server 2008 Provisioning and Hardening Checklist 5. Microsoft (MS) SQL Server 2008 R2 Provisioning and Hardening Checklist 6. Microsoft (MS) SQL Server 2012 Provisioning and Hardening Checklist 7. PostgreSQL Provisioning and Hardening Checklist

25 Web Server Policies and Procedures Purpose: Offer documentation that encompasses, formalizes, and documents all essential policies, procedures, and processes relating to the configuration, use, and administration of the various web servers available for commercial use. Topics Covered: Data and Information Classification, Security Categorization, Physical Security, Personnel, Security Awareness Training, Provisioning and Hardening, Reference Material, Time Synchronization, Access Rights, Remote Access, Malware, Change Control Change Management, Patch Management, Backup and Storage, Encryption, Event Monitoring, Configuration and Change Monitoring, Performance and Utilization Monitoring, Logging and Reporting, Incident Response, Performance and Security Testing, Disaster Recovery, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from web server specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Four (4) comprehensive documents, totaling approximately 96 pages. 1. Apache (Version 2.2) Linux Web Server Policy and Procedures 2. Apache (Version 2.2) Windows Web Server Policy and Procedures 3. Apache Tomcat Web Server Policy and Procedures 4. Microsoft Internet Information Services (IIS) Web Server Policy and Procedures

26 Web Server Provisioning and Hardening Checklists, Forms, and Templates Purpose: Provide industry leading documentation for ensuring various databases available for commercial use are properly provisioned, hardened, secured, and locked down in accordance with best practices for ultimately ensuring their confidentiality, integrity, and availability (CIA). Topics Covered: Operating System Security, Systems Auditing, System Access Controls, User Account Privilege Controls, Networking Security, Local Security Options, and other supporing topics. Frameworks Utilized: Developed in accordance with best practices derived from database specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: Ten (10) comprehensive documents, totaling approximately 107 pages. 1. Apache (Version 2.2) Linux Web Server Provisioning and Hardening Checklist 2. Apache (Version 2.2) Linux Web Server Final Checklist 3. Apache (Version 2.2) Windows Web Server Provisioning and Hardening Checklist 4. Apache (Version 2.2) Windows Web Server Final Checklist 5. Apache Tomcat Web Server Provisioning and Hardening Checklist 6. Apache Tomcat Web Server Final Checklist 7. Apache Tomcat 5.5 to 7.0 Web Server Provisioning and Hardening Checklist 8. Apache Tomcat 5.5 to 7.0 Web Server Final Checklist 9. Microsoft Internet Information Services (IIS) Web Server Provisioning and Hardening Checklist 10. Microsoft Internet Information Services (IIS) Web Server Final Checklist

27 All-in-One PCI Policies Packet (Policies, Procedures, Forms, and More) Purpose: Provide industry leading documentation for ensuring that merchants and service providers have all necessary information security policies and procedures as mandated by the Payment Card Industry Data Security Standards (PCI DSS). Topics Covered: All material as mandated from Requirement 1 to Requirement 12 of the PCI DSS standards. Frameworks Utilized: Developed in accordance with best practices derived from database specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. Length: One (1) comprehensive document, totaling approximately 238 pages. 1. Formal Process for Testing and Approval of All Network Connections and Changes to Network Configurations 2. Current Network Diagram with All Connections to Cardholder Data, Including Wireless Networks 3. Firewall Requirements Policy and Procedures 4. Description of Groups, Roles and Responsibilities for Logical Management of Network Components 5. Documentation and Business Justification for Use of All Services, Protocols and Ports Allowed 6. All Services, Protocols and Ports Checklist 7. Requirements to Review Firewall and Router Rules Sets at least Every Six (6) Months 8. Firewall and Router Review Checklist 9. Firewall and Router Configurations Policy and Procedures 10. DMZ Configuration and Internet Access to the Cardholder Data Environment Policy and Procedures 11. DMZ Configuration Checklist 12. Personal Firewall Software Policy and Procedures 13. Changing of Vendor Supplied Default Settings Policy and Procedures 14. Changing of Vendor Supplied Default Checklist 15. Configuration Standards for All System Components Policy and Procedures 16. Configurations Standards Checklist 17. Non-Console Administrative Access Policy and Procedures 18. Inventory of System Components Matrix 19. Data Retention and Disposal Policy and Procedures 20. Sensitive Authentication Data (SAD) Storage Policy and Procedures 21. Sensitive Authentication Data Checklist for System Components

