Follow-up to Information Technology Security Audit
July 2004

Report Clearance Steps
Follow-up process initiated: September 2003
Report completed: March 2004
Follow-up report approved by Departmental Audit and Evaluation Committee: July 22, 2004

Acronyms used in the report
AEB: Audit and Evaluation Branch
DAEC: Departmental Audit and Evaluation Committee
EC: Environment Canada
IM: Information Management
IT: Information Technology
NCR: National Capital Region
New Follow-up Process

As of the May 23, 2003, meeting of the Departmental Audit and Evaluation Committee (DAEC), a new approach to follow-ups is being taken. While the practice in the past had been for the Audit and Evaluation Branch (AEB) to conduct them, it is now the responsibility of the relevant program managers to conduct follow-ups to recommendations resulting from audits or evaluations of their own programs. This information is provided in table format in Appendix 1 of this report. The information provided by program managers has been reviewed by the AEB and a brief context is provided below.

Context

This follow-up to the Information Technology Security Audit completed in the Spring of 2001 is being done to determine the adequacy, effectiveness and timeliness of management action taken to implement the recommendations and management-proposed actions made in the initial Review. Follow-ups are important, as they give senior management a crucial indicator of the implementation rate of recommendations and of the adjustments made in relation to the management responses.

The Treasury Board Secretariat requires departments to audit their Information Technology Security. At the time the initial audit was to be conducted, the department was also to embark on the development of an IM/IT Strategy and had to assess the level of its IT security. Therefore, the Audit took a broader approach that included several areas of IT security: organization and administration of IT security, personnel security, physical security, hardware and software, communications security and operations security. Furthermore, EC has a Government-wide Mission Critical level A system for the Meteorological Services of Canada requiring 24-hour/7-day operations.

The initial audit concluded that EC has a well managed IT Security system, as demonstrated by the Y2K preparedness exercise, the 1998 ice storm and the ILOVEYOU virus. It was also found that the MSC maintains high value information and the department generally uses many best practices. However, it was also indicated that as the level of awareness of IT management improves, there will be an increased need for training. The report also found that those involved in the development of secret or sensitive documents did not have secure tools to conduct department-wide consultations, and the Government On-Line initiative will add higher demands on the system. The Report made five recommendations to address areas of concern. IM/IT Management agreed with the recommendations and provided responses including a plan of action.

Current Status

Recommendations made in the initial audit and responses from IM/IT management are provided in Appendix 1. Also included in the Appendix are measures taken or planned to address the proposed actions. The follow-up audit has concluded that program managers have implemented or are implementing all proposed actions. Based on the recommendations made in the initial audit and the management response in Appendix 1, AEB has not identified any unacceptable risks.

Future Actions

Since all agreed actions have been implemented, AEB recommends that no further action is required.
Appendix 1

FOLLOW-UP AUDIT OF INFORMATION TECHNOLOGY SECURITY - TABLE OF RECOMMENDATIONS

Prepared by the Director General, Information Management and Technology Services, Human Resources and Service Innovations, as of October 23, 2003.

Note: this document contains references to the Systems and Informatics Directorate (SID). SID was integrated into the Information Management and Information Technology Directorate (IM-ITD) in June . IM-ITD is now responsible for the implementation of the recommendations contained in this follow-up audit.

PROGRAM RESPONSE: FOLLOW-UP TO AUDIT OF INFORMATION TECHNOLOGY SECURITY
RECOMMENDATION 1: MANAGEMENT
Status: Addressed

Initial context and recommendation:
The Department has in place the decision-making infrastructure, namely the business tables and ITAC, to improve the management and administration of Information Technology Security as well as to ensure consistency in policy and procedures application and monitoring across the Department. The business tables are the key decision points of the Department and ITAC is composed of the most senior informatics advisors, experts and managers. However, ITAC is not currently aligned with reporting to the Management, Administration and Policy (MAP) table. Given that CMC/MSC plays an important role in the network's structure, a realignment of its role on ITAC should be considered. The adjustment of the reporting relationship has already been noted in the Review of Office Technology conducted by the Review Branch in .

It is recommended that the ADM of Corporate Services, in consultation with the ADM of MSC, review the role of ITAC. This review should include:
1. a revised mandate for the committee and its subcommittees;
2. a change in the reporting relationship of the committee; and
3. an examination of membership and roles to ensure all stakeholders are appropriately represented.
This recommendation should be implemented in  with minimal costs.

Initial management response:
AGREE. SID is working with representatives from the Services/Regions in evaluating the role of all groups reporting to the e-government Integration Committee (EGIC). ITAC is being addressed as part of this exercise. We recognize the importance of having all players involved in Information Technology Security and all program/table interests addressed through this exercise. The resulting realignment of roles and reporting relationships will, hopefully, allow us to address the concerns that you have identified in this area.
Timeline: June 2001
Proposed Action: Complete EGIC Review of Reporting Sub-Committees, under responsibility of DG/SID.

Actions taken to date:
EGIC review of committees was initiated and the membership, role and responsibilities of ITAC were included. Before the renewed ITAC could be put in place, the roles of EGIC and MAP were reviewed as well. This is now completed and a revised ITAC can now be implemented.

Action plan:
Two committees will be put in place. The first one will deal with Information Technology (IT) and the second with Information Management (IM). Governance processes for the committees are under development. Implementation is expected before the end of FY 03/04. The committees' mandate will be closely integrated with the revised EGIC and MAP committee to ensure synergy and maximized program participation. A Memorandum of Understanding and/or Service Level Agreement will be developed between MAP and MSC for the management of the departmental network. These will include the management of Information Technology Security.
RECOMMENDATION 2: MANAGEMENT
Status: Addressed

Initial context and recommendation:
Although roles and responsibilities between SID and MSC are defined and being updated, the dispersion of responsibilities across the Department has led to fragmentation in the management and administration of Information Technology Security across the Department, and as a result departmental policies and procedures are inconsistently applied. A review and redefinition of roles and detailed responsibilities would be beneficial to increase policy compliance and improve efficiency. The accountability structure between the following positions and organizations should be included in this review: Information Technology Security in Headquarters and the Regions; business lines within Headquarters, SID and the Regions; the Government On-Line secretariat; and SID and the Departmental Security Officer (DSO). It was found that some programs or regions employ excellent practices while others partially meet policy requirements. If all the best practices currently employed in parts of the department (outlined in Annex 2) were to become universal, there would be much progress in improving Information Technology Security as well as increased departmental compliance with TB Policy.

It is recommended that the DG of SID undertake to strengthen the management framework for Information Technology Security in the department. This would include:
1. greater clarification of roles and responsibilities of Information Technology Security;
2. improved coordination and consistency in policy application and procedures; and
3. enhanced Information Technology Security planning and reporting.
This recommendation should be implemented in  with minimal costs.

Initial management response:
AGREE. SID has, as part of the IM/IT Strategy development process, been examining the roles and responsibilities relating to the Information Technology Security management framework. We recognize that there are numerous shortcomings relating to functional and operational activities in this domain and have requested and will be receiving funding through Program Integrity II to address them. However, this supplementary funding is only available for the next two years.
Timeline: March 2002
Proposed Action: We will take steps to clarify roles, improve policy application consistency and improve Information Technology Security planning/reporting. Specific actions will include: 1) strengthening the Information Technology Security team by creating more positions to support the program in the NCR; 2) developing/updating departmental guidelines/policies in the role of national Information Technology Security Coordinator; and 3) acquiring tools to maintain operations. Actions will be under the responsibility of DG/SID.

Actions taken to date:
1) Two positions were staffed in the NCR and funded through program integrity to the end of .
2) Incident response procedures were developed for the IT security coordinators. A process was put in place to distribute information on required software patches to guard against the rapidly growing virus threats.
3) Internet monitoring tools and tools to automatically update the desktop virus scan software were purchased. Additional support was added to existing contracts for antivirus software, giving IT security coordinators an additional mechanism for obtaining assistance.
Funding for  was received for IT security. This will be used to fund the positions in the NCR and regions and the purchase of the ongoing software licences.

Action plan:
Ongoing funding is required for the NCR and regional IT security officer positions and the ongoing software licences. Licence costs have increased with the increase in virus threats. A proposal for funding for IT security will be included in the long term IM/IT funding plan. Since these recommendations were made, the number, complexity and severity of virus attacks and hacking has increased dramatically and substantial amounts of time are being spent in this area across the country. Additional security measures and a redesigned IT infrastructure will be implemented over the next 4-6 months to protect EC's critical infrastructure.
RECOMMENDATION 3: COMMUNICATION AND TRAINING
Status: Addressed

Initial context and recommendation:
Within the Department, one key to achieving good Information Technology Security practices is the user community. With the exception of a few select areas, user awareness was identified as a key factor in improving Information Technology Security. Users tend to have little or no Information Technology Security training, and awareness about potential threats is also generally low. In addition, the existing policies and procedures have, in many instances, a low impact on the user community. This is mainly due to the lack of a communication/marketing strategy for Information Technology Security. A comprehensive Department-wide IT awareness program tied to a communication/marketing strategy should include the following attributes: one website with all Information Technology Security policies and procedures; improved information packaging and messaging to increase the impact on users and ensure a consistent message across the Department (e.g., periodic refreshers; regular updates to cover new technology done in conjunction with other training; and the potential for a computer-based module or on-line training); and mandatory training for all employees (e.g., a specialized package for visiting scientists/students; an orientation session). Any actions should be linked to the development of the existing commitment for the DSO launch of a department-wide security awareness program at EC. Given the wide range of responsibilities, it would be prudent that all appropriate parties be consulted in the preparation stages.

It is recommended that the DG of SID, in consultation with the Director of Informatics at MSC, the DG, HR and the Departmental Security Office (DSO), develop an Information Technology Security awareness/communication/marketing strategy. This recommendation should be implemented in ; the cost should be assessed by the SID DG, including the DSO.

Initial management response:
AGREE. We are very supportive of an Information Technology Security awareness campaign. We have, to date, taken some limited measures (regular notices to staff, special messages when particularly notable threats have been identified, etc.) and ITAC has asked that we do more. We will be promulgating more substantive products on this in the coming months.
Timeline: March 2002
Proposed Action: We will be taking steps to improve information packaging and messaging to improve impact and prepare training material for delivery to staff on an as-and-when required basis. National and Regional Information Technology Security Coordinators are assembling a communications plan to inform users on the role of Information Technology Security and why certain measures are necessary to secure the network infrastructure. This plan will combine NCR and Regional office activities to increase national consistency. Actions will be under the responsibility of DG/SID.

Actions taken to date:
Improved security information is available on the IM-IT Central web site and on the HR Orientation web site. Regular messages are sent to staff informing them of virus threats. A brochure on security was created and distributed during security awareness week. A poster campaign was conducted in FY 03/04 to ensure continued attention to Information Technology Security.

Action plan:
The Use of Networks Policy has recently been approved by MAP, and a communications plan for the policy will include: a log-on screen, brochures, posters, Qs and As, and roles and responsibilities for implementation. As part of the ITAC communications plan, improved communications materials for IT security will continue to be developed.
RECOMMENDATION 4: TOOLS
Status: Addressed

Initial context and recommendation:
Monitoring is required in order to ensure processes and procedures are adhered to and implemented consistently on a departmental level, in order to facilitate the detection of Information Technology Security breaches. To achieve an increased degree of assurance, stronger monitoring is required in the following areas: Information Technology Security logs; and built-in mechanisms related to the implementation of policies and procedures, such as sign-off sheets for Threat and Risk Assessments. The need for external audits (RCMP) should be assessed by ITAC and the decision made at the MAP table.

It is recommended that the DG of SID, in consultation with ITAC members, review options to implement appropriate software to monitor Information Technology Security logs on a departmental level. This assessment should be conducted every two years, starting in , thus giving sufficient time to implement the recommendations of this audit. The costs should be evaluated by the DG of SID.

Initial management response:
AGREE. This recommendation has raised some technical issues that we will be addressing with regional and service IT staff (required hardware, software, technical skills, personnel required, etc.) in the coming weeks. We will provide further feedback following our discussions with these groups.
Timeline: June 2001
Proposed Action: Review recommendation with technical staff and provide a formal response to Review Branch under direction of DG/SID.

Actions taken to date:
Funding for IT security for  was obtained and is being used to improve the staffing levels and training in the NCR and regions. Monitoring and logging procedures were reviewed and enhanced. Active monitoring of the network is performed on an on-going basis, in addition to log monitoring. Software was acquired to enhance monitoring capacity.

