ECKLER FS TECHNOLOGY APPLICATIONS SECURITY CONTROLS. General Security Controls for Products & Services (Updated )
TABLE OF CONTENTS

1. EXECUTIVE SUMMARY
2. FS TECHNOLOGY APPLICATIONS
   2.1. espace
   2.2. ingenius
   2.3. foreward
   2.4. renaissance
3. SECURITY CONTROLS
   3.1. Inventory of Authorized and Unauthorized Devices
   3.2. Inventory of Authorized and Unauthorized Software
   3.3. Secure Configurations for Hardware and Software on Servers and Virtual Machines
   3.4. Continuous Vulnerability Assessment and Remediation
   3.5. Malware Defences
   3.6. Application Software Security
   3.7. Wireless Device Control
   3.8. Data Recovery Capability
   3.9. Security Skills Assessment and Appropriate Training to Fill Gaps
   3.10. Secure Configurations for Network Devices (Firewalls, Routers, and Switches)
   3.11. Limitation and Control of Network Ports, Protocols, and Services
   3.12. Controlled Use of Administrative Privileges
   3.13. Boundary Defence
   3.14. Maintenance, Monitoring, and Analysis of Security Audit Logs
   3.15. Controlled Access Based on the Need to Know
   3.16. Account Monitoring and Control
   3.17. Data Loss Prevention
   3.18. Incident Response Capability
   3.19. Secure Network Engineering
   3.20. Penetration Testing
4. QUESTIONS
1. EXECUTIVE SUMMARY

Eckler Ltd. utilizes a variety of advanced technologies and best practices to ensure our clients' data is safe. Our security best practices are always a work in progress and continuously evolve to counter new threats and vulnerabilities.

This report identifies the security controls currently employed by Eckler Ltd.'s Financial Services Group for their internally developed and hosted applications. The environment outlined by this report is the production environment for the applications, which are hosted in two datacenters at Eckler Ltd. The production environment is isolated from the rest of Eckler Ltd. and has separate internet connections with separate network infrastructure and hardware.

2. FS TECHNOLOGY APPLICATIONS

The FS Technology Applications currently offered by Eckler, and to which the present security controls apply, are limited in number and fully documented.

2.1. espace

espace is a "Collaborative Data and Content Management Platform" delivered as a web-based application. It is a fully integrated business toolbox: a cross-platform, multi-purpose, web-based application. It equally serves as a very flexible Content Management System (CMS), a file management system with sftp, a Client Relationship Management (CRM) system (Panorama), and a secure communication system / private server (Conversation). espace is very user-friendly and surprisingly powerful. It can replace other cloud services which are limited in their application and security, or cumbersome to install and maintain. Transferring files and communicating securely has never been so easy as with espace.

2.2. ingenius

ingenius is an innovative, state-of-the-art life insurance and annuity illustration portal. ingenius is a modern platform, web-based by design, which utilizes the latest and most efficient suite of software, resulting in a very pleasant user experience that achieves business objectives. ingenius includes an underwriting workflow together with a powerful document management system, utilizing its sister web-based tool, espace, to take full advantage of its Cloud capabilities.

2.3. foreward

foreward is a web-based application offered as a service platform that allows an insurance carrier to distribute instant-issue insurance products through multiple vendors. The platform is developed with the latest web technologies available to provide a user-friendly experience to the customers purchasing the insurance, as well as to the vendors and the carrier. The platform supports custom branding for the insurance carrier and / or vendors, so the customer is always dealing with a familiar experience. The insurance products can be quoted on a stand-alone basis for simple products such as Term, or can be directly linked to our robust insurance illustration system, ingenius, for products like Universal Life, Whole Life with cash value, and other more complex products.

Page 1 [ FS Technology Applications Security Controls]
2.4. renaissance

Eckler is creating a reinsurance pool, called renaissance, which provides automatic on-call capacity for international offshore insurance carriers offering life insurance products with face amounts of USD$2 million to over USD$100 million. The reinsurance rates are fully guaranteed for renaissance and, subject to underwriting approval, the risk must be accepted by each participating Reinsurer. The Reinsurers' administrative burden is reduced because (a) a trust vehicle (renaissance in Trust) handles the funds transfer, and (b) renaissance serves as a third-party administrator for the reinsurance pool. All of these services are performed through our web-based application.
3. SECURITY CONTROLS

As part of Eckler Ltd.'s IT security strategy, we have identified 20 key IT Security Controls to further enhance our security posture. The 20 key security controls were originally developed by the US National Security Agency (NSA) in 2008 and are widely used by the US and other government agencies, financial institutions and corporations as a centrepiece for effective IT security programs. By adopting these controls into the daily IT operations at Eckler we are establishing a clearly defined roadmap and an agreed-upon process for ensuring the safe handling and processing of data.

The controls at a glance:
3.1. Inventory of Authorized and Unauthorized Devices

Reduce the ability of attackers to find and exploit unauthorized systems.

Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the production network.

The Nessus Vulnerability Scanner is used to actively scan our networks and discover all machines on the network. The scans are done bi-weekly and reviewed to make sure there are no vulnerabilities due to the configuration of machines, and to detect any machines that are not part of the authorized list of systems. The list of authorized systems is documented in the production environment documentation stored in the configuration project on gitlab. Changes to the document must be approved by the Head of Eckler Ltd.'s Financial Services Group's Technology Services (FS Head of Technology), currently Sylvain Goulet.

3.2. Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks.

Maintain a list of authorized software for each system; utilize tools to track installed software and monitor for unauthorized or unnecessary software.

We use an internally developed software-audit utility to produce a list of unauthorized software for a system. The utility has a list of approved software for each machine and is run quarterly. Any change to the list of approved software is committed to the utility's project on gitlab to track who made the change. Changes to the list of software for a system must be approved by the FS Head of Technology.

3.3. Secure Configurations for Hardware and Software on Servers and Virtual Machines

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers.

Attackers exploit weak default configurations of systems that are geared more to ease of use than to security. Strict configuration management should be followed to prevent attacks by malware looking for systems that were configured with vulnerable software installed. A systematic approach must be followed to ensure all newly deployed systems are installed with pre-approved software and all patches applied. Additionally, all newly deployed systems must be hardened, and this hardening must include the removal of unnecessary accounts.

Documentation outlines the deployment process for a Windows Hypervisor, a Windows Virtual Machine, or a Linux Virtual Machine. Upon deploying a new machine, a vulnerability scan must be performed and the list of software for that machine must be approved and added to the software-audit utility project. The IP addresses used by the machine and its purpose must also be documented in our Production Environment document. Solutions like Active Directory Group Policies are used to maintain strict configuration of machines in the Production Environment. Regular vulnerability scanning also identifies any vulnerabilities in the configuration of the machines.
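The two reconciliation checks described in 3.1 and 3.2 (discovered hosts against the documented system list, and installed software against each machine's approved list; 3.7 reuses the first of them for wireless devices) can be implemented as in the following added example, which is not Eckler's internal utility. It assumes a scanner CSV export with ip, mac and hostname columns, an authorized list recording ip and purpose, and per-host software sets; all sample data is constructed.

```python
"""Reconcile scan-discovered hosts and installed software against the
documented inventory (added example, not Eckler's own utility).

Assumptions not taken from the page: the scanner export is a CSV with
"ip", "mac" and "hostname" columns; the authorized list records "ip" and
"purpose"; approved software is a per-host set of package names.
"""
import csv
import io
import ipaddress

# Constructed sample scanner export: one undocumented host (10.10.1.99),
# one host outside the production range, and one malformed row.
SCAN_CSV = """ip,mac,hostname
10.10.1.10,00:11:22:33:44:10,web01
10.10.1.11,00:11:22:33:44:11,web02
10.10.1.20,00:11:22:33:44:20,db01
10.10.1.99,aa:bb:cc:dd:ee:99,
192.168.50.5,aa:bb:cc:dd:ee:05,laptop
not-an-ip,,garbage
"""

# Constructed sample of the documented, approved systems.
AUTHORIZED = [
    {"ip": "10.10.1.10", "purpose": "reverse proxy"},
    {"ip": "10.10.1.11", "purpose": "reverse proxy"},
    {"ip": "10.10.1.20", "purpose": "application database"},
    {"ip": "10.10.1.30", "purpose": "backup target"},
]

PRODUCTION_NETS = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed per-host approved and installed software lists.
APPROVED_SOFTWARE = {
    "web01": {"nginx", "openssh-server"},
    "db01": {"postgresql", "openssh-server"},
}
INSTALLED_SOFTWARE = {
    "web01": {"nginx", "openssh-server", "telnetd"},
    "db01": {"postgresql", "openssh-server"},
    "web02": {"nginx", "openssh-server"},
}


def parse_scan(csv_text):
    """Return {ip: row} for well-formed rows inside the production ranges."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue  # a malformed row must not abort the whole review
        if any(addr in net for net in PRODUCTION_NETS):
            hosts[str(addr)] = row
    return hosts


def reconcile_devices(scan_csv, authorized):
    """Compare discovered hosts with the documented list.

    unauthorized: seen on the network but absent from the documentation
    missing:      documented but not seen (stale documentation or an outage)
    """
    seen = set(parse_scan(scan_csv))
    approved = {a["ip"] for a in authorized}
    by_addr = ipaddress.ip_address  # sort numerically, not as strings
    return {
        "unauthorized": sorted(seen - approved, key=by_addr),
        "missing": sorted(approved - seen, key=by_addr),
        "matched": sorted(seen & approved, key=by_addr),
    }


def audit_software(installed, approved):
    """Per host, list installed packages that are not on its approved list.

    A host with no approved list at all has every package reported, which
    flags machines deployed without the documentation step.
    """
    findings = {}
    for host, packages in installed.items():
        extra = packages - approved.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


if __name__ == "__main__":
    devices = reconcile_devices(SCAN_CSV, AUTHORIZED)
    for kind in ("unauthorized", "missing"):
        for ip in devices[kind]:
            print(f"{kind}: {ip}")
    for host, extra in audit_software(INSTALLED_SOFTWARE, APPROVED_SOFTWARE).items():
        print(f"unapproved software on {host}: {', '.join(extra)}")
```

Both findings lists are what the quarterly review would raise for approval or removal: a "missing" host is as worth a look as an "unauthorized" one, since it usually means the documentation was not updated.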
3.4. Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors.

Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with priority given to fixing critical and high vulnerabilities.

The Nessus Vulnerability Scanner runs a scan of all the machines weekly. The report from the scan is then emailed to the Head of Eckler IT (currently Amar Sookram), the FS Head of Technology (currently Sylvain Goulet), and the FS principal IT staff (currently Iván Vacacela and Phillip Couto). Changes to the list of vulnerabilities reported are documented in the Vulnerability Scans project on gitlab. Remediations are documented in the issues opened on gitlab to keep a paper trail of the work done.

3.5. Malware Defences

Block malicious code from tampering with system settings or content, capturing sensitive data, or spreading.

Use automated anti-virus and anti-spyware software to continuously monitor and protect servers. Remediate any vulnerabilities that would allow attackers to control or inject code into the Production environment. Reduce permissions on content uploaded by external users of the applications. Run software in isolated environments to prevent infections from spreading.

We currently run ESET anti-virus software, automatically updated, on the entry points to the production environment used by the System Administrators. This prevents malicious code on an administrator's machine from infecting the production environment. We continuously scan our network for vulnerabilities and remediate any critical or high vulnerabilities as a high priority. Files uploaded by application users are stored in locations with restrictive permissions, to prevent the data from accidentally being executed by a System Administrator or a process.

3.6. Application Software Security

Neutralize vulnerabilities in web-based and other application software.

Carefully test internally developed and third-party software for security flaws, including coding errors and malware.

The Acunetix Web Vulnerability Scanner is utilized to run internal scans against the applications on a quarterly basis, or before a major update to an application is released into production. All scan results are stored in the Vulnerability Scans project on gitlab.
3.7. Wireless Device Control

Protect the security perimeter against unauthorized wireless access.

Wireless devices are prohibited in the production environment. Use tools to identify unauthorized devices within the network that may be wireless devices.

The Nessus Vulnerability Scanner identifies all network-reachable devices within the networks. As the results are reviewed, the devices discovered by Nessus are compared to the production environment documentation to identify any unauthorized devices. If an unauthorized device is identified as a wireless device it will be removed or blocked immediately.

3.8. Data Recovery Capability

Minimize the damage from an attack: effective data recovery is dependent on an effective backup system.

Use tools to back up application data, operating system images, and application configurations to ensure a rapid and consistent recovery of the system. Regularly test the consistency of the backups to confirm that the data and state of the system can be restored. Utilize physical security and encryption to properly secure the backup data from unauthorized access.

All virtual machines not part of distributed clusters are replicated to a replica hypervisor. This ensures a warm backup of the entire virtual machine is on standby in a datacenter. Application data is replicated regularly between the datacenters on different physical machines, to ensure there are warm and hot copies of the data in multiple data centres at any given moment. This allows near-instantaneous recovery of the system if a datacenter experiences an outage. Application databases are backed up at least every hour to allow point-in-time recovery in the event that an attack damages the application data or data loss is caused by a glitch in the system. These backups are stored in the object storage service for up to a year.

Application source code is stored on gitlab. Gitlab tracks all the revisions of the source code, allowing rollback to any given point in time for the entire life of the project. Gitlab is backed up daily, and the backup files are stored in the object storage service for up to a year.

Application data backups are tested quarterly to confirm the backups are valid and consistently stored. Virtual machine failovers are executed quarterly to test that the replica setup and replication are functioning correctly.
3.9. Security Skills Assessment and Appropriate Training to Fill Gaps

Find knowledge gaps, and fill them with exercises and training.

Develop security awareness training and communication for all IT staff.

IT staff continuously review external news sources like blogs, newsletters, message boards, and social media for any new vulnerabilities or methods to improve the security of the production environment. Information that is considered valuable or applicable is shared with other staff members to keep everyone informed.

3.10. Secure Configurations for Network Devices (Firewalls, Routers, and Switches)

Preclude electronic holes from forming at connection points with the internet, other organizations, and internal network segments.

Firewall, router, and switch configurations should be compared against standard secure configurations on a regular basis. The secure configuration of such devices should be documented and reviewed. Any deviations from the standard configuration, or updates to the standard configuration, should be documented and approved.

The production environment documentation outlines all the accessible ports that should be allowed through the firewalls. The firewall configuration is reviewed on a quarterly basis to confirm that the documentation is in sync with the configuration currently active on the firewalls. Any changes to the documentation are tracked in the configuration project on gitlab. Changes to the documentation must be approved by the FS Head of Technology.

3.11. Limitation and Control of Network Ports, Protocols, and Services

Allow remote access only to legitimate users and services.

Apply machine-based firewalls to block traffic that is not necessary to the function of the machine. Only allow remote access to a machine from approved accounts. Limit remote access to connections originating from approved locations.

External firewalls are configured to only allow remote access to the production environment from connections originating from Eckler's offices. All machines have firewalls active, with only the ports necessary for the function of that machine opened. Only approved administrator accounts can remotely access a machine in the production environment. Firewall configurations for each machine are documented in the configuration project on gitlab and reviewed quarterly.
3.12. Controlled Use of Administrative Privileges

Protect and validate administrative accounts on servers to prevent common types of attacks.

A common type of attack is attempting to crack an administrative password, which then grants administrative access to the machine or the production environment. Use robust passwords of high complexity.

Only select individuals have access to the production environment. The list of user accounts with administrative privileges, and where they are used, is documented in the Administrators document. Any changes to the document must be approved by the FS Head of Technology. The document is stored in the configuration project on gitlab and reviewed quarterly with auditing tools. User account passwords must meet the NERC standard. Most user account passwords used by applications or services are randomly generated and stored in a password tracker for each account. All passwords in the production environment are changed yearly to reduce the likelihood of an attacker guessing a password correctly.

3.13. Boundary Defence

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines.

Establish multilayered boundary defences by relying on firewalls, proxies, demilitarized zone perimeter networks, and other network-based tools.

The firewalls are the first layer of filtering for inbound application traffic. Only certain ports are open for traffic to enter the production environment. Most application traffic is then routed to a reverse proxy, which performs application-level filtering to route the traffic to the correct application. The reverse proxies live in the DMZ and pass valid traffic off to the trusted network. All machines have firewalls enabled to only allow expected network communication. Outbound ports are limited to protect data leaving the network in the event the production environment is compromised. Splunk is used to monitor logging from all the machines and applications for irregular behaviour in the production environment.
3.14. Maintenance, Monitoring, and Analysis of Security Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines.

Generate standardized logs for each hardware device and the software installed on it, including date, timestamp, source addresses, destination addresses, and other information about each request and/or transaction. Store logs on dedicated servers, and run bi-weekly reports to identify and document anomalies.

Splunk is used to pull log data from all machines and hardware so that it is processed in a single location. Alerts, reports, and dashboards are continuously built or tuned to turn the log data into useful information for identifying potential attacks, malicious attempts, and system stability on a continuous basis. The data is continuously analyzed to identify useful data patterns that will allow more insight into the operations of the production environment. Splunk will send alerts to IT staff when event data triggers a defined alert.

3.15. Controlled Access Based on the Need to Know

Prevent attackers from gaining access to highly sensitive data.

Maintain a clear separation of sensitive client data from public data. Use methods like separate user accounts, access control lists, and physical separation of data. Prevent unauthorized access to data within the application, whether by an authenticated user or an anonymous user.

Each application has its data stored in separate databases or accounts with different credentials, to prevent cross-application access to client data. Each application has unique identifiers for each client that are used to keep client data separate when the application is used by users. Penetration testing is performed annually to validate that the application will not leak one client's data to a user without access to that client.

3.16. Account Monitoring and Control

Keep attackers from impersonating legitimate users.

Use strong passwords for both user accounts and system accounts. Implement tools or logic to lock or disable an account after a number of unsuccessful attempts. Prevent attackers from attempting to guess legitimate account names. Implement monitoring to detect brute-force attempts to guess passwords or account names.

Splunk is used to build reports and alerts around authentication attempts at both the system level and the application level. After a number of unsuccessful attempts the user's account is disabled to prevent further attempts, and must be unlocked by another administrator. Applications block attempts by attackers to guess account names by using tactics like returning the same generic message whether the account is disabled, the username is invalid, or the password is invalid. Applications will also disable a user's account after a number of unsuccessful attempts, to prevent brute-force guessing of a user's password. Applications also enforce a minimum password complexity, varying by each client's requirements. No user can have access to a client's data unless the password meets the client's minimum requirements.
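The three mechanisms 3.16 describes (a uniform failure message regardless of cause, lockout after a number of failed attempts until an administrator unlocks the account, and alerting on brute-force attempts in the authentication logs) are shown together in the following added example, which is not the code of Eckler's applications or its Splunk alerts. It assumes a hypothetical in-memory user store, a lockout threshold of 5 consecutive failures, and constructed log lines in the shape "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".

```python
"""Account lockout, uniform failure responses and brute-force alerting
(added example; not the code of Eckler's applications or Splunk alerts).

Assumptions not taken from the page: a hypothetical in-memory user store,
a lockout threshold of 5 consecutive failures, and constructed auth-log
lines in the shape "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5
# One message for every failure cause, so a response never reveals whether
# the account exists, is disabled, or merely had the wrong password.
GENERIC_FAILURE = "Invalid username or password."


def _hash(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class UserStore:
    def __init__(self):
        self._users = {}
        # Dummy credential: unknown usernames cost the same hashing work as
        # real ones, so response time does not reveal valid account names.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("unused", self._dummy_salt)

    def add(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt),
                                 "failures": 0, "disabled": False}

    def login(self, username, password):
        """Return (ok, message); every failure path returns GENERIC_FAILURE."""
        rec = self._users.get(username)
        if rec is None:
            hmac.compare_digest(_hash(password, self._dummy_salt), self._dummy_hash)
            return False, GENERIC_FAILURE
        ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
        if rec["disabled"]:
            return False, GENERIC_FAILURE  # even a correct password is rejected
        if ok:
            rec["failures"] = 0
            return True, "Login successful."
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["disabled"] = True  # stays disabled until an administrator unlocks it
        return False, GENERIC_FAILURE

    def is_disabled(self, username):
        return self._users[username]["disabled"]

    def unlock(self, username):
        """Administrative action: re-enable the account and reset the counter."""
        self._users[username].update(failures=0, disabled=False)


# Constructed sample log: one source failing against seven accounts in two
# minutes, another with two ordinary failures, and a normal successful login.
AUTH_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T10:00:09 FAIL user=bob src=203.0.113.7
2024-03-01T10:00:20 FAIL user=carol src=198.51.100.5
2024-03-01T10:00:31 FAIL user=dave src=203.0.113.7
2024-03-01T10:00:44 FAIL user=erin src=203.0.113.7
2024-03-01T10:01:02 OK user=carol src=198.51.100.5
2024-03-01T10:01:15 FAIL user=frank src=203.0.113.7
2024-03-01T10:01:30 FAIL user=grace src=203.0.113.7
2024-03-01T10:01:58 FAIL user=heidi src=203.0.113.7
2024-03-01T10:02:10 FAIL user=carol src=198.51.100.5
"""


def detect_bruteforce(log_text, threshold=LOCKOUT_THRESHOLD, window=timedelta(minutes=5)):
    """Return {src_ip: peak failure count} for sources with at least
    `threshold` failed logins inside a sliding time window. Failures are
    counted per source across all usernames, so one guess per account
    (spraying) is caught as well as many guesses against one account.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        stamp, result, *pairs = line.split()
        if result != "FAIL":
            continue
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(stamp)
        q = recent[fields["src"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[fields["src"]] = max(alerts.get(fields["src"], 0), len(q))
    return alerts
```

The per-account lockout alone would not fire on the sprayed source in the sample log (no account sees more than one failure), which is why the log-side detection keys on the source address.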
3.17. Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft.

Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Implement tools and processes that control access to the data and monitor any unauthorized or irregular access to data.

All hardware is located in key-card-locked rooms to which only IT staff have access. The servers have monitoring to send alerts in the event any piece of hardware is removed or tampered with in any way. Logging from servers and applications allows tracking of what data was accessed, when, and from where. All sensitive data is protected by access controls that require authentication, which can be used to identify the user that accessed and potentially leaked the data. Firewalls limit outbound ports to minimize the ways data can leave the production environment.

3.18. Incident Response Capability

Protect the organization's reputation, as well as its information.

Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

An Incident Response plan is used in the event that a potential security event, such as an attack or malicious software, may be present on or in the production environment. The plan is reviewed on an annual basis to keep it up to date and effective.

3.19. Secure Network Engineering

Keep poor network design from enabling attackers.

Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with firewall separation between each level. Only allow the traffic between each level that is necessary to provide the required functionality.

The firewalls sit at the edge of the production environment. The reverse proxies filter the application traffic to the specific machine for the application, which sits in the trusted network. All software needed to service the client applications sits on the trusted network and is not reachable from external connections. VPN tunnels link the datacenter networks of the same level together. A network of one level in one datacenter cannot talk to a network of a different level in the other datacenter. The network topology is regularly reviewed to make sure all machines reside in the correct network.
3.20. Penetration Testing

Use simulated attacks to improve organizational readiness.

Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises (all-out attempts to gain access to critical data and systems) to test existing defences and response capabilities.

Applications are internally scanned using the Acunetix Vulnerability Scanner software to regularly test the applications in production. External penetration testing is performed annually against the applications to identify vulnerabilities not discovered by Acunetix or Nessus. IT staff attempt to attack the systems or applications internally, using their professional knowledge and internal knowledge of the environment, to identify any unresolved exploitable flaws in code or exposed vulnerabilities.
4. QUESTIONS

Any questions about the Security Controls used for FS Technology Applications should be addressed to any of the following individuals:

- Sylvain Goulet, FS Head of Technology
- Phillip Couto, Web Developer and IT Security
- Iván Vacacela, PMP, Technical Business Analyst
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationHikCentral V.1.1.x for Windows Hardening Guide
HikCentral V.1.1.x for Windows Hardening Guide Contents Introduction... 1 1. The Operating System - Microsoft Windows Security Configuration... 2 1.1 Strict Password Policy... 2 1.2 Turn Off Windows Remote
More informationWatson Developer Cloud Security Overview
Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationBest Practices for PCI DSS Version 3.2 Network Security Compliance
Best Practices for PCI DSS Version 3.2 Network Security Compliance www.tufin.com Executive Summary Payment data fraud by cyber criminals is a growing threat not only to financial institutions and retail
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationCrises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.
Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationTHE RISE OF GLOBAL THREAT INTELLIGENCE
THE RISE OF GLOBAL THREAT INTELLIGENCE 1 THE RISE OF GLOBAL THREAT INTELLIGENCE IN THE DIGITAL BUSINESS WORLD In developing the Global Threat Intelligence Report (GTIR), the NTT Group security team used
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationSecuring Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)
Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...
More informationSecuring CS-MARS C H A P T E R
C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout
More informationSecurity by Default: Enabling Transformation Through Cyber Resilience
Security by Default: Enabling Transformation Through Cyber Resilience FIVE Steps TO Better Security Hygiene Solution Guide Introduction Government is undergoing a transformation. The global economic condition,
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationLOGmanager and PCI Data Security Standard v3.2 compliance
LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More informationPresenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.
Presenter Jakob Drescher Industry Cyber Security 1 Cyber Security? Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Malware or network traffic
More informationSneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security
Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks
More informationHow-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018
How-to Guide: Tenable.io for Microsoft Azure Last Updated: November 16, 2018 Table of Contents How-to Guide: Tenable.io for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationCyber Essentials. Requirements for IT Infrastructure. QG Adaption Publication 25 th July 17
Cyber Essentials Requirements for IT Infrastructure NCSC Publication 6 th February 17 QG Adaption Publication 25 th July 17 Document No. BIS 14/696/1.2 Requirements for IT Infrastructure Specifying the
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationBest Practices Guide to Electronic Banking
Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationManaging and Auditing Organizational Migration to the Cloud TELASA SECURITY
Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting
More informationBraindumpsVCE. Best vce braindumps-exam vce pdf free download
BraindumpsVCE http://www.braindumpsvce.com Best vce braindumps-exam vce pdf free download Exam : SY0-501 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : DEMO Get Latest & Valid
More informationHow-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018
How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationRequirements for IT Infrastructure
Requirements for IT Infrastructure This information contained in this document is taken from the NCSC Website directly via: https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationMigrationWiz Security Overview
MigrationWiz Security Overview Table of Contents Introduction... 2 Overview... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Data Security and Handling... 4 Database
More informationENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE
ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE INTRODUCTION In line with commercial industry standards, the data center used by EndNote employs a dedicated security team to protect our
More informationGoogle Cloud Platform: Customer Responsibility Matrix. April 2017
Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationPotential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group
Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group Submitted on behalf of the U.S. Department of Energy National
More informationMicrosoft SharePoint Server 2013 Plan, Configure & Manage
Microsoft SharePoint Server 2013 Plan, Configure & Manage Course 20331-20332B 5 Days Instructor-led, Hands on Course Information This five day instructor-led course omits the overlap and redundancy that
More informationANATOMY OF AN ATTACK!
ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationWHITE PAPER- Managed Services Security Practices
WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to
More informationCloud Security Whitepaper
Cloud Security Whitepaper Sep, 2018 1. Product Overview 3 2. Personally identifiable information (PII) 3 Using Lookback without saving any PII 3 3. Security and privacy policy 4 4. Personnel security 4
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationWHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?
WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.
More informationSecurity Principles for Stratos. Part no. 667/UE/31701/004
Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED
More informationProtect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com
Protect Your Endpoint, Keep Your Business Safe. White Paper Exosphere, Inc. getexosphere.com White Paper Today s Threat Landscape Cyber attacks today are increasingly sophisticated and widespread, rendering
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationWeb Cash Fraud Prevention Best Practices
Web Cash Fraud Prevention Best Practices Tips on what you can do to prevent Online fraud. This document provides best practices to avoid or reduce exposure to fraud. You can use it to educate your Web
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationVANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER
VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to
More informationTHE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION
BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive
More information