Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack
Managed Services Virtual Private Cloud Security Features
Selections and Prerequisites

Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC Cloud Service Terms governing the Customer's purchase of services identified in this Solution Pack.

Managed Services Virtual Private Cloud Security Features, Release 9.4 ("Security Services")

Prerequisite Services
Customer must purchase these Services prior to selecting the Services set out in this Solution Pack:
Managed Services Virtual Private Cloud Service ("Managed VPC")

Mandatory Addenda
Managed Services Acceptable Use Policy
DXC Cloud Terms Glossary

DXC Technology Page 1
Table of Contents

1. Statement of Work
  Introduction
  Scope of Service
  Description of Services
    Audit Assurance and Compliance
    Datacenter Security
    Encryption and Key Management
    Governance and Risk Management
    Identity and Access Management
    Infrastructure and Virtualization Security
    Security Incident Management, E-Discovery and Cloud Forensics
    Threat and Vulnerability Management
    Regulatory Compliance
    Managed VPC Continuity Service Security Supplement
Service Levels
  Overview
  Service Levels and Credits
Charges
  Security Service Related Charges
  Costs and Expenses
1. Statement of Work

1.1 Introduction

This Managed VPC Security Features Solution Pack shall apply to each Order placed under this Managed VPC Security Features Solution Pack and will remain in effect unless it is terminated or expires in accordance with the Governing Agreement. In the event of any conflict or inconsistency between this Managed VPC Security Features Solution Pack and the Managed VPC Solution Pack, this Managed VPC Security Features Solution Pack will prevail with respect to the subject matter of this Managed VPC Security Features Solution Pack. General descriptions or references to particular Security Services in this Managed VPC Security Features Solution Pack or elsewhere in the Agreement are subject to the more detailed descriptions below.

Security Services are only available for purchase by Customers who have also purchased, and DXC will be obligated to provide Security Services only if Customer has purchased, Managed VPC Services as described in the Managed VPC Solution Pack. Security Service usage is limited to within the Customer's Managed VPC environment. Termination or suspension of all or any part of the Managed VPC Service for any reason shall automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Security Services under this Managed VPC Security Features Solution Pack.

1.2 Scope of Service

DXC will provide to Customer the Services described by this Statement of Work following submission of Orders. DXC will deliver Security Services on a Managed VPC infrastructure in accordance with the Managed VPC Solution Pack except where otherwise specified below. Security Service components noted as are included with Managed VPC Services at no additional Charge. Security Service components noted as an or al will be made available to the Customer at an additional Charge.
Customer acknowledges that because Unmanaged Servers are under its control, security features for Unmanaged Servers are more limited than for Managed Servers.

Customer will use the Managed Services Portal to order Managed VPC Security Services offered under the Governing Agreement. A complete list of orderable items available in the requested data center can be viewed in the Managed Services Portal. Any Services ordered by the Customer in the Managed Services Portal that are not within scope of the Solution Pack(s) signed by the Customer will result in need for the Customer to sign an additional Solution Pack. This additional Solution Pack must be signed by the Customer before the Customer Order can be fulfilled.

1.3 Description of Services

Audit Assurance and Compliance

Service Overview (Audit Assurance and Compliance)
This section describes the options available to receive information regarding security and compliance in the environment. Customer may conduct audits using the Customer Audit Days option described below only if the available reports do not sufficiently cover specific controls.

Responsibility Matrix (Audit Assurance and Compliance)

The table below describes Security Service components for Audit Assurance and Compliance along with responsibilities related to these components.

(a) Server Penetration Test Report
Review and approve (as appropriate) the properly completed and signed indemnification form.
Complete and sign (and cause any 3rd party auditors to sign) the DXC supplied Penetration Test Indemnification Form and conduct or commission (from DXC or an independent 3rd party) a penetration test of the VPC servers. Provide relevant findings to DXC.
One time charge per report when conducted or commissioned by DXC. Contact DXC Account Team to request this option.

(b) Infrastructure Penetration Test Report
Commission a penetration test from an independent 3rd party and provide an annual summary copy of the report to the Customer.
One report is issued globally for the Managed VPC Service. This report covers a representative sample of the VPC infrastructure and includes tests that attempt to break out of a VM, break out of a tenant compartment, break into the Managed VPC Management Infrastructure, and penetrate from the public Internet. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. One time charge per report. There is no
need to purchase more than one copy. Contact DXC Account Team to request this option.