Action plan:
Software is being acquired to improve Information Technology Security capacity. Long term funding is required in order to train and staff positions at the necessary levels, acquire software and implement new processes. This will be included in the IM-IT long term plan.
RECOMMENDATION 5: TOOLS
Status: Addressed

Initial context and recommendation:
The Department lacks efficient and effective digital tools for handling sensitive information. Personnel handling sensitive information may not be aware of the alternate communications methods available and may not have adequate information to make an informed decision when electronically transmitting sensitive information. Additionally, alternate communication tools, such as secure fax machines, have only recently been made operational. This has led to a situation where sensitive information is not consistently transmitted in a secure manner. Staff need secure and efficient tools to consult their colleagues across the Department rapidly and meet the short deadlines of senior management. Staff should have tools that allow them to communicate sensitive information as efficiently as they do with regular documents. The pilot project to implement secure messaging by 2001 using PKI is certainly one step towards a longer term solution. However, steps towards improved security by examining OGDs, as well as educating users on risk avoidance options, may, in the shorter term, result in tangible improvements.

It is recommended that the DG of SID, in consultation with the Director of Informatics at MSC and the Departmental Security Office, identify and make available improved electronic tools to facilitate the transmission of secure communication. This recommendation should be implemented in ; the cost should be assessed by the DG, SID and the DSO.

Initial management response:
AGREE. We are presently involved in planning for a secure messaging pilot. As you may be aware, the government-wide efforts in this area will only allow for transmission of documents up to the Secure B level. The results from our pilot should provide us with a better understanding of the relative costs and benefits of implementing the tools and processes needed to transmit at the B level.
Timeline: September 2001
Proposed Action: SID to work with regions on a pilot project to exchange encrypted and/or digitally signed messages up to Protected B level. Other decisions with respect to feasibility/implementation to follow. Actions will be under the responsibility of DG/SID.

Actions taken to date:
The pilot of PKI was successfully completed. Implementation is on hold pending the identification of EC business requirements and the related funding for the initiative.