28 22. Primary Account Number (PAN) Policy and Procedures for Masking & Displaying the PAN Digits 23. Primary Account Number (PAN) System Protection Policy and Procedures 24. Disk Encryption Policy and Procedures 25. Protection of Keys used for Encryption of Cardholder Data Policy and Procedures 26. Key Management Policy and Procedures 27. Strong Cryptography and Protocols Policy and Procedures 28. Unencrypted Primary Account Numbers (PAN) Policy and Procedures 29. Anti-Virus Policy and Procedures 30. Security Patch Management Installation Policy and Procedures 31. Software Development Life Cycle Processes 32. Custom Application Code Change Reviews Policy and Procedures 33. Change Control Policy and Procedures 34. Software Development Secure Coding Guidelines and Training Policy and Procedures 35. Data Control & Access Control Policies and Procedures 36. Unique ID & Authentication Methods Policy and Procedures 37. Shared, Group, Generic, and Other Authentication Methods Policy and Procedures 38. Database Access & Configuration Settings Policy and Procedures 39. Physical Security Controls Checklist 40. Personnel and Visitor Access Checklist 41. Media Storage, Distribution and Classification Policy and Procedures 42. Media Destruction Policy and Procedures 43. Media Device Protection Policy and Procedures 44. Audit Trails Checklists 45. Time-Synchronization Technology Policy and Procedures 46. Securing of Audit Trails Policy and Procedures 47. Security Logs & Events Policy and Procedures 48. Review of Security Logs Checklist 49. Wireless Security & Access Points Policy and Procedures 50. Wireless Access Points Checklist 51. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Change Detection Software (CDS) Policy and Procedures 52. Security Monitoring & Testing Policy and Procedures 53. Risk Assessment Matrix 54. Usage Policies and Procedures 55. Information Security Responsibility Policy and Procedures 56. Formal Security Awareness Program 57. Management of Service Providers Policy and Procedures 58. Incident Response Plan

29 Security Awareness Training Documentation Purpose: Provide industry leading documentation for helping organizations put in place comprehensive security awareness & training initiatives for all employees and workforce members. Topics Covered: The Importance of Security Awareness Training, Data Security Breaches, What is Information Security?, Roles and Responsibilities, Information Security Solutions, Defense-in-Depth, Layered Security, Cyber Security, Cloud Computing, HIPAA Introduction, HITECH Introduction, HIPAA Security Awareness Training Requirements, HIPAA Security Rule, HIPAA Privacy Rule, Covered Entities, Business Associates, Final Omnibus Ruling (January, 2013), Helpful HIPAA Resources, FERPA, FACTA, Red Flags Rule, 12 PCI DSS Requirements and their Relation to Security Awareness, The Payment Card Industry Data Security Standards Council, The Importance of PCI Compliance, Cardholder Data, GLBA, Other Regulations, Security Awareness Topics, Account Security and Access Rights, Malware, Security Updates, Clean Desk Policy, Workstation Security, Laptop Security, Software Licensing and Usage, Internal Threats, Physical Security and Environmental Security, Incident Response, Personally Identifiable Information (PII), Protecting Information (Hard-Copy), Protecting Information (Electronic Format), Data Retention, Identity Theft, Online Security and Mobile Computing, Shopping Online, Securing Your Home Network, Protecting your Children Online, Security Tips for Travelling, Other Important Security Awareness Considerations and Top Internet Scams, If you see something, say something Immediately, Top 20 Security Considerations for I.T. Personnel, Security Awareness Resources Frameworks Utilized: Developed in accordance with best practices derived from database specific administrator guides, NIST SP 800 publications, FIPS publications, ISO series of standards, COBIT, US-CERT, NSA hardening documents, DIACAP, DISA STIGs, industry leading cloud computing publications, Defense-In-Depth and Layered Security best practices, along with numerous other globally recognized benchmarks, standards, frameworks, association, and publications within the broader field of information security. and Microsoft PowerPoint (PPT) Length: Training Manual: 68 Pages. PowerPoint (PPT) Presentation: 143 Slides. Policy Document: 18 Pages. 1. Comprehensive PowerPoint Slide Presentation. 2. In-Depth Security Awareness Training Manual. 3. Security Awareness Secure Coding Training Checklist. 4. Employee Tracking Sheet. 5. Certificate of Completion Template. 6. Security Awareness Training Policy and Procedures