(c) ISAE 3402/SSAE16 SOC1 Type II Report
Commission the report from an independent 3rd party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available.
One-time charge per report. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. Contact DXC Account Team to request this option.

(d) AT Section 101 SOC2 Report
Commission the report from an independent 3rd party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available.
One-time charge per report. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. Contact DXC Account Team to request this option.

(e) Customer Audit Days
Provide an audit coordinator and/or authorised escort.
Use available audit reports to address as many audit needs as possible. For any remaining items, provide scope and request for audit access 22 business days in advance. Commission auditors (Customer or an independent 3rd party) to perform the audit. Provide relevant findings to DXC.
Charge is per audit day plus expenses. One audit day is one business day in which access to DXC facilities or DXC personnel is required to respond to auditor questions or provide evidence of compliance to controls. Access to DXC facilities requires 22 business days prior notice. Access to DXC personnel requires 10 business days prior notice.
Contact DXC Account Team to request this option. All Customer audits are subject to the requirements described in Section 1.7 (Customer Audits) of the Managed VPC Solution Pack.

1.3.2 Datacenter Security

Service Overview (Datacenter Security)

This section describes the minimum basic controls in place at data centers hosting Managed VPC environments. Additional controls may exist and vary by location.

Responsibility Matrix (Datacenter Security)

The table below describes Security Service components for Datacenter Security along with responsibilities related to these components.

(a) Asset Management
Maintain an inventory of physical assets in the DXC data center.

(b) Physical Security Perimeters
Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center. Provide access controls employing electronic badges and a second factor (i.e. passcode or biometrics).

(c) Secure Disposal of Media
Securely erase data before reuse of media and securely dispose of media that is physically decommissioned and not reused.
(d) Guards
Provide 24x7 guards to patrol and monitor the DXC data center.

(e) Video Surveillance
Provide monitoring and recording of entry and exit points in and around the DXC data center.

(f) Redundant Infrastructure
Provide redundant power to be available in the forms of multiple power feeds where possible and backup power in all locations.

(g) Wireless Access Point Scanning
Perform quarterly scans to detect and remove unauthorised wireless access points allowing connectivity to the VPC infrastructure.

Encryption and Key Management

Service Overview (Encryption and Key Management)

This section describes the encryption related services currently available for Managed VPC.

Responsibility Matrix (Encryption and Key Management)

The table below describes Security Service components for Encryption and Key Management along with responsibilities related to these components.

(a) Encryption of Off-Site Backup Tapes
Encrypt data backed up to tape for removal to off-site storage.
Included when Customer purchases off-site backup services as described in the Managed VPC Backup Solution Pack.

Governance and Risk Management

Service Overview (Governance and Risk Management)

This section describes services performed by DXC to manage risk within the Managed VPC delivery environment and to prevent configuration drift. There are no Customer deliverables or ordering options associated with any services listed below. DXC reserves the right to test or scan any Managed Server(s) for security issues at any time.

Responsibility Matrix (Governance and Risk Management)

The table below describes Security Service components for Governance and Risk Management and responsibilities related to these components.

(a) Annual Risk Assessment
Conduct a risk assessment of the Managed VPC Service offering at least annually.

(b) Security Policy
Configure Customer VPC servers (Managed and Unmanaged Servers) and infrastructure with settings compliant to DXC policies.
Never circumvent or disable DXC provided security settings, tools, or controls without DXC authorization. Determine the appropriate security policy for Customer Managed operating systems.
(c) Server Policy Compliance Scanning
Conduct compliance scans on any Managed Server(s) without notice.

(d) Server Policy Compliance Scanning Reports
Provide access to Server Policy Compliance Scanning Reports on VPC servers in the Customer's VPC compartment.
Identify Customer VPC servers (Managed and Unmanaged Servers) to be included in the scanning report.
Recurring monthly Charge per server. Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly. Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine.

Identity and Access Management

Service Overview (Identity and Access Management)

This section outlines the controls in place for account management, access management, and authentication. Administrative access to Managed Servers is subject to DXC control with only temporary access provided to the Customer during which period the server's availability SLAs will be suspended. DXC support personnel will not have access to Unmanaged Servers, so it is the Customer's responsibility to manage access to those servers.

Responsibility Matrix (Identity and Access Management)

The table below describes Security Service components for Identity and Access Management along with responsibilities related to these components.

