DDTC IT Modernization
- Tiffany Byrd
- 6 years ago
Slide 1: DDTC IT Modernization
Anthony Dearth, Acting Managing Director, Directorate of Defense Trade Controls
Slide 2: AGENDA
- DECCS Release 2 Features and Industry Batch Filing/Testing
- DECCS Cyber Security
- DTAG Recommendations for DECCS Release 3
- DECCS Release 2 Timeline
- DECCS Release 2 Screenshots
Slide 3: DECCS INDUSTRY FEATURES, RELEASE 2
- Single user portal for approved DDTC data collections
- Interactive web-based interface
- Implementation of Pay.gov for registration fee payments via credit cards, PayPal, or ACH (Automated Clearing House)
- Confirmation of application receipt with tracking number
- Status tracking of all applications & submission types
- Continued batch filing of license applications with minimal changes
Slide 4: LICENSING BATCH FILING TESTING PLAN
Licensing batch filing will be available for industry testing this month.
How to submit test batch filings:
- Review the batch specification document.
- Send the principal information of your digital certificate to PM_DDTCProjectTeam@state.gov to be granted access to the test system.
- A Conditions of Use for Batch Filing must be signed and returned to PM_DDTCProjectTeam@state.gov.
Further details on how to access the system will be provided once we receive your testing request and signed Conditions.
Slide 5: BATCH LICENSE FILING TECHNICAL DETAILS, RELEASE 2
- Submissions use the SOAP with Attachments message format
- XML Signature is used for signing
- Authentication uses IdenTrust ACES client certificates
- The schemas will be the same
- Current functionality will stay the same:
  - Filing upload and status download
Slide 6: LICENSING BATCH FILING KEY BUSINