CHAPTER 2 COMPLIANCE AND OPERATIONAL SECURITY
- Jocelin Kelly
2.1 EXPLAIN THE IMPORTANCE OF RISK RELATED CONCEPTS.

Control types (Technical, Management, Operational)
There are many ways to classify controls. Some prefer physical, technical, and administrative; others use Technical, Management, and Operational. Technical controls are safeguards implemented in hardware, software, or devices (firewalls, encryption, access control lists) and are sometimes called logical controls. Management controls, also called administrative controls, are the policies, standards, risk assessments, and accountability procedures that direct the security program. Operational controls are the day-to-day procedures carried out by people, such as backups, awareness training, physical access procedures, and incident handling.

False positives
An automated detection tool (vulnerability scanner, IDS, antivirus) may report a vulnerability or attack that is not real. This is a false positive. Too many of them waste analyst time and train staff to ignore alerts.

False negatives
A real vulnerability or attack that the tool fails to report is a false negative. It is the more dangerous error because it gives a false sense of security. Both are reduced by keeping signature and vulnerability databases current, tuning rules and thresholds for the environment, and validating important findings by hand, for example by confirming a reported missing patch on the host itself.

Importance of policies in reducing risk
Many types of policies exist to reduce risk. Examples include Privacy policy, Acceptable use policy, Security policy, Mandatory vacations, Job rotation, Separation of duties, and Least privilege. The last four are personnel controls that limit what one person can do unnoticed: mandatory vacations and job rotation expose fraud that depends on one person's uninterrupted control of a process, separation of duties requires more than one person to complete a sensitive transaction, and least privilege grants only the access a role needs.

Risk calculation
Risk calculation is the process of determining the level of security risk for an asset or network. Concepts used include likelihood assessment, impact, SLE, EF, ARO, ALE, MTTR, MTTF, and MTBF. Asset value (AV) is what the asset is worth to the organization. The Exposure factor (EF) is the fraction of the asset's value lost in one occurrence of the threat. Single Loss Expectancy (SLE = AV x EF) is the expected loss from one occurrence, and it is the foundation of the Annualized Loss Expectancy (ALE) and Cumulative Loss Expectancy (CLE) models. The Annualized rate of occurrence (ARO) is how many times per year the threat is expected to occur; a threat expected once every four years has an ARO of 0.25. Annualized Loss Expectancy (ALE = SLE x ARO) is the expected loss per year and is the figure compared against the yearly cost of a control. MTTF (mean time to failure) and MTBF (mean time between failures) describe how often a component fails; MTTR (mean time to repair) describes how long recovery takes.
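The SLE/ARO/ALE relationships above, carried through to the decision a risk calculation exists to support: whether a control is worth its annual cost. This is an added example for these notes, not code from the original page; the asset value, exposure factor, occurrence rates and control cost are constructed figures.

```python
"""Quantitative risk calculation (SLE, ARO, ALE) and control cost-benefit.

Added example for these notes; not part of the original page. All figures
below (asset values, exposure factors, rates, control costs) are constructed
for illustration and are not measurements from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the quantitative model."""
    asset_value: float      # AV: value of the asset to the organization
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a threat expected once every N years (once in 4 years -> 0.25)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - control cost.

    Positive: the control saves more than it costs (mitigate). Negative: in
    purely monetary terms the risk is cheaper to accept, or a cheaper control
    is needed. Non-monetary factors (regulation, safety) are not captured.
    """
    return before.ale() - after.ale() - annual_control_cost


def example_web_server() -> dict:
    """Constructed scenario: a customer-facing web server worth 250,000.

    A compromise is assumed to destroy 40% of its value (EF 0.4) and to be
    expected once every two years without extra controls. A WAF plus a
    patching service costing 20,000 per year is assumed to cut the expected
    frequency to once in ten years.
    """
    before = Risk(asset_value=250_000, exposure_factor=0.4,
                  aro=aro_from_interval(2))
    after = Risk(asset_value=250_000, exposure_factor=0.4,
                 aro=aro_from_interval(10))
    return {
        "sle": before.sle(),                 # 100,000 per incident
        "ale_before": before.ale(),          # 50,000 per year
        "ale_after": after.ale(),            # 10,000 per year
        "control_value": control_value(before, after, 20_000),  # 20,000
    }


if __name__ == "__main__":
    for name, value in example_web_server().items():
        print(f"{name:>14}: {value:,.0f}")
```

The control in the constructed scenario is worth buying because ALE drops by 40,000 against a 20,000 cost; had it cost 45,000 the calculation would point to acceptance or a cheaper control, which is exactly the comparison the ALE figure is for.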
Quantitative vs. qualitative
Qualitative assessment relies on professional judgment and rates risks on scales such as high/medium/low; quantitative assessment assigns monetary values and probabilities (AV, EF, ARO, ALE) and is based on actual numbers. Quantitative results are easier to compare with control costs but depend on data that is often hard to obtain, so most organizations combine the two.

Vulnerabilities
A vulnerability is a weakness in a system, process, or control that a threat can exploit. A threat is a potential event that could cause harm. Risk is the likelihood that a threat exploits a vulnerability, combined with the resulting impact. Countermeasures (controls) reduce risk by addressing vulnerabilities.

Threat vectors
A threat is an undesired and potential occurrence; a threat vector is the path or method the threat uses to reach the target, for example a phishing e-mail, an unpatched internet-facing service, a removable drive, or a compromised supplier account.

Probability / threat likelihood
A likelihood assessment estimates the frequency or chance of a threat occurring. It takes into account the presence, tenacity, and strength of threat sources and how exposed the vulnerability is. Simply put, it is the probability of occurrence.

Risk avoidance, transference, acceptance, mitigation, deterrence
When dealing with risks there are different strategies: risk avoidance, transference, acceptance, mitigation, and deterrence. Avoidance eliminates the activity or asset that creates the risk (for example, not offering the service). Transference shifts the financial impact to a third party (insurance, outsourcing under contract). Acceptance is a documented decision to tolerate the risk, usually because the cost of a control exceeds the ALE. Mitigation implements controls to reduce likelihood or impact (patching, firewalls, backups). Deterrence discourages attackers through visible controls and consequences (warning banners, cameras, a prosecution policy). Whatever risk remains after controls are applied is residual risk, which management must formally accept.

Risks associated with Cloud Computing and Virtualization
Cloud computing and virtualization are not without risks. In cloud computing the provider implements and operates much of the stack, so the customer must rely on the provider to secure the infrastructure, the connection, and the data, with the provider's obligations spelled out in the contract and SLA; the customer remains responsible for its own configuration, data classification, and access control. For virtualization, a compromise of the hosting platform (hypervisor or management console) puts every virtual machine on it at risk, and an attacker who escapes one VM can reach the others.

Recovery time objective and recovery point objective
Recovery Time Objective (RTO) is the maximum acceptable time between an unplanned interruption and restoration of the service, at least to an agreed minimum level. Recovery Point Objective (RPO) is the maximum acceptable amount of data loss, measured in time: how far back the last usable backup or replica may be. An RPO of four hours requires backups or replication at least every four hours.
2.2 SUMMARIZE THE SECURITY IMPLICATIONS OF INTEGRATING SYSTEMS AND DATA WITH THIRD PARTIES.

On boarding/off boarding business partners
In the context of identity management, onboarding means adding a new employee or business partner to the identity and access management system and granting the access the relationship requires. Offboarding is the reverse: removing accounts and access, recovering equipment and data, and revoking shared credentials or certificates as soon as the relationship ends. Orphaned partner accounts are a common finding in access reviews.

Social media networks and/or applications
Social media networks (Facebook, Twitter, etc.) become a serious security threat when employees are free to share information with strangers. Details about projects, systems, travel, or organizational structure feed social engineering. A policy must state what may and may not be shared, and staff must be trained on it.

Interoperability agreements (SLA, BPA, MOU, ISA)
There are different types of interoperability agreements, including SLA, BPA, MOU, and ISA. A service level agreement (SLA) formally defines the level of service (uptime, response times, security obligations) and is legally binding. A Memorandum of Understanding (MOU) records the intent of the parties and is not necessarily legally binding. A Business Partners Agreement (BPA) sets out the obligations, contributions, and decision rights of the partners in a business relationship; in procurement the same abbreviation is used for a blanket purchase agreement, a pre-arranged purchasing arrangement. An Interconnection Security Agreement (ISA) specifies the technical and security requirements for connecting two organizations' systems: what is connected, how the link is secured, who is responsible for what, and how incidents are reported.

Privacy considerations
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary for accomplishing the intended purpose. Protecting privacy is needed to protect the individuals concerned and to avoid legal liabilities. Before sharing data with a third party, confirm which privacy laws apply and that the agreement covers the partner's handling of the data.

Risk awareness
To ensure successful security training, the factors of Risk Awareness, Training, and Education must be considered. Security awareness must be promoted to top management as well, since management sets priorities and budget; this is done through information security education and training.

Unauthorized data sharing
Unauthorized data sharing is a serious security risk and must be prohibited. All staff members should be made aware of and agree to this policy, and agreements with partners should state what data may be shared and how.

Data ownership
Ownership of company data and critical information should be assigned to named individuals, with responsibilities fully defined and accepted. The data owner decides the classification and who may access the data; custodians (typically IT) implement the protections the owner requires.
Data backups
The frequency of data backups depends on the frequency of changes and the criticality of the data. Backup copies of critical data must always be maintained, and the restore procedure must be tested; an untested backup is not a control. Less critical end-user data may be backed up on a schedule agreed with the user, within the minimum the security policy sets.

Follow security policy and procedures
Security policy and procedures must be followed. A Baseline Security Policy is a top-level directive statement that sets the minimum standards of a security specification for all departments. Security Guidelines introduce general concepts and elaborate on the interpretation of the Baseline Policy.

Review agreement requirements to verify compliance and performance standards
Agreement requirements should be reviewed regularly to verify that the relevant compliance and performance standards are being met, for example by checking SLA reports, audit results, and security assessments against what was agreed. This is both a security concern and a legal concern.

2.3 GIVEN A SCENARIO, IMPLEMENT APPROPRIATE RISK MITIGATION STRATEGIES.

Change management
Change controls regulate changes to a system. The purpose of Change Management is to establish and maintain the integrity of the system change process: changes are requested, reviewed for security impact, approved, tested, scheduled, documented, and backed by a rollback plan, so that no change reaches production unrecorded or unreviewed.

Incident management
Incident management is the process of responding to and controlling an incident following the emergency response procedures.

User rights and permissions reviews
Access rights reviews are user rights and permissions reviews intended to reduce unwarranted data access by aligning user rights and permissions with the overall security policy. Typical findings are privilege creep (rights kept from a previous role), accounts of people who have left, and combinations of rights that violate separation of duties. Setting up a proper review workflow, with data owners confirming each grant on a schedule, makes this a repeatable process for effective permissions management.

Perform routine audits
The board and senior management should ensure that the security program is independently reviewed by internal or external auditors at least annually. Additionally, they should review and approve the associated audit report and track the remediation of its findings.
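The user rights and permissions review described above, as an added example for these notes (not code from the original page): grants exported from an identity system are compared against a role matrix, an offboarding list, and separation-of-duties rules. The role matrix, the toxic permission pairs, the offboarded-user list and the grant export are all constructed sample data standing in for the HR and IAM exports a real review would read.

```python
"""User rights and permissions review against a role model.

Added example for these notes; not code from the original page. The role
matrix, separation-of-duties rules, offboarded-user list and the IAM grant
export are constructed sample data; a real review would read them from the
HR system and the identity provider's export.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Grant = Tuple[str, str, str]  # (user, assigned role, granted permission)

# Constructed role matrix: the permissions each role legitimately needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance":   {"ledger:read", "ledger:post"},
    "approver":  {"ledger:read", "ledger:approve"},
    "support":   {"ticket:read", "ticket:write", "customer:read"},
}

# Constructed separation-of-duties rules: permission pairs no single person
# may hold, because together they let one person complete a sensitive
# transaction alone (here: post a payment and approve it).
TOXIC_PAIRS: List[Tuple[str, str]] = [("ledger:post", "ledger:approve")]

# Constructed IAM export.
GRANTS: List[Grant] = [
    ("alice", "developer",  "repo:read"),
    ("alice", "developer",  "repo:write"),
    ("alice", "developer",  "ci:run"),
    ("alice", "developer",  "prod:admin"),      # exceeds role
    ("bob",   "finance",    "ledger:read"),
    ("bob",   "finance",    "ledger:post"),
    ("bob",   "approver",   "ledger:approve"),  # SoD conflict with ledger:post
    ("carol", "support",    "ticket:read"),
    ("carol", "contractor", "ticket:write"),    # role not in the matrix
    ("dave",  "developer",  "repo:read"),       # dave has left the company
]

DEPARTED: Set[str] = {"dave"}  # constructed HR offboarding list


def review(grants: Iterable[Grant],
           role_permissions: Dict[str, Set[str]],
           toxic_pairs: Iterable[Tuple[str, str]],
           departed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (user, permission, reason) findings; an empty list means clean."""
    findings: List[Tuple[str, str, str]] = []
    held: Dict[str, Set[str]] = defaultdict(set)

    for user, role, perm in grants:
        held[user].add(perm)
        if user in departed:
            findings.append((user, perm, "account not offboarded"))
        elif role not in role_permissions:
            findings.append((user, perm, f"unknown role '{role}'"))
        elif perm not in role_permissions[role]:
            findings.append((user, perm, f"exceeds role '{role}'"))

    # Separation of duties is a property of everything a user holds, so it is
    # checked after all grants are aggregated, not per grant.
    for user, perms in sorted(held.items()):
        for a, b in toxic_pairs:
            if a in perms and b in perms:
                findings.append((user, f"{a}+{b}", "separation-of-duties conflict"))
    return findings


if __name__ == "__main__":
    for user, perm, reason in review(GRANTS, ROLE_PERMISSIONS, TOXIC_PAIRS, DEPARTED):
        print(f"{user:6} {perm:28} {reason}")
```

Each finding goes to the data owner of the affected resource for a keep/revoke decision; the review is only complete when every finding has a recorded decision, which is what makes the process repeatable and auditable.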
Enforce policies and procedures to prevent data loss or theft
An enforcement mechanism for the various policies and procedures is needed to prevent data loss or theft in a practical way. Policies must be enforced, both technically and through sanctions, or they are meaningless.

Enforce technology controls: Data Loss Prevention (DLP)
Data loss prevention (DLP) attempts to detect and prevent potential data breaches by monitoring sensitive data in use (on endpoints), in motion (network traffic, e-mail, web uploads), and at rest (in storage), and by blocking or alerting when policy is violated. DLP identifies sensitive content through patterns, keywords, fingerprints of known documents, and data labels, so its accuracy is subject to the same false positive and false negative trade-offs as any detection tool. Other terms for it include Information Leak Detection and Prevention (ILDP) and Information Leak Prevention (ILP).

2.4 GIVEN A SCENARIO, IMPLEMENT BASIC FORENSIC PROCEDURES.

Order of volatility
When collecting data for a forensic investigation, follow the order of volatility, because some data is lost faster than other data. For computer systems, collect in this order: CPU registers and cache, RAM contents, swap space, network state and running processes, the file system, and finally raw data blocks and remote logs or archival media. Anything that disappears on power-off or reboot is captured before anything that does not.

Capture system image
Capture an image of the running system's memory first, then a forensic image of the storage (a bit-for-bit copy taken through a write blocker), and hash both at acquisition. Work on copies of the images, never the originals, and perform memory analysis on the captured image to examine the state of the system at the time of capture.

Network traffic and logs
Network traffic logs are used to check for suspicious traffic. There are many free tools for this purpose. Traffic data logged by devices (firewalls, IDS, proxies, etc.) is very useful for tracing back to the source of the attack and for establishing a timeline, so log retention and synchronized clocks (NTP) on the logging devices must be in place before an incident happens.

Capture video and Record time offset
Video capture records what is happening, either on screen (a screen recording of a live system whose state cannot otherwise be preserved) or at the physical scene (the room, cabling, and devices as found), as evidence. Record time offset means documenting the difference between each system's clock and a trusted time source, including its time zone, at the moment of capture; without it, timestamps from different systems cannot be correlated and the timeline is unreliable.
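The DLP passage above says detection depends on patterns and on the false positive / false negative trade-off. The following added example (written for these notes, not code from the original page or from any DLP product) shows the kind of content rule a DLP engine applies: a regex finds candidate card numbers and US SSNs, and a Luhn check and SSN structure rules discard the candidates that would otherwise be false positives. The sample text is constructed; the card number is the well-known test PAN 4111 1111 1111 1111 and the SSN is not a real one.

```python
"""Content-inspection rules of the kind a DLP tool applies to data in use,
in motion or at rest: detect payment card numbers and US SSNs in text.

Added example for these notes; not code from the original page or from any
DLP product. The sample text is constructed; the card number is the
well-known test PAN 4111 1111 1111 1111 and the SSN is not a real one.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs: area 000, 666 and 900-999 are never issued,
    and no group or serial is all zeros."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (data type, masked value) for each confirmed hit.

    Candidates that fail the Luhn check or the SSN structure rules are
    dropped: they are the false positives a regex-only rule would raise.
    Only the last four digits survive in the result so the scanner's own
    output does not become a second copy of the sensitive data.
    """
    hits: List[Tuple[str, str]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_CANDIDATE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    return hits


# Constructed sample: one real-format card number, two digit runs of card
# length that are not card numbers, one valid-looking SSN and one impossible SSN.
SAMPLE = (
    "Customer paid with card 4111 1111 1111 1111, exp 12/26.\n"
    "Order 1234567890123 shipped. Tracking 1234 5678 9012 3456.\n"
    "SSN on file: 219-09-9999. Placeholder: 000-12-3456.\n"
)

if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(kind, masked)
```

On the sample, the order number and tracking number are card-length digit runs that fail the Luhn check and the placeholder SSN has an impossible area number, so only the real test PAN and the plausible SSN are reported. Validation rules like these cut false positives; the false negatives (for example a PAN split across two lines, or inside an encrypted archive) remain, which is why DLP is layered with labels and document fingerprints rather than relied on alone.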
Take hashes
Hashing reduces a large input to a small, fixed-size value. Any change to the input produces a different hash, so a hash taken at acquisition and re-computed later proves that the evidence has not been altered. Forensic tools commonly use MD5 and SHA-1, which remain adequate for matching against known-file databases, but both have practical collision attacks, so record SHA-256 as well when establishing integrity. Hashes are also used to identify and remove known junk data, de-duplicate files, and match files against known-bad or known-good lists.

Screenshots
Screenshots are captures from a desktop of the activity occurring at the time of the capture. Screenshots can be valuable evidence in a forensic case; record when they were taken and by whom.

Witnesses
Human witnesses may be asked to testify in court. Their statements should be taken and recorded as soon as possible after the incident, and a key witness statement is typically needed in order to bring charges against the suspect.

Track man hours and expense
During the investigation, the man-hours and expenses should be tracked to determine the costs involved; these figures feed the incident report, insurance claims, and any damages sought.

Chain of custody
Chain of Custody is the documented record of the movement and location of evidence from the time it is acquired until it is presented in court: who handled it, when, where it was stored, and why it was transferred. Every transfer is recorded and signed, and the hash taken at acquisition is re-verified at each step; a gap in the record or a hash mismatch can make the evidence inadmissible.

Big Data analysis
Big data analysis involves examining an extremely large amount of different types of data (referred to as big data) so as to discover hidden patterns and unknown correlations, for example finding the few malicious connections in months of flow logs.

2.5 SUMMARIZE COMMON INCIDENT RESPONSE PROCEDURES.

Preparation
For proper Incident Response preparation, the steps to be taken during an incident must be planned in advance and cover both general and specific courses of action for the organization: who is on the team, how they are contacted, what tools and access they need, and which procedures apply to which incident types.
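Taking hashes and keeping a chain of custody, as described above, combined in one added example for these notes (not code from the original page): each custody transfer is logged with the handler, action, location, UTC time and the SHA-256 of the item, and verification re-hashes the item against the acquisition entry. The evidence file, handler names and locations are constructed in a temporary directory.

```python
"""Evidence hashing and a chain-of-custody log.

Added example for these notes; not code from the original page. The evidence
file and handler names are constructed in a temporary directory. Hashes are
SHA-256: MD5 and SHA-1 are still common in forensic tooling for matching
known files, but both have practical collision attacks, so a new log should
record at least SHA-256.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def record_custody(log: List[Dict[str, str]], evidence: Path,
                   handler: str, action: str, location: str) -> Dict[str, str]:
    """Append one custody entry: who did what with the item, where and when,
    together with the item's hash at that moment."""
    entry = {
        "item": evidence.name,
        "sha256": sha256_file(evidence),
        "handler": handler,
        "action": action,
        "location": location,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    log.append(entry)
    return entry


def verify_integrity(log: List[Dict[str, str]], evidence: Path) -> bool:
    """True when the file still hashes to the value recorded at acquisition.

    The first entry for an item is the acquisition hash; every later
    transfer must reproduce it, otherwise the evidence was altered somewhere
    in the chain and its admissibility is in question.
    """
    first = next((e for e in log if e["item"] == evidence.name), None)
    return first is not None and sha256_file(evidence) == first["sha256"]


def demo() -> Tuple[bool, bool, List[Dict[str, str]]]:
    """Acquire a constructed disk image, transfer it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "laptop-sda.dd"
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image content")
        log: List[Dict[str, str]] = []
        record_custody(log, image, "analyst A", "acquired", "site, room 12")
        record_custody(log, image, "analyst B", "received", "lab locker 3")
        intact = verify_integrity(log, image)
        # Simulate a one-byte modification to the evidence after acquisition.
        with image.open("r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        after_tamper = verify_integrity(log, image)
        return intact, after_tamper, log


if __name__ == "__main__":
    ok, tampered_ok, custody_log = demo()
    print("intact after transfer:", ok)
    print("intact after tampering:", tampered_ok)
    print(json.dumps(custody_log, indent=2))
```

In practice the log itself is kept separately from the evidence (printed and signed, or in a write-once store), since a custody record an attacker can edit alongside the evidence proves nothing.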
Incident identification
The person who discovers the incident must notify the IR team. The likely sources of discovery (help desk, system administrators, monitoring systems, users, external parties) should be identified in advance and equipped with the proper contact procedure and contact list.

Escalation and notification
Procedures for escalation and notification should be planned. Generally, when an incident involves Personal Information or Protected Information, it should be escalated to the attention of someone higher up in the management structure, such as the Chief Information Security Officer, who owns the incident response report and involves legal and privacy staff, because regulatory or contractual notification deadlines may apply.

Mitigation steps
Procedures to mitigate should be planned based upon the incident assessment. Possible types of procedures covering the mitigation steps include Worm response procedure, Virus response procedure, System failure procedure, Active intrusion response procedure, Inactive intrusion response procedure, System abuse procedure, Property theft response procedure, Denial of service response procedure, Spyware response procedure, etc.

Lessons learned
After the incident, the team should come together to review and discuss the lessons learned so that the incident response plan can be augmented through creation of additional procedures as needed.

Reporting
After an incident is adequately and properly handled, a report should be issued detailing the root cause and total cost of the incident. This report should also cover the steps that should be taken to prevent future incidents.

Recovery/reconstitution procedures
At the Recovery stage there are recovery/reconstitution procedures to be performed. They are carried out when active incident response is no longer needed to resolve the case. The activities may include evidence collection, analysis and investigation, forensics, remediation, and full recovery. Common resolutions for correcting a system vulnerability involve upgrading and patching; alternatives include physical, network, host, and access restrictions. Restored systems should be rebuilt from known-good media and monitored closely after their return to service.

First responder
The staff member who discovered the incident should refer to the contact list for the management personnel and incident response members to be contacted. Those designated on the list should be notified. The first responder should secure the scene and should not power off or "clean up" the system before the IR team decides how evidence is to be collected.
Incident isolation (Quarantine, Device removal)
Incident isolation means containment: compromised or affected systems are separated from the rest of the environment until the incident is resolved and the exploited vulnerabilities are fixed. Activities may include Quarantine (moving the host to an isolated network segment or blocking its traffic while keeping it running for evidence collection) and Device removal (physically disconnecting or removing the device).

Data breach
When there is a data breach, the way to handle it depends on the type of data involved and should be based on a proper data classification scheme, since the classification determines who must be notified and how quickly.

Damage and loss control
In terms of damage and loss control, the goal is to limit damage and reduce recovery time. This is reactive rather than proactive; best practice is to proactively avoid damage whenever possible.

2.6 EXPLAIN THE IMPORTANCE OF SECURITY RELATED AWARENESS AND TRAINING.

Security policy training and procedures
Security awareness is built by providing security policy training and procedures, possibly via computer-based training or by supplying specialized security awareness education material. Staff should be provided with guidance to help them understand the material and to know whom to ask.

Role based training
Some suggest that the best possible security training strategy is role-based, which centers the training on the context of the role and what it takes to perform the role securely: developers learn secure coding, administrators learn hardening and logging, executives learn about the targeted attacks aimed at them.

Personally identifiable information
Personally identifiable information (PII) is a term found in US privacy law. It refers to information that can be used to identify, contact, or locate an individual, either on its own or in combination with other information (name, address, Social Security number, date of birth, biometric records).
Information classification (High, Medium, Low, Confidential, Private, Public)
Proper security measures should be implemented based on the classification of information. It is common to classify information as High, Medium, or Low, or as Confidential, Private, or Public. Each class defines the level of protection needed based on the sensitivity of the data and the impact of its exposure. Normally, exposure of public information produces very little risk, while exposure of confidential information (trade secrets, customer PII) is a reportable incident.

Data labeling, handling and disposal
A proper Data Management Program that performs data labeling, handling, and disposal is key to economy and efficiency in the creation, labeling, use, maintenance, and disposition of data. The goal is to ensure data is retained as long as needed and that unneeded data is not created or retained beyond its usefulness, because data that no longer exists cannot be breached. A data disposition schedule specifies how long each class of data is retained and how it is destroyed (secure wiping, degaussing, shredding) when the period ends.

Compliance with laws, best practices and standards
Whatever security policies are implemented, they should always ensure compliance with the relevant laws, best practices, and standards.

User habits (Password behaviors, Data handling, Clean desk policies, Prevent tailgating, Personally owned devices)
User habits play an important role in security. Password behaviors, Data handling, Clean desk policies, Prevent tailgating, and Personally owned devices must all be addressed. Tailgating is the act of an unauthorized individual following an authorized person into a restricted area without consent. Physical security measures (mantraps, a one-badge-per-entry policy, guards) can stop this. Good password behavior is always related to training, awareness, monitoring, and motivation.

New threats and new security trends/alerts (New viruses, Phishing attacks, Zero day exploits)
New viruses, Phishing attacks, Zero day exploits, etc., are new threats that come alongside new security trends and alerts, so awareness material must be updated as they appear. Phishing is a fraudulent message that appears to come from a legitimate business and asks the recipient to "verify" credentials or other information. A zero day exploit attacks a previously unknown vulnerability for which the developer has not yet had time to release a fix, so signature-based defenses do not catch it.
Use of social networking and P2P
The use of social networking and P2P platforms has given rise to risks, particularly social engineering attacks, which manipulate people into performing actions or divulging confidential information. P2P clients also expose shared folders and bring in unvetted files. Training must address this.

Follow up and gather training metrics to validate compliance and security posture
For a training effort to succeed, one must follow up by gathering training metrics (completion rates, quiz scores, phishing simulation click rates, incident counts) to validate the resulting compliance and security posture. The training must be evaluated and reviewed so that improvements in compliance and security posture can be demonstrated.

2.7 COMPARE AND CONTRAST PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS.

Environmental controls
Environmental controls ensure equipment is protected from environmental threats such as fire, heat, humidity, power problems, and electromagnetic interference, as well as natural disasters. They include HVAC, Fire suppression, EMI shielding, Hot and cold aisles, Environmental monitoring, and Temperature and humidity controls.

Physical security
Effective physical security measures protect against unauthorized access, damage, or interference. The requirements and placement of each physical security measure should be determined by the value of the information assets being protected. Possible measures include Hardware locks, Mantraps, Video surveillance, Fencing, Proximity readers, Access lists, Proper lighting, Signs, Guards, Barricades, Biometrics, Protected distribution of cabling, Alarms, and Motion detection.

Control types
As previously mentioned, there are many types of control, such as Deterrent, Preventive, Detective, Compensating, Technical, and Administrative. From an IS point of view, controls are generally classified as physical, technical, or administrative in nature. By function they are further classified as preventive (stop the event, such as a locked door), detective (notice it, such as CCTV or an alarm), deterrent (discourage it, such as signs and lighting), or compensating (an alternative applied when the primary control cannot be).
2.8 SUMMARIZE RISK MANAGEMENT BEST PRACTICES.

Business continuity concepts
In the context of business continuity there are many terms, including Business impact analysis, Identification of critical systems and components, Removing single points of failure, Business continuity planning and testing, Risk assessment, Continuity of operations, Disaster recovery, IT contingency planning, Succession planning, High availability, Redundancy, and Tabletop exercises. Business Continuity comprises all plans and procedures that ensure the continuity of business operations at the company's site and its satellite locations in the event of an incident leading to closure of facilities. A business continuity plan should permit an organization to resume operations as soon as possible given the scope and severity of the disruption, and it must be tested (tabletop exercises at minimum) or it cannot be relied on.

Fault tolerance
Hardware-based solutions such as RAID, Clustering, and Load balancing are all measures for fault tolerance, which is used to maximize uptime and resource availability. RAID uses multiple drives so that the array survives a drive failure (RAID 1, 5, 6, and 10 do; RAID 0 only stripes for speed and tolerates no failure). Clustering uses multiple servers so that another node takes over when one fails. Load balancing shares the workload across servers and routes around a failed one. Fault tolerance keeps a service running through a component failure; it is not a substitute for backups, because it faithfully replicates deletions and corruption.

Disaster recovery concepts
In the field of disaster recovery there are many concepts, including Backup plans/policies, Backup execution/frequency, Cold site, Hot site, and Warm site. Backups may be made locally or remotely; at least one copy should be off-site. Backup copies of the OS, the application software, and all critical data must be made regularly, and restores must be tested. The frequency depends on the rate of change and the criticality of the information; applications with high transaction volumes need more frequent backups. A cold site is a spare location with space, power, and connectivity but no hardware or software installed; it is the cheapest and the slowest to bring up (days to weeks). A hot site is a fully equipped duplicate of the original site with current data, ready within minutes to hours; it is the most expensive. A warm site is the in-between solution: equipment is in place but data must be restored, so recovery takes hours to days.

2.9 GIVEN A SCENARIO, SELECT THE APPROPRIATE CONTROL TO MEET THE GOALS OF SECURITY.

The CIA triad stands for Confidentiality, Integrity, and Availability, the key properties that security controls are selected to guarantee.

Confidentiality (Encryption, Access controls, Steganography)
Confidentiality means information is disclosed only to those authorized to see it. The valid measures are Encryption (data is unreadable without the key), Access controls (only authorized identities can reach it), and Steganography (the existence of the data is hidden inside another file).

Integrity (Hashing, Digital signatures, Certificates, Non repudiation)
Integrity means information is not altered without authorization. The appropriate measures are Hashing (detects any change), Digital signatures (bind a hash to the signer's private key so both alteration and origin can be checked), Certificates (tie signing keys to verified identities), and Non-repudiation (which follows from signatures: the signer cannot later deny the action).

Availability (Redundancy, Fault tolerance, Patching)
Availability means authorized users can reach the information and systems when needed. The appropriate measures include Redundancy, Fault tolerance, and Patching, which removes the flaws that cause crashes or allow denial of service.

Safety (Fencing, Lighting, Locks, CCTV, Escape plans, Drills, Escape routes, Testing controls)
The CIA triad does not have a Safety element; safety covers the protection of people and premises. Its measures are primarily physical, such as Fencing, Lighting, Locks, and CCTV. Escape plans, Drills, Escape routes, and Testing of controls are important items that a safety plan must cover, and life safety takes precedence over asset protection.
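The fault tolerance passage under 2.8 and the Availability measures under 2.9 both rest on one piece of arithmetic: how MTBF and MTTR give a component's availability, and how series and parallel (redundant) arrangements change it. The following added example for these notes (not code from the original page) carries that through; the MTBF and MTTR figures are constructed for illustration.

```python
"""Availability arithmetic for fault-tolerant designs: MTBF, MTTR,
series and parallel (redundant) components.

Added example for these notes; not code from the original page. The MTBF and
MTTR figures are constructed for illustration.
"""
from math import prod
from typing import Iterable

HOURS_PER_YEAR = 365 * 24


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability A = MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(components: Iterable[float]) -> float:
    """All components are needed (web tier AND database): A = product of A_i.

    A chain is only as available as its weakest link, and every added
    single point of failure lowers the total."""
    return prod(components)


def parallel(components: Iterable[float]) -> float:
    """Any one component suffices (mirrored disks, cluster nodes,
    load-balanced servers): A = 1 - product of (1 - A_i)."""
    return 1.0 - prod(1.0 - a for a in components)


def downtime_per_year_minutes(avail: float) -> float:
    """Expected unplanned downtime per year implied by an availability figure."""
    return (1.0 - avail) * HOURS_PER_YEAR * 60


def example() -> dict:
    """Constructed figures: a server with MTBF 8,760 h (one year) and a 24 h
    MTTR (time to source a replacement and restore from backup)."""
    single = availability(8760, 24)
    mirrored = parallel([single, single])               # two identical cluster nodes
    database = availability(8760, 4)                    # 4 h MTTR, but a single node
    stack = series([mirrored, database])                # cluster AND database
    return {
        "single": single,
        "mirrored_pair": mirrored,
        "database": database,
        "stack": stack,
        "single_downtime_min": downtime_per_year_minutes(single),
        "mirrored_downtime_min": downtime_per_year_minutes(mirrored),
    }


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name:>22}: {value:.6f}")
```

With the constructed figures one node is about 99.73% available (roughly 24 hours of downtime a year); mirroring two of them in a cluster pushes the pair past 99.999%, a few minutes a year. Putting the cluster in series with a single database node pulls the whole stack back down to the database's level, which is the arithmetic behind "remove single points of failure": redundancy only helps where it is applied, and the un-redundant component sets the ceiling.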
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationU.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationAfter the Attack. Business Continuity. Planning and Testing Steps. Disaster Recovery. Business Impact Analysis (BIA) Succession Planning
After the Attack Business Continuity Week 6 Part 2 Staying in Business Disaster Recovery Planning and Testing Steps Business continuity is a organization s ability to maintain operations after a disruptive
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationCredit Card Data Compromise: Incident Response Plan
Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,
More informationWatson Developer Cloud Security Overview
Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for
More informationHow Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.
How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. Word Count: 2,268 Physician practices have lived with the reality of HIPAA for over twenty years. In that time, it has likely
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationCyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)
Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Contingency Planning Jan 22, 2008 Introduction Planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationHIPAA RISK ADVISOR SAMPLE REPORT
HIPAA RISK ADVISOR SAMPLE REPORT HIPAA Security Analysis Report The most tangible part of any annual security risk assessment is the final report of findings and recommendations. It s important to have
More informationBaseline Information Security and Privacy Requirements for Suppliers
Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.
More informationGetting Started with Cybersecurity
2 Incidents per week: Since 2016, U.S. K-12 school districts have experienced more than two cyber incidents per week on average. Fastest growing cyber incidents in K12 schools Most common cyber incidents
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationImplementing an Audit Program for HIPAA Compliance
Implementing an Audit Program for HIPAA Compliance Mike Lynch Fifth National HIPAA Summit November 1, 2002 Seven Guiding Principles of HIPAA Rules Quality and Availability of Care Nothing in the proposed
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationPOLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents
POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...
More informationManagement Information Systems. B15. Managing Information Resources and IT Security
Management Information Systems Management Information Systems B15. Managing Information Resources and IT Security Code: 166137-01+02 Course: Management Information Systems Period: Spring 2013 Professor:
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationSecurity of Information Technology Resources IT-12
Security of Information Technology Resources About This Policy Effective Dates: 11-28-2007 Last Updated: 10-23-2017 Responsible University Administrator: Office of the Vice President for Information Technology
More informationThe City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.
Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV
More informationComptia.Certkey.SY0-401.v by.SANFORD.362q. Exam Code: SY Exam Name: CompTIA Security+ Certification Exam
Comptia.Certkey.SY0-401.v2014-09-23.by.SANFORD.362q Number: SY0-401 Passing Score: 800 Time Limit: 120 min File Version: 18.5 Exam Code: SY0-401 Exam Name: CompTIA Security+ Certification Exam Exam A QUESTION
More informationComputer Security Incident Response Plan. Date of Approval: 23-FEB-2014
Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents
More informationAUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE
AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated
More informationIntroduction to Business continuity Planning
Week - 06 Introduction to Business continuity Planning 1 Introduction The purpose of this lecture is to give an overview of what is Business Continuity Planning and provide some guidance and resources
More informationCompTIA Security+ (Exam SY0-401)
CompTIA Security+ (Exam SY0-401) Course Overview This course will prepare students to pass the current CompTIA Security+ SY0-401 certification exam. After taking this course, students will understand the
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo
ISC2 Exam Questions CISSP Certified Information Systems Security Professional (CISSP) Version:Demo 1. How can a forensic specialist exclude from examination a large percentage of operating system files
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationIsaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.
Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This
More informationSelect Agents and Toxins Security Plan Template
Select Agents and Toxins Security Plan Template 7 CFR Part 331.11, 9 CFR Part 121.11, 42 CFR Part 73.11 Prepared by U.S. Department of Health and Human Services (HHS) Centers for Disease Control and Prevention
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationHIPAA FOR BROKERS. revised 10/17
HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.
More informationIntegrated Cloud Environment Security White Paper
Integrated Cloud Environment Security White Paper 2012-2016 Ricoh Americas Corporation R i c o h A m e r i c a s C o r p o r a t i o n R i c o h A m e r i c a s C o r p o r a t i o n It is the reader's
More informationSERVICE DESCRIPTION MANAGED BACKUP & RECOVERY
Contents Service Overview.... 3 Key Features... 3 Implementation... 4 Validation... 4 Implementation Process.... 4 Internal Kick-Off... 4 Customer Kick-Off... 5 Provisioning & Testing.... 5 Billing....
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More information