(a) DXC Administrative Access
Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before
accessing the Customer's VPC compartment.

(b) Customer Administrative Access
Upon request from an authorised requester, allow temporary administrative access to Managed Servers. Provide a permanent administrative account for Unmanaged Servers.

(c) Role Based Access Control
Determine DXC support personnel access based upon job role and subject to an authorised approver.

(d) Password Controls
Configure password controls on Customer VPC servers (Managed and Unmanaged Servers) and infrastructure to comply with current DXC password policies.

(e) User Access Authorization
Require and record authorization for Managed VPC provisioned access credentials.

(f) User Access Reviews
Conduct quarterly reviews of all elevated access permissions to VPC
systems for DXC personnel.

(g) User Access Revocation
Remove access for DXC personnel whose access is no longer appropriate. Remove access for Customer personnel as directed by authorised requester.
Notify DXC of any Customer user access which is no longer required.

(h) Accountability
Ensure DXC user accounts are traceable to an individual and are not shared.
Assume responsibility for any actions performed by Customer employees.

(i) Multi-Factor Authentication on the Managed Services Portal
Cause the Managed Services Portal to be federated with Authentication Authority for two factors of authentication for all accounts before access is granted to the Managed Services Portal. If Customer does not provide their own 2nd factor service for Managed Services Portal authentication, DXC will supply a 2nd factor service for up to five Customer users at no charge.
Identify and supply an LDAP or AD compatible Authentication Authority for 1st factor authentication to be federated with the Managed Services Portal for authenticating Customer users with a username and password. Identify and supply a RADIUS compatible Authentication Authority for 2nd factor authentication to be federated with the Managed Services Portal or purchase the service from DXC. Cause all Customer users of the Managed Services Portal to maintain reasonably secure password credentials (keep credentials secret and use industry standard complexity requirements).
If the Customer does not have an LDAP or AD compatible Authentication Authority for 1st factor authentication, this can be purchased as a service from DXC.

Infrastructure and Virtualization Security

Service Overview (Infrastructure and Virtualization Security)

This section describes services related to infrastructure and virtualization security.

Responsibility Matrix (Infrastructure and Virtualization Security)

The table below describes Security Service components for Infrastructure and Virtualization Security along with responsibilities related to these components.

(a) Time Synchronization of Management Infrastructure
Cause all Managed VPC infrastructure systems to synchronize with a central and consistent time source.
(b) Customer Dedicated Virtual Firewall
Cause virtual firewall instance to be dedicated to Customer and configure rules into and out of the Customer compartment as directed by the Customer and as required by DXC to provide the contracted support.
Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules.

(c) Customer Segregation
Multiple firewalls are configured to prevent routing between Customer compartment and other tenant compartments.

(d) OS Hardening
Configure Managed VPC operating systems to then current pre-hardened DXC Gold Images.

(e) Virtual Server Access
Configure virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed.
Access Virtual Server operating systems as required from Customer compartments via jump servers.
1.3.7 Security Incident Management, E-Discovery and Cloud Forensics

Service Overview (Security Incident Management, E-Discovery and Cloud Forensics)

This section describes services related to management of security incidents and events.

Responsibility Matrix (Security Incident Management, E-Discovery and Cloud Forensics)

The table below describes Security Service components for Security Incident Management, E-Discovery and Cloud Forensics along with responsibilities related to these components.

(a) Security Incident Management
Employ 24x7 monitoring and triage of security-related events with escalation for resolution and/or Incident management. Notify the designated Customer contact of any material security Incidents directly impacting the Customer.
Manage Customer security incidents. Notify the designated DXC contact of any material security incidents directly impacting the VPC environment. Designate Customer contact to receive notification of material security incidents.

(b) E-Discovery & Cloud Forensics
Provide E-Discovery & Cloud Forensics services under direction of the Customer.
Subscribe to or purchase ad-hoc services if or as desired.
Subscription or ad-hoc services available. Contact DXC Account Team to request quotation.

(c) Evidence Gathering for Customer Managed Incidents
Provide copies of data or evidence appropriate for chain of custody requirements as required. Protect the availability and confidentiality of the data of other customers.
Provide DXC with detailed requests for data gathering if and when required.
This service is provided from a separate DXC organization to provide a level of separation. Contact DXC Account Team to request quotation.

