A Security Review of MVS/RACF: Part 2

Kurt Meiser

Payoff

An efficient and effective security review of an MVS/RACF system depends on several factors. Reviewers must use a well-considered methodology. They must be appropriately trained and understand how to evaluate an organization's security management, its MVS/RACF system integrity controls, and the security of its applications. This article discusses the last four of these factors.

Problems Addressed

The first part of this article, A Security Review of MVS/RACF: Part 1 ( ), describes the controls IBM Corp.'s Resource Access Control Facility (RACF) provides when added onto its MVS operating system, as well as a methodology for evaluating the security on an MVS/RACF system. The second part of this article describes the skills that security reviewers should possess to examine these systems and some considerations they should remember when reviewing the different control layers of MVS/RACF systems.

Skills Requirements

A security review is a team sport, and building the right team is a key factor for success. The audit team should have a balance of the following skills, personal preferences, and experiences:

- General versus specific security review skills.
- A procedural versus technical orientation focus.
- System knowledge versus application knowledge.

General skill and experience in security review is, of course, a basic requirement for the planning and management of a security review. Exhibit 1 shows different review areas, and the subsequent paragraphs describe the skills required to perform a controls assessment.

Exhibit 1. Skill Matrix

General versus Specific Skills. Security controls are typically built on a system of policies, procedures, and standards that can be assessed by auditors with general controls experience. However, some system and application controls require specific knowledge.
For example, an organization's MVS/RACF security standards can be effectively reviewed only by a reviewer with a solid MVS/RACF background.

Procedural versus Technical Focus. Solid technical skills and experience are necessary. However, it is easier to teach a technical person the necessary procedural skills than to teach a generalist the technical knowledge required for a sound technical assessment. Technical skills are required for both system and application audits.

System versus Application Knowledge. It is usually a primary goal of a security review to assess application controls; however, application controls depend on system controls. Application audit findings therefore are reliable only if a recent system audit has established adequate system controls or if fundamental system controls are assessed at the same time.

Staffing Considerations

The high number of technical platforms can make it difficult even for large organizations to have the right level of technical skills available at all times. Consequently, it is often a good business decision to hire consultants in areas in which standard systems and applications require highly specialized technical skills and to have permanent staff focus on controls unique to the organization. For example, the security review of MVS/RACF systems and CICS application environments may be more effective and efficient if local reviewers are supported by specialists who have solid technical backgrounds and experience from a large number of similar audits. An extreme example is a penetration test, an approach that is rarely cost-justifiable without external specialists. Similarly, the audit of a standard application package can greatly benefit from the participation of a specialist for the particular package. In contrast, permanent, local staff can probably best assess controls in nonstandard, locally developed applications and application controls. Internal auditors are also best suited to make final judgments on questions of conflict of interest and necessary privileges in application and system audits. In summary, the ideal review team consists of a mix of technical specialists for the relevant products and platforms and auditors familiar with the organization and its specific applications, structures, and policies. Exhibit 2 illustrates this mix.
Exhibit 2. Optimal Staffing Mix

Security Review Program Considerations

This section discusses some considerations regarding security review programs for the following control layers:

- Security management.
- MVS/RACF system integrity controls.
- Application controls.

Security Management

Some important aspects of security management are addressed in the following paragraphs. They include security policy, security standards, and security administration and audit.

Security Policy. An organization's security policy is a set of high-level security rules and guidelines pronounced by executive management. The absence of an adequate policy often indicates management's lack of interest in and support of coherent controls. If a security policy is not available, a reviewer will use a personal model of controls instead. This often leads to unnecessary disagreements between reviewers and reviewees.

Security Standards. Security standards are the technical interpretation of a security policy. They represent the technical plan according to which controls are built and maintained and the yardstick for security reviews. Organizations with solid security standards have effective computer controls and few disagreements among support staff, security administrators, and auditors.

Security Administration and Audit. A review of security administration typically addresses organizational structures and administrative procedures. Frequently, security administration independence (from system support, for example) is regarded as more important than technical competence and experience. In one organization, RACF administration responsibility was transferred, in response to independence issues raised in an audit, from system support to plant security, an organization experienced in dealing with physical security rather than software security. As a result, RACF security degraded. It is better to accept a slight lack in segregation of duties than incompetent security administration. Audit, of course, should be independent of both functions. Status and event monitoring are important aspects of security administration. Security administration should perform these tasks, and the audit should ensure they have been performed consistently throughout the audit period.

MVS/RACF System Integrity Controls

System integrity controls can be categorized as follows:

- Security configuration and system protection.
- Security implementation options.
- System and security authorization and privileges.
- Critical system functions.
- System extensions and modifications.
- Host-based network controls.

The following paragraphs address each category and its major control considerations.

Security Configuration and System Protection. This category addresses the environment in which the security system to be audited exists. The security configuration should match the system configuration so that all resources are protected by a unique set of rules. If disks are shared among different operating systems, the RACF data base should also be shared. A test system, for instance, that shares disk volumes with a production system but has its own RACF data base (i.e., does not share the production RACF data base) may expose production data. If disks are shareable, they will be shared, even if the security policy calls for separation.
System Protection. System resources must be RACF-protected, and access must be restricted to system support staff. Public access to system data sets is rarely required, because the system provides implicit access to most commonly needed functions.

Recovery and Performance. Recoverability and acceptable performance of the security function are important ingredients of a security implementation. Good recovery requires that the RACF option to maintain an active backup data set be used and that periodic backup copies be taken. RACF performance management makes use of options such as resident RACF blocks, resident profiles, and adequate global table entries.

Security Implementation Options. These are the global settings representing security policy and governing the overall shape of the access control system.

Protection Mode. The protection mode is determined by a number of fundamental settings, such as:

- PROTECTALL. This is a default protection; it ensures that all data sets are RACF-protected.
- BATCHALLRACF. All batch jobs must have a valid RACF-defined user ID.
- TAPEDSN. Data on tape is protected at the data set level.

It is also determined by implementation decisions forcing RACF registration of all TSO and CICS users. Active RACF interfaces of various system products are part of the overall protection mode as well.

Protection Options. Protection options are other RACF settings that determine the strength of security controls. They include:

- Password control parameters, such as minimum length and automatic expiration.
- Profile styles: generic or discrete, group or entity profiles.
- Erase-on-scratch, the erasure of residual data.
- Security labels, the use of security classification controls.

Some of these options (e.g., erase-on-scratch or mandatory access control through security labels) may fall into the category of advanced controls, in contrast to baseline controls.

Logging and Recording. Another part of security implementation options is related to security event recording. These options determine the amount of RACF logging for authorized access or unauthorized access attempts as specified by data owners and their administrators or as set by auditors individually or globally. Logging of privileged activities (e.g., SAUDIT, OPERAUDIT) and real-time notification definitions are other examples of the logging and recording function.

System and Security Authorization and Privileges. This category addresses special system and user privileges that must be assigned and monitored carefully.

Authorized Programs. The Authorized Program Facility is an external interface through which the installation defines additional system program libraries. The protection of these libraries and adequate access control to them are a major security concern. All libraries must be RACF-protected; no public update access should be granted. Specific write access must be limited, and the contents of authorized program libraries must be adequately managed.

Special Properties. Special privileges can be assigned to authorized programs through such tables as the Program Properties Table and the started procedures table. These tables must be properly designed and maintained.

User Privileges. Privileges to administer RACF (RACF's SPECIAL attribute), to perform global system maintenance tasks (RACF's OPERATIONS attribute), and to monitor privileged users (RACF's AUDITOR attribute) can be assigned in RACF. These privileges must be assigned restrictively, to users with a true need only; their scope should be limited and, when possible, more specific controls should be used instead (e.g., DASDVOL authorization and system-managed storage controls rather than OPERATIONS).

Critical System Functions. In this category, critical but necessary functions are covered. They must be restricted to a limited number of trusted users.

Command Authorities. MVS and Job Entry Subsystem commands can technically be issued from many software environments, for example TSO, IBM's Netview, Candle's Omegamon, and batch jobs. Controls can be implemented through the RACF OPERCMDS and CONSOLE classes. If these controls are not used, all environments from which commands can be issued must be secured and reviewed individually.

Started Procedures. The started procedures environment must be secured in a way that unauthorized users cannot alter or abuse existing procedures or implant their own to gain unauthorized access or privileges. The security review must address controls over procedure libraries and the design of the RACF started procedures table. This table should assign individual user IDs, which have no OPERATIONS attribute, and contain the privileged or trusted attributes only when they are required by vendor code and are documented accordingly. Unknown started procedures should not be given privileges.
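The rules in the Started Procedures paragraph can be turned into a mechanical check. The following is an added example, not code from the article or from IBM: it reviews a started-procedures table for individual user IDs, the OPERATIONS attribute, undocumented PRIVILEGED/TRUSTED flags, and privileges on the catch-all entry for unknown procedures. The record layout, the use of "*" as the catch-all procedure name, and all sample entries and user attributes are constructed assumptions; a real ICHRIN03 table or STARTED-class listing would first have to be exported into this shape.

```python
"""Started-procedures table review (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class StartedEntry:
    procname: str            # procedure name; "*" = catch-all for unknown procedures (assumed convention)
    userid: str              # user ID the started task runs under
    privileged: bool = False
    trusted: bool = False
    documented: str = ""     # vendor requirement for PRIVILEGED/TRUSTED, empty if none


@dataclass
class Finding:
    procname: str
    severity: str            # "HIGH" or "MEDIUM"
    message: str


def audit_started_table(entries, user_attrs):
    """Return Finding records for a started-procedures table.

    user_attrs maps each RACF-defined user ID to its set of attributes,
    for example {"OPERATIONS"}; an ID missing from the map is undefined.
    """
    findings = []

    # Which procedures run under each user ID, to spot shared IDs.
    users_of = {}
    for e in entries:
        users_of.setdefault(e.userid, []).append(e.procname)

    for e in entries:
        attrs = user_attrs.get(e.userid)
        if attrs is None:
            findings.append(Finding(e.procname, "HIGH",
                            f"user ID {e.userid} is not RACF-defined"))
            continue

        # Individual user IDs: a shared ID blurs accountability in the audit trail.
        if e.procname != "*" and len(users_of[e.userid]) > 1:
            findings.append(Finding(e.procname, "MEDIUM",
                            f"user ID {e.userid} is shared by "
                            + ", ".join(users_of[e.userid])))

        # Started-task IDs must not carry the OPERATIONS attribute.
        if "OPERATIONS" in attrs:
            findings.append(Finding(e.procname, "HIGH",
                            f"user ID {e.userid} has the OPERATIONS attribute"))

        # PRIVILEGED/TRUSTED bypass most access checking: require a documented reason.
        if (e.privileged or e.trusted) and not e.documented.strip():
            findings.append(Finding(e.procname, "HIGH",
                            "PRIVILEGED/TRUSTED set without a documented vendor requirement"))

        # The catch-all entry for unknown procedures must grant no privileges.
        if e.procname == "*" and (e.privileged or e.trusted or "OPERATIONS" in attrs):
            findings.append(Finding(e.procname, "HIGH",
                            "catch-all entry for unknown procedures carries privileges"))

    return findings


# Constructed sample table and user attributes (not from any real system).
SAMPLE_TABLE = [
    StartedEntry("JES2", "JES2", privileged=True, documented="vendor requires PRIVILEGED"),
    StartedEntry("VTAM", "VTAM"),
    StartedEntry("BACKUP", "STCUSER"),
    StartedEntry("REPORTS", "STCUSER"),
    StartedEntry("DBMON", "DBMON", trusted=True),
    StartedEntry("*", "STCDFLT", trusted=True),
]
SAMPLE_USERS = {
    "JES2": {"PROTECTED"},
    "VTAM": {"PROTECTED"},
    "STCUSER": {"OPERATIONS"},
    "DBMON": set(),
    "STCDFLT": set(),
}

if __name__ == "__main__":
    for f in audit_started_table(SAMPLE_TABLE, SAMPLE_USERS):
        print(f"{f.severity:6} {f.procname:8} {f.message}")
```

Run against the sample, the check passes JES2 (privileged but documented) and VTAM, and reports the two procedures sharing an OPERATIONS user ID, the undocumented TRUSTED flag on DBMON, and the privileged catch-all entry.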
Critical Programs and Functions. Programs containing functions to alter the system or security environment must be restricted. Some need to be controlled globally through RACF program protection; others have built-in granular controls that should be interfaced with RACF. Examples of critical programs that should have program protection are:

- Programs performing volume initialization.
- Programs performing backup or restore operations.
- Programs performing general file manipulation (e.g., IBM's Superzap).

Examples of critical programs to be secured by means of a RACF interface are Omegamon, Netview, and System Display and Spool Facility.

System Extensions and Modifications. Interfaces to extend and modify standard MVS and RACF processing are addressed in this category.

Installation Exits. Installation exits can change the results of system processing. Some of them have security and integrity implications, for example:

- All RACF exits.
- Many job entry subsystem exits.
- Most system management facilities exits.
- Most TSO exits.
- Some MVS exits.

They should be well documented as to purpose, function, and origin and reviewed for coding in agreement with general IBM guidelines and individual coding rules established by the organization.

User Supervisor Calls. The same rules apply to user supervisor calls (SVCs). They are a major area of observed integrity exposures. Faulty SVCs fall into two categories:

- Those designed to provide program authorization or security bypass, and trap doors. (They often have pseudo-security features that can be defeated.)
- Those written in violation of SVC coding rules. (They can be abused to perform authorization functions they were not designed for.)

When source code is not available or code review is not practical, vendor integrity statements should be obtained for SVCs delivered as part of third-party products.

System Modifications. These modifications are difficult if not impossible to detect unless they are implemented openly (i.e., through System Modification Program or Modified Link Pack Area techniques). To a limited degree, generating a check sum for modules or libraries to detect unauthorized modifications can be helpful.

Host-Based Network Controls. This category addresses some controls that can be used to prevent importing weaknesses from a network or other hosts on the network.

VTAM Application Protection. RACF provides protection of Virtual Telecommunications Access Method applications to prevent the implanting of bogus online applications that might, for example, be used to capture passwords.

Network Job Entry and Remote Job Entry Controls. Remote job entry and particularly Network Job Entry can be implemented to accept jobs without proper local authentication. This acceptance is often based on trust in another system on the network that may not always be justified. An audit of these areas may be a necessary part of a system review.

Secondary Authentication. User authentication, particularly in a network environment, can be strengthened through the use of secondary authentication. Similar to most software security systems, RACF uses password checking as its primary authentication mechanism. Secondary authentication can be implemented through tokens and authentication devices that the authorized user has or uses to sign on.

Application Controls

A methodology for reviewing application controls should address the following categories:

- Security design: the authentication of users, the transaction environment, and the design of rules.
- Security administration: the administration of users and protection of resources.
- Production control: the confinement of users in their designated environment, the separation of test and production, and security monitoring and auditing.
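The System Modifications paragraph above suggests a check sum over modules or libraries as a limited detective control. The following added example (not code from the article) shows the shape of that control on an ordinary directory standing in for a load library: hash every member, keep the result as a baseline, and diff a later scan against it. SHA-256 is used instead of an arithmetic checksum because a modifier can pad a member to keep a simple checksum constant but cannot do so against a cryptographic hash. Member names and contents are constructed; on a real system the baseline must be kept where the reviewed system cannot rewrite it, or the comparison proves nothing.

```python
"""Library integrity baseline and comparison (added example, constructed data)."""
import hashlib
import json
import os
import tempfile


def hash_member(path):
    """SHA-256 hex digest of one library member, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(library_dir):
    """Map every member name in library_dir to its digest."""
    return {
        name: hash_member(os.path.join(library_dir, name))
        for name in sorted(os.listdir(library_dir))
        if os.path.isfile(os.path.join(library_dir, name))
    }


def compare_baselines(expected, current):
    """Classify members as added, removed, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
        "changed": sorted(n for n in expected
                          if n in current and expected[n] != current[n]),
    }


def demo():
    """Constructed scenario: baseline three members, then one is altered,
    one deleted and one added without going through change management."""
    members = {  # constructed names and contents
        "IEFBR14": b"SR 15,15 / BR 14",
        "IGC0001A": b"user SVC 201, reviewed version",
        "MYEXIT": b"installation exit, version 1",
    }
    with tempfile.TemporaryDirectory() as lib:
        for name, body in members.items():
            with open(os.path.join(lib, name), "wb") as f:
                f.write(body)
        stored = json.dumps(build_baseline(lib))  # this is what would be kept offline

        # Changes made outside SMP / change management.
        with open(os.path.join(lib, "MYEXIT"), "wb") as f:
            f.write(b"installation exit, version 1 with an unrecorded change")
        os.remove(os.path.join(lib, "IGC0001A"))
        with open(os.path.join(lib, "IGC0002B"), "wb") as f:
            f.write(b"new user SVC, origin unknown")

        return compare_baselines(json.loads(stored), build_baseline(lib))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison reports one changed, one removed and one added member; each item is then a question for change management, which is exactly the limited but useful role the article assigns to the technique.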
These generic categories apply to all application environments; however, they may contain slightly different controls for different areas, such as TSO and batch or CICS production environments.

Security Design. The overall security design should be evaluated before the details of application protection. Sound security design is a prerequisite for security, and assessing the design helps in the planning and directing of subsequent tests.

Naming Conventions. Key design criteria are naming conventions (for users, groups, data sets, transactions, and any other RACF-protected resources) and the RACF group design. Poor naming conventions usually increase the number of necessary RACF definitions and make them unnecessarily volatile. This is particularly true for poorly designed RACF groups.

User Authentication. Full RACF user authentication is another important element of good security. The presence of undefined users and their authentication outside RACF can significantly weaken the overall security of an application. The reviewer must assess the potential exposure from such users. When users are authenticated by RACF, RACF IDs should be used for all decisions within applications.

Resource Control. Full RACF control of the transaction environments represents sound design. Protection concepts allowing for unprotected resources are always prone to errors. For environments without default protection (i.e., IMS), catch-all RACF profiles should be used to prevent access to unprotected entities. When default protection is not implemented, the reviewer must evaluate potential exposures from unprotected resources in addition to assessing access rules for protected ones. The design of rules (e.g., discrete, generic, group profiles) is also assessed.

Security Administration. An application's security administration is evaluated to determine whether segregation of duties has been implemented adequately and whether least-necessary privileges have been assigned. Using RACF tools makes these evaluations effective and efficient. For example, Consul/RACF provides reports on the scope of a user's authority. This report contains all access that a user may have through:

- Public access such as Universal Access, ID(*), Global Table, and Warn Mode.
- Explicit access list entries for the user's ID or any group connection.
- Implicit access through profile ownership.

User Administration. The user administration analysis focuses on the validity and integrity of the user definitions and tests for invalid but active IDs, inactive users, and unjustified access and use privileges. When user definitions are maintained outside RACF, the proper synchronization of the definitions is checked.

Resource Protection. The analysis of RACF rules should check for adequate public access (universal access and ID(*)), specific access, and constrained access. It should be performed from two angles: from the perspective of the user and from that of resource protection. In addition, potential discrepancies must be identified (e.g., conflicting access rules in RACF profiles and the global table). An important protection element to be reviewed is the RACF audit option, the profile option controlling the creation of an audit trail.
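The scope-of-authority report and the two-angle rule analysis described above can be modelled in a few dozen lines. The following is an added example, not Consul/RACF's code or IBM's: for one user it computes the highest effective access to each resource and the path that grants it (global access table, explicit user or group entry, ID(*), UACC, WARN mode, or profile ownership), and it lists resources whose public access reaches a chosen level. The evaluation order is a simplified model of RACF DATASET authorization, stated here as an assumption: an explicit user entry governs even when it is lower than UACC, group entries are taken at their highest (list-of-groups checking), then ID(*), then UACC; SPECIAL and OPERATIONS shortcuts are ignored. Profiles, groups and the global table are constructed sample data.

```python
"""Scope-of-authority report for one RACF user (added example, constructed data)."""
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Profile:
    name: str
    owner: str
    uacc: str = "NONE"
    warning: bool = False                              # WARN mode on the profile
    access_list: dict = field(default_factory=dict)    # user ID, group, or "*" -> level


@dataclass
class Entry:
    resource: str
    level: str
    path: str                                          # report category that grants it


def highest(levels):
    return max(levels, key=lambda lv: RANK[lv]) if levels else "NONE"


def profile_access(profile, userid, groups):
    """Access from the profile's own rules, with the path that supplied it (assumed order)."""
    if userid in profile.access_list:
        return profile.access_list[userid], "explicit user"
    group_levels = [profile.access_list[g] for g in groups if g in profile.access_list]
    if group_levels:
        return highest(group_levels), "explicit group"
    if "*" in profile.access_list:
        return profile.access_list["*"], "ID(*)"
    return profile.uacc, "UACC"


def scope_report(userid, groups, profiles, global_table):
    """Highest effective access per resource and the path that grants it."""
    entries = []
    for p in profiles:
        candidates = [profile_access(p, userid, groups)]
        if p.owner == userid:
            # The owner can rewrite the access list, so report it as ALTER.
            candidates.append(("ALTER", "implicit owner"))
        if p.warning:
            # WARN mode grants any request, with only a warning message.
            candidates.append(("ALTER", "WARN mode"))
        if p.name in global_table:
            candidates.append((global_table[p.name], "global table"))
        level, path = max(candidates, key=lambda c: RANK[c[0]])
        entries.append(Entry(p.name, level, path))
    # Global-table entries with no profile of their own still grant access.
    profiled = {p.name for p in profiles}
    for resource, level in global_table.items():
        if resource not in profiled:
            entries.append(Entry(resource, level, "global table"))
    return sorted(entries, key=lambda e: e.resource)


def public_exposures(profiles, threshold="READ"):
    """Resources whose public access (UACC, ID(*) or WARN mode) reaches threshold."""
    out = []
    for p in profiles:
        public = highest([p.uacc, p.access_list.get("*", "NONE")])
        if p.warning or RANK[public] >= RANK[threshold]:
            out.append(p.name)
    return sorted(out)


# Constructed sample data (not from any real system).
SAMPLE_PROFILES = [
    Profile("PROD.PAYROLL.**", owner="PAYADM",
            access_list={"PAYADM": "ALTER", "PAYGRP": "UPDATE", "*": "READ"}),
    Profile("PROD.GL.**", owner="GLADM", uacc="READ",
            access_list={"GLGRP": "UPDATE", "JSMITH": "NONE"}),
    Profile("TEST.**", owner="JSMITH", uacc="UPDATE"),
    Profile("SYS1.PARMLIB", owner="SYSPROG", warning=True,
            access_list={"SYSPROG": "ALTER"}),
]
SAMPLE_GLOBAL = {"SYS1.LINKLIB": "READ", "SYS1.HELP": "READ"}   # global access table

if __name__ == "__main__":
    for e in scope_report("JSMITH", {"PAYGRP", "GLGRP"}, SAMPLE_PROFILES, SAMPLE_GLOBAL):
        print(f"{e.resource:18} {e.level:8} via {e.path}")
    print("public exposure at UPDATE or above:", public_exposures(SAMPLE_PROFILES, "UPDATE"))
```

Two of the sample results illustrate why the report has to consider every path rather than the access list alone: JSMITH gets NONE on PROD.GL.** despite UACC READ and a group entry of UPDATE, because an explicit user entry governs, and gets full access to SYS1.PARMLIB with no entry at all, because the profile is in WARN mode.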
Production Control. Production controls are designed to confine users to certain execution environments, to separate test and production activities, and to verify that production was properly executed and completed.

User Confinement. The reviewer should verify controls that prevent users from breaking out of their designated environment. Typical examples are CICS users who manage to submit batch jobs that inherit the (usually much higher) authorization of the CICS production region, or users of TSO-based applications who successfully use the attention key to terminate current operations and gain full TSO capabilities.

Separation of Test and Production. The security review should determine how effectively test and production environments are separated. Programmers frequently have access to production programs and data, and production jobs call programs from development libraries. It is necessary to assess change management procedures and the RACF definitions that enforce them.

Monitoring. The protection status of production resources and the audit trails generated while they are accessed and used are important monitoring activities. The reviewer should assess the completeness and effectiveness of monitoring during the security review.

Recommended Course of Action

MVS/RACF security reviews can be effective and efficient if the following conditions are met. Security reviewers should possess the proper mix of technical skills and professional experience, and they must work within the framework of a sound methodology. System integrity should be assessed as the basis for application security, and technical assessment must take priority over procedural tests. Finally, reasonable security standards must be in place or be adopted during the security review. This article describes how to meet many of these conditions. Those it does not cover are explained in its companion, A Security Review of MVS/RACF: Part 1 ( ).

Author Biographies

Kurt H. Meiser is director of ITSS International, Inc., a consulting firm based in Poughkeepsie, NY, that specializes in computer security. Previously, Meiser was a manager at Coopers & Lybrand in New York for six years, with responsibility for design, development, and security of information technology security services. Before that he was a systems engineer for IBM Corp. for 22 years, with emphasis on MVS and RACF integrity and security.
277 Hitachi Review Vol. 63 (201), No. 5 Featured Articles Control System Security for Social Infrastructure Toshihiko Nakano, Ph.D. Katsuhito Shimizu Tsutomu Yamada Tadashi Kaji, Dr. Info. OVERVIEW: The
More informationSQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More informationAdministering a SQL Database Infrastructure
Administering a SQL Database Infrastructure 20764B; 5 Days; Instructor-led Course Description This five-day instructor-led course provides students who administer and maintain SQL Server databases with
More informationHow to get started with CaseWare Cloud
How to get started with CaseWare Cloud Introduction The aim of this guide is to assist the CaseWare Cloud Administrator to follow these simple steps on how to set up your firm s instance of CaseWare Cloud.
More informationGUIDELINES FOR SUBMITTING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
GUIDELINES FOR SUBMITTING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 1 of 16 CONTENTS Introduction... 3 CPE Record Keeping... 4 CPE Credit
More informationDuration: 5 Days Course Code: M20764 Version: B Delivery Method: Elearning (Self-paced)
Administering a SQL Database Infrastructure Duration: 5 Days Course Code: M20764 Version: B Delivery Method: Elearning (Self-paced) Overview: This five-day instructor-led course provides students who administer
More informationDATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD
DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW Version 2, Release 5 28 October 2016 Developed by for the DoD 28 October 2016 Developed by for the DoD Trademark Information Names, products,
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationSparta Systems Stratas Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationRecordkeeping Standards Analysis of HealthConnect
Recordkeeping Standards Analysis of HealthConnect Electronic Health Records: Achieving an Effective and Ethical Legal and Recordkeeping Framework Australian Research Council Discovery Grant, DP0208109
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric
More informationOverview. Business value
PRODUCT SHEET CA Top Secret for z/vse CA Top Secret for z/vse CA Top Secret for z/vse provides innovative and comprehensive security for business transaction environments which enable your business to
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationGUIDELINES FOR SUBMITING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
GUIDELINES FOR SUBMITING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS (ISC) 2 CISSP Recertification Guidelines Page 1 of 14 CONTENTS Introduction... 3 CPE Record Keeping... 4 CPE Credit Requirements...
More informationISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.
ISSUE N 1 MAJOR MODIFICATIONS Version Changes Related Release No. 01 First issue. 2.8.0 PREVIOUS VERSIONS HISTORY Version Date History Related Release No. N/A N/A N/A N/A APPROVAL TABLE Signatures below
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationRecords Retention Schedule
Retention Schedule Form C must Record Title Storage 1. Page 18 of 104 106 Category 2: Electronic Data Processing Section 2.1 Automated Applications 2.1.001 38 Automated Files - Processing Files Machine-readable
More informationvrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4
vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide You can find the most up-to-date technical
More informationMicrosoft Administering a SQL Database Infrastructure
1800 ULEARN (853 276) www.ddls.com.au Microsoft 20764 - Administering a SQL Database Infrastructure Length 5 days Price $4290.00 (inc GST) Version C Overview This five-day instructor-led course provides
More informationNSIF APPROVED DOCUMENT. Common Applications Requirements for SONET NE Security System
NSIF APPROVED DOCUMENT NSIF-037-2000 (NSIF Document #NSIF-CA-9910-110R3) WORK GROUP: Security TITLE: Common Applications Requirements for SONET NE Security System DATE: EDITOR: Name: Ron Roman Voice: (732)
More informationAgenda. Bibliography
Humor 2 1 Agenda 3 Trusted Digital Repositories (TDR) definition Open Archival Information System (OAIS) its relevance to TDRs Requirements for a TDR Trustworthy Repositories Audit & Certification: Criteria
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationMay 2016 RACF Options Survey Responses Presented by Richard K. Faulhaber
Presented by Richard K. Faulhaber rkf@newera.com twitter: @faulhaber_rk April 16 RACF Password Environment Survey Responses http://www.newera-info.com/ebooks.html Specifies that data sets created by users
More informationSession 4.07 Accountability for Use or Disclosure of a Patient s Electronic Record
Session 4.07 Accountability for Use or Disclosure of a Patient s Electronic Record Requirements for a Security and Privacy Audit System Presented By: John Travis, CPA, MSA, CHFP Director, Solution Management
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationI. PURPOSE III. PROCEDURE
A.R. Number: 2.11 Effective Date: 2/1/2009 Page: 1 of 5 I. PURPOSE This policy outlines the procedures that third party organizations must follow when connecting to the City of Richmond (COR) networks
More informationIntroduction To IS Auditing
Introduction To IS Auditing Instructor: Bryan McAtee, ASA, CISA Bryan McAtee & Associates - Brisbane, Australia * Course, Presenter and Delegate Introductions * Definition of Information Technology (IT)
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationINFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES
INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015
Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently
More informationISO Gap Analysis Excerpt from sample report
ISO 27001 Gap Analysis Excerpt from sample report Protect Comply Thrive (The below excerpts do not represent the entire report, and only provide a small sample of the information provided in the full report).
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationWireless Network Policy and Procedures Version 1.5 Dated November 27, 2002
Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Pace University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made
More informationIBM. Enterprise Systems Architecture/ Extended Configuration Principles of Operation. z/vm. Version 6 Release 4 SC
z/vm IBM Enterprise Systems Architecture/ Extended Configuration Principles of Operation Version 6 Release 4 SC24-6192-01 Note: Before you use this information and the product it supports, read the information
More informationThis regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.
UAR NUMBER: 400.01 TITLE: Wireless Network Policy and Procedure INITIAL ADOPTION: 11/6/2003 REVISION DATES: PURPOSE: Set forth the policy for using wireless data technologies and assigns responsibilities
More informationWHITEPAPER. Vulnerability Analysis of Certificate Validation Systems
WHITEPAPER Vulnerability Analysis of Certificate Validation Systems The US Department of Defense (DoD) has deployed one of the largest Public Key Infrastructure (PKI) in the world. It serves the Public
More informationIntroduction to DB2 11 for z/os
Chapter 1 Introduction to DB2 11 for z/os This chapter will address the job responsibilities of the DB2 system administrator, what to expect on the IBM DB2 11 System Administrator for z/os certification
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationEvaluating Client/Server Operating Systems: Focus on Windows NT Gilbert Held
5-02-30 Evaluating Client/Server Operating Systems: Focus on Windows NT Gilbert Held Payoff As organizations increasingly move mainframe-based applications to client/server platforms, Information Systems
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationMinimum Requirements For The Operation of Management System Certification Bodies
ETHIOPIAN NATIONAL ACCREDITATION OFFICE Minimum Requirements For The Operation of Management System Certification Bodies April 2011 Page 1 of 11 No. Content Page 1. Introduction 2 2. Scope 2 3. Definitions
More information3Lesson 3: Web Project Management Fundamentals Objectives
3Lesson 3: Web Project Management Fundamentals Objectives By the end of this lesson, you will be able to: 1.1.11: Determine site project implementation factors (includes stakeholder input, time frame,
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationHIPAA Controls. Powered by Auditor Mapping.
HIPAA Controls Powered by Auditor Mapping www.tetherview.com About HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard
More informationREVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009
APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto
More information<PROJECT NAME> IMPLEMENTATION PLAN
IMPLEMENTATION PLAN Version VERSION HISTORY [Provide information on how the development and distribution of the Project Implementation Plan was controlled and tracked.
More informationIntegration of Agilent UV-Visible ChemStation with OpenLAB ECM
Integration of Agilent UV-Visible ChemStation with OpenLAB ECM Compliance with Introduction in Title 21 of the Code of Federal Regulations includes the US Federal guidelines for storing and protecting
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationTexas A&M University: Learning Management System General & Application Controls Review
Overall Conclusion Overall, the controls established over the primary learning management system at Texas A&M University, Blackboard Learn (ecampus), are effective in providing reasonable assurance that
More informationCERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION
CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited
More informationThe checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.
3 Design The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you. Data oriented design requirements Minimise and
More information