Action plan:
The TBS initiative for the electronic transmission of secret information was cancelled, and no mechanism other than the secure fax machines has been approved for secret information in the short term. Required funding for PKI implementation will be included in the IM-IT long term plan once departmental needs are identified. Requirements for secure communications for program-related applications should be included in the development and ongoing funding for those initiatives, as these requirements have not been included in the IM-IT long term plan.
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationDefensible Security DefSec 101
Defensible Security DefSec 101 Security Day November 2017 Information Security Branch Paul Falohun Senior Security Analyst Dan Lathigee Senior Project Manager Content 1 Introduction 2 DefSec for PSO 3
More informationExam Requirements v4.1
COBIT Foundation Exam Exam Requirements v4.1 The purpose of this document is to provide information to those interested in participating in the COBIT Foundation Exam. The document provides information
More informationCompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]
s@lm@n CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ] Topic break down Topic No. of Questions Topic 1: Volume A 117 Topic 2: Volume B 122 Topic
More informationPolicy. Business Resilience MB2010.P.119
MB.P.119 Business Resilience Policy This policy been prepared by the Bi-Cameral Business Risk and Resilience Group and endorsed by the Management Boards of both Houses. It is effective from December to
More informationIT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive
IT Governance ISO/IEC 27001:2013 ISMS Implementation Service description Protect Comply Thrive 100% guaranteed ISO 27001 certification with the global experts With the IT Governance ISO 27001 Implementation
More informationREAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY
SEPTEMBER 11 13, 2017 BOSTON, MA REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY HealthcareSecurityForum.com/Boston/2017 #HITsecurity Brian Selfridge Partner, Meditology Services https://www.meditologyservices.com/
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationRCMP Support / Bylaw Services Department
RCMP Support / Bylaw Services Department business plan 2012-2014 TABLE OF CONTENTS 1. Our Services 1.1 Our Mandate 1.2 Lines of Business 2. Accomplishments 3. Implementing Sustainability 3.1 Strategy 1
More informationINTERNAL AUDIT DIVISION REPORT 2017/151. Audit of business continuity in the United Nations Interim Force in Lebanon
INTERNAL AUDIT DIVISION REPORT 2017/151 Audit of business continuity in the United Nations Interim Force in Lebanon The Mission needed to develop and implement a mission-wide business continuity plan,
More informationChapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017
Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017 Copyright 2017 International Finance Corporation. All rights reserved. The material in this publication is copyrighted by International
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationCritical Cyber Asset Identification Security Management Controls
Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.
More informationPosition Description. Engagement Manager UNCLASSIFIED. Outreach & Engagement Information Assurance and Cyber Security Directorate.
Position Description Engagement Manager Business unit: Position purpose: Direct reports: Directorate overview: Business Unit Overview Remuneration indicator: Outreach & Engagement Information Assurance
More informationThe Smart Campaign: Introducing Certification
The Smart Campaign: Introducing Certification Elisabeth Rhyne, Managing Director Center for Financial Inclusion at ACCION Responsible Finance Forum Washington, DC April, 2012 Introducing The Smart Campaign
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015
Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently
More informationAvanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationPhysical Security Reliability Standard Implementation
Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,
More informationBusiness Continuity Management Standards A Side-by-Side Comparison
Business Continuity Standards A Side-by-Side Comparison By Brian Zawada (CBCP) & Jared Schwartz (CBCP) Whether your organization has begun a grassroots initiative to develop a business continuity plan
More informationThe IDN Variant TLD Program: Updated Program Plan 23 August 2012
The IDN Variant TLD Program: Updated Program Plan 23 August 2012 Table of Contents Project Background... 2 The IDN Variant TLD Program... 2 Revised Program Plan, Projects and Timeline:... 3 Communication
More informationClient Services Procedure Manual
Procedure: 85.00 Subject: Administration and Promotion of the Health and Safety Learning Series The Health and Safety Learning Series is a program designed and delivered by staff at WorkplaceNL to increase
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationInternational Atomic Energy Agency Meeting the Challenge of the Safety- Security Interface
Meeting the Challenge of the Safety- Security Interface Rhonda Evans Senior Nuclear Security Officer, Division of Nuclear Security Department of Nuclear Safety and Security Outline Introduction Understanding
More informationCybersecurity: Incident Response Short
Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability
More informationResponse to Wood Buffalo Wildfire KPMG Report. Alberta Municipal Affairs
Response to Wood Buffalo Wildfire KPMG Report Alberta Municipal Affairs Background To ensure continuous enhancement and improvement of Alberta s public safety system, the Alberta Emergency Management Agency
More informationOrganizational Privacy Transformation: A case study from Critical Issues to Award Winning Success
Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success Norine Primeau-Menzies VP Customer Services, Chief Privacy Officer May 2012 Agenda Overview of OTN Setting
More informationManaged Security Services - Endpoint Managed Security on Cloud
Services Description Managed Security Services - Endpoint Managed Security on Cloud The services described herein are governed by the terms and conditions of the agreement specified in the Order Document
More informationPrivacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016
Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016 Pēteris Zilgalvis, J.D., Head of Unit for Health and Well-Being, DG CONNECT Table of Contents 1. Context
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationBUILD YOUR CYBERSECURITY SKILLS WITH TRASYS INTERNATIONAL
BUILD YOUR CYBERSECURITY SKILLS WITH TRASYS INTERNATIONAL BECOME A PECB CERTIFIED ISO 27001 AUDITOR OR INSTRUCTOR Trasys International established a partnership with the Professional Evaluation and Certification
More informationUnclassified. Date Monday 24 September Business Continuity Plan Review - Mission Critical Activities
Meeting Paper title Executive Team Date Monday 24 September Business Continuity Plan Review - Mission Critical Activities Agenda item 5 Discussion time Purpose of paper Decision [If a decision you must
More informationSTRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government
ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents
More informationPublic Disclosure Copy
Public Disclosure Authorized AFRICA Ethiopia Economic Policy Global Practice Recipient Executed Activities Investment Project Financing FY 2014 Seq No: 2 ARCHIVED on 29-Jun-2015 ISR19269 Implementing Agencies:
More informationACTIVE SHOOTER RESPONSE CAPABILITY STATEMENT. Dynamiq - Active Shooter Response
ACTIVE SHOOTER RESPONSE CAPABILITY STATEMENT ACTIVE SHOOTER RESPONSE Responding to armed assault acts of terrorism and active shooter incidents Acts of terrorism and shootings in public places have become
More informationGuide to cyber security/cip specifications and requirements for suppliers. September 2016
Guide to cyber security/cip specifications and requirements for suppliers September 2016 Introduction and context The AltaLink cyber security/cip specification and requirements for suppliers (the standard)
More informationVMware BCDR Accelerator Service
AT A GLANCE The rapidly deploys a business continuity and disaster recovery (BCDR) solution with a limited, pre-defined scope in a non-production environment. The goal of this service is to prove the solution
More informationInformation Security Governance and IT Governance
Information Security Governance and IT Governance Overview NC State is redesigning its IT governance process (see external document, NC State IT Governance Redesign at http://go.ncsu.edu/it-governance-redesign-final
More informationActivities of TCE 3. Accreditation and Certification Program for Official Statistical Professionals in OIC Member Countries (OStat Program)
ORGANIZATION OF ISLAMIC COOPERATION S E S R I C Activities of TCE 3 Accreditation and Certification Program for Official Statistical Professionals in OIC Member Countries (OStat Program) 10 April 2013
More informationSession 5: Business Continuity, with Business Impact Analysis
Session 5: Business Continuity, with Business Impact Analysis By: Tuncay Efendioglu, Acting Director Internal Oversight Division, WIPO Pierre-François Gadpaille, Audit Specialist (Information Systems),
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationOCM ACADEMIC SERVICES PROJECT INITIATION DOCUMENT. Project Title: Online Coursework Management
OCM-12-025 ACADEMIC SERVICES PROJECT INITIATION DOCUMENT Project Title: Online Coursework Management Change Record Date Author Version Change Reference March 2012 Sue Milward v1 Initial draft April 2012
More informationData Protection and GDPR
Data Protection and GDPR At DPDgroup UK Ltd (DPD & DPD Local) we take data protection seriously and have updated all our relevant policies and documents to ensure we meet the requirements of GDPR. We have
More informationBringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016
Bringing cyber to the Board of Directors & C-level and keeping it there Dirk Lybaert, Proximus September 9 th 2016 Dirk Lybaert Chief Group Corporate Affairs We constantly keep people connected to the
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationAssessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society
ECOSOC Resolution 2008/3 Assessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society The Economic and Social Council, Recalling
More informationReport on the activities of the Independent Integrity Unit, November 2016 to September 2017
Meeting of the Board 30 September 2 October 2017 Cairo, Arab Republic of Egypt Provisional agenda item 8 GCF/B.18/Inf.12 29 September 2017 Report on the activities of the Independent Integrity Unit, November
More informationRESOLUTION 45 (Rev. Hyderabad, 2010)
212 RESOLUTION 45 (Rev. Hyderabad, 2010) The World Telecommunication Development Conference (Hyderabad, 2010), recalling a) Resolution 45 (Doha, 2006) of the World Telecommunication Development Conference
More informationBudget Review Process (BRP) Preliminary List of Business Initiatives. Stakeholder Meeting April 10, 2017
2017-18 Budget Review Process (BRP) Preliminary List of Business Initiatives Stakeholder Meeting April 10, 2017 Purpose / Agenda The purpose of this presentation is to: Provide stakeholders with a BRP
More informationFiscal 2015 Activities Review and Plan for Fiscal 2016
Fiscal 2015 Activities Review and 1. The Ricoh Group s Information Security Activities In response to changes emerging in the social environment, the Ricoh Group is promoting its PDCA management system
More informationKENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)
KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT) 1. DIRECTOR, LEARNING & DEVELOPMENT - LOWER KABETE Reporting to the Director General, Campus Directors will be responsible for
More informationCouncil, 8 February 2017 Information Technology Report Executive summary and recommendations
Council, 8 February 2017 Information Technology Report Executive summary and recommendations Introduction This report provides the Council with an update into the work of the Information Technology Directorate
More informationBusiness Continuity: How to Keep City Departments in Business after a Disaster
Business Continuity: How to Keep City Departments in Business after a Disaster Shannon Spence, PE Red Oak Consulting, an ARCADIS group Agenda Security, Resilience and All Hazards The Hazards Cycle and
More informationFSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN
FOREST STEWARDSHIP COUNCIL INTERNATIONAL CENTER FSC STANDARD Standard for Multi-site Certification of Chain of Custody Operations FSC-STD-40-003 (Version 1-0) EN 2007 Forest Stewardship Council A.C. All
More information