Threat and Vulnerability Management

Service Overview (Threat and Vulnerability Management)

This section describes services related to the discovery and management of malicious code and vulnerabilities. DXC reserves the right to scan any Customer VPC servers (Managed and Unmanaged Servers) for security issues and vulnerabilities at any time.

Responsibility Matrix (Threat and Vulnerability Management)

The table below describes Security Service components for Threat and Vulnerability Management along with responsibilities related to these components.

(a) Antivirus Software on Windows
Cause antivirus software to be installed and maintained on all Managed Servers using Windows OS. Configure signature updates to occur continuously or daily.
Install and manage antivirus software on all Unmanaged Servers using Windows OS.

(b) Antivirus Software on Linux
Cause antivirus software to be installed and maintained on designated Managed Servers using Linux OS. Configure signature updates to occur continuously or daily.
Recurring monthly Charge per server. Orderable through Managed Services Portal. The agent scans for Windows virus signatures on the Linux managed volumes.
(c) Patch Management
Cause patches for Managed VPC operating systems to be tested and installed on a regular cycle and as deemed appropriate by DXC.
Avoid unnecessary deferrals of patching for Customer VPC servers (Managed and Unmanaged Servers). Cause patches for Unmanaged Servers operating systems to be installed within a reasonable time.

(d) Vulnerability Scanning
Conduct vulnerability scans on any Customer VPC servers (Managed and Unmanaged Servers) without notice or restriction.

(e) Vulnerability Scanning Reports
Provide access to vulnerability scanning reports on servers in the Customer's VPC compartment.
Identify servers to be included in the scanning report.
Recurring monthly Charge per server. Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly. Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine.
(f) External Vulnerability Scanning Reports
Provide Customer a self-service vulnerability scan of public facing IP addresses using a scanner on the public Internet. Deliver an external vulnerability scan report.
One time Charge per server per scan. Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer. Scanning is fully automated.

Regulatory Compliance

Service Overview (Regulatory Compliance)

This section describes features and services not mentioned elsewhere that are important for various compliance requirements.

Responsibility Matrix (Regulatory Compliance)

The table below describes Security Service components for Regulatory Compliance along with responsibilities related to these components.

(a) HIPAA
Conduct infrastructure, operating system, and server management in a manner compliant with HIPAA requirements. Available at no additional cost to Customer.
Identify and provide or purchase security options as required to meet HIPAA requirements (if any) applicable to the Customer.

Managed VPC Continuity Service Security Supplement

Service Overview (Managed VPC Continuity - Security Supplement)

This section describes the additional layers of security that apply when select disaster recovery services described in the Managed Virtual Private Cloud Continuity ("Managed VPC Continuity") Solution Pack are purchased by the Customer for Managed Servers in conjunction with Managed VPC Services. These Managed VPC Continuity security service components will apply in the event of a conflict with any or al security services components stated elsewhere in this Managed VPC Security Features Solution Pack.
Responsibility Matrix (Managed VPC Continuity - Security Supplement)

The table below describes Security Service components for Managed VPC Continuity along with responsibilities related to these components.

(a) Physical Security Perimeters
Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center. Provide access controls employing electronic badges and a second factor authentication (i.e. passcode or biometrics).
Standard feature when purchasing Managed VPC Continuity Service

(b) Perimeter Network Intrusion Prevention System (NIPS)
Place Network Intrusion Prevention Sensors (NIPS) on the perimeter of the infrastructure to filter all inbound traffic. Maintain and tune the NIPS filters as deemed appropriate by DXC.
Standard feature when purchasing Managed VPC Continuity Service

(c) DXC Administrative Access
Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before accessing the Customer's VPC compartment.
Standard feature when purchasing Managed VPC Continuity Service

(d) Customer Dedicated Virtual Firewall
Cause virtual firewall instance to be dedicated to Customer and configure rules into and out of the Customer compartment as directed by the Customer and as required by DXC to provide the contracted support.
Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules.
Standard feature when purchasing Managed VPC Continuity Service

(e) Customer Segregation
Configure multiple firewalls to prevent routing between Customer compartment and other tenant compartments.
Standard feature when purchasing Managed VPC Continuity Service

(f) Virtual Server Access
Configure virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed.
Access Virtual Server operating systems as required from Customer compartments via jump servers.
Standard feature when purchasing Managed VPC Continuity Service

(g) Encryption in Transit
Provide an encryption capability for Customer use when transmitting Customer Data over the public Internet.
Standard feature when purchasing Managed VPC Continuity Service

(h) Secure Data Deletion
Subject SAN-attached discs to a three (3) pass wipe process when removing from operational use.
Standard feature when purchasing Managed VPC Continuity Service
2. Service Levels

2.1 Overview

This section describes Service Levels for the Security Services, the manner in which they are measured and reported, and the consequences of Faults.

2.2 Service Levels and Credits

Security Services are included in Managed VPC Service Levels and Service Credit calculations specified in the Managed VPC Solution Pack. No additional Service Levels apply to al Security Services specified in this Managed VPC Security Features Solution Pack unless otherwise noted in the section of the relevant table.
3. Charges

The following terms apply in addition to those set forth in the Managed VPC Solution Pack.

3.1 Security Service Related Charges

Customer agrees to pay one-time Charges and recurring service Charges applicable to Security Services expressly as documented in approved Order(s).

3.2 Costs and Expenses

DXC Charges include the services expressly described by Section 1, Statement of Work of this Managed VPC Security Features Solution Pack. Customer remains responsible for all of its other costs and expenses related to receipt and use of the Security Services, including those related to Managed VPC Services.
Solution Pack Revision History

Offering: Managed Services Virtual Private Cloud Security Features Solution Pack

Version# Offering Release# Revision Date Section Reference(s) Description of Change
V1.0 R Dec
V1.1 R Dec-2016 All Conversion from Hewlett Packard Enterprise to Enterprise Services, LLC as contracting party.
V2.0 R Apr-2017 All (a) Conversion from Enterprise Services LLC to DXC Technology
V2.1 R Jun
V2.2 R Sep All (b) Applied updates from Cloud Terms Glossary (c) Removed Perimeter Network Intrusion Prevention System Protection as a Managed VPC Feature for all new business. To be replaced with an improved service option in a future release.
More informationSecurity and Compliance at Mavenlink
Security and Compliance at Mavenlink Table of Contents Introduction....3 Application Security....4....4....5 Infrastructure Security....8....8....8....9 Data Security.... 10....10....10 Infrastructure
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationEU Data Protection Agreement
EU Data Protection Agreement This Data Protection Agreement ("Agreement") is entered into by and between TechTarget, Inc., a Delaware corporation with a principle place of business at 275 Grove Street,
More informationCloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com
Cloud Computing Faculty of Information Systems Duc.NHM nhmduc.wordpress.com Evaluating Cloud Security: An Information Security Framework Chapter 6 Cloud Computing Duc.NHM 2 1 Evaluating Cloud Security
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationSERVICE DESCRIPTION MANAGED BACKUP & RECOVERY
Contents Service Overview.... 3 Key Features... 3 Implementation... 4 Validation... 4 Implementation Process.... 4 Internal Kick-Off... 4 Customer Kick-Off... 5 Provisioning & Testing.... 5 Billing....
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationService Description CloudCore
CloudCore TITLE: CloudCore DOCUMENT REF NO: QMS REC117 DESCRIPTION: Service description for the CloudCore service. OWNER / AUTHORITY: QMS / ISMS DOCUMENT CROSS REFERENCE: Director of Product and Service
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationSecurity Note. BlackBerry Corporate Infrastructure
Security Note BlackBerry Corporate Infrastructure Published: 2017-03-02 SWD-20170302091637541 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations... 8 Cyber Security
More informationIBM Managed Security Services - Vulnerability Scanning
Service Description IBM Managed Security Services - Vulnerability Scanning This Service Description describes the Service IBM provides to Client. 1.1 Service IBM Managed Security Services - Vulnerability
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationOUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE
CONTENTS 1 ABOUT THIS PART... 2 2 GENERAL... 2 3 CLOUD INFRASTRUCTURE (FORMERLY UTILITY HOSTING)... 2 4 TAILORED INFRASTRUCTURE (FORMERLY DEDICATED HOSTING)... 3 5 COMPUTE... 3 6 BACKUP & RECOVERY... 8
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationPCI Compliance Assessment Module with Inspector
Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationFormFire Application and IT Security
FormFire Application and IT Security White Paper Last Update: 2015-03- 04 Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 4 Infrastructure and Security Team...
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationPRIVATE MOBILE CONNECTION (formerly COMMERCIAL CONNECTIVITY SERVICE (CCS)) CUSTOM APN ATTACHMENT
PRIVATE MOBILE CONNECTION (formerly COMMERCIAL CONNECTIVITY SERVICE (CCS)) CUSTOM APN ATTACHMENT Last Revised: 2/1/2017 1. Private Mobile Connection - Custom APN. Pursuant to the terms and conditions of
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationAltius IT Policy Collection
Altius IT Policy Collection Complete set of cyber and network security policies Over 100 Policies, Plans, and Forms Fully customizable - fully customizable IT security policies in Microsoft Word No software
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationClearswift Managed Security Service for
Clearswift Managed Security Service for Email Service Description Revision 1.0 Copyright Published by Clearswift Ltd. 1995 2019 Clearswift Ltd. All rights reserved. The materials contained herein are the
More informationIntegrated Cloud Environment Security White Paper
Integrated Cloud Environment Security White Paper 2012-2016 Ricoh Americas Corporation R i c o h A m e r i c a s C o r p o r a t i o n R i c o h A m e r i c a s C o r p o r a t i o n It is the reader's
More informationSERVICE DESCRIPTION MANAGED FIREWALL/VPN
Contents Service Overview.... 3 Key Features... 3 Service Features... 3 Responsibilities... 5 Additional Services.... 5 Implementation... 6 Validation... 6 Implementation Process.... 6 Customer Kick-Off...
More informationLayer Security White Paper
Layer Security White Paper Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationCourse overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)
Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationNS2 Cloud Overview The Cloud Built for Federal Security and Export Controlled Environments. Hunter Downey, Cloud Solution Director
NS2 Cloud Overview The Cloud Built for Federal Security and Export Controlled Environments Hunter Downey, Cloud Solution Director Why Organizations are investing in the Cloud Pressure on IT and business
More informationSAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2
APPENDIX 2 SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION This document contains product information for the Safecom SecureWeb Custom service. If you require more detailed technical information,
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationApril Appendix 3. IA System Security. Sida 1 (8)
IA System Security Sida 1 (8) Table of Contents 1 Introduction... 3 2 Regulatory documents... 3 3 Organisation... 3 4 Personnel security... 3 5 Asset management... 4 6 Access control... 4 6.1 Within AFA
More informationOracle Managed Cloud Services for Software as a Service - Service Descriptions. February 2018
Oracle Managed Cloud Services for Software as a Service - Service Descriptions February 2018 Table of Contents Oracle Managed Cloud GxP Compliance for SaaS...3 Oracle Managed Cloud Helpdesk for SaaS...5
More informationSecurity White Paper. Midaxo Platform Krutarth Vasavada
Security White Paper Midaxo Platform 2017-12-20 Krutarth Vasavada +358 40 866 8825 security@midaxo.com www.midaxo.com Kumpulantie 3 Helsinki, 00520, Finland Executive Summary Midaxo is committed to maintaining
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each
More informationTable of Contents. Page 1 of 6 (Last updated 27 April 2017)
Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational
More informationVendor Security Questionnaire
Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information
More informationCYBER SECURITY POLICY REVISION: 12
1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred
More informationBT Assure Cloud Identity Annex to the General Service Schedule
1 Defined Terms The following definitions apply, in addition to those in the General Terms and Conditions and the General Service Schedule of the Agreement. Administrator means a Customer-authorised person
More informationHPE DATA PRIVACY AND SECURITY
ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection
More informationVersion v November 2015
Service Description HPE Quality Center Enterprise on Software-as-a-Service Version v2.0 26 November 2015 This Service Description describes the components and services included in HPE Quality Center Enterprise
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationService Description VMware Workspace ONE
VMware Workspace ONE Last Updated: 05 April 2018 The product described in this Service Description is protected by U.S. and international copyright and intellectual property laws. The product described
More informationCloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017
Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and
More informationHP Standard for Information Protection and Security for Suppliers/Partners
HP Standard 14-04 for Information Protection and Security for Suppliers/Partners Document Identifier HX-00014-04 Revision and Date D, 01-Oct 2017 Last Re-validation date Abstract This standard describes
More informationIBM Information Server on Cloud
Service Description IBM Information Server on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized users and recipients
More informationGoogle Cloud Platform: Customer Responsibility Matrix. December 2018
Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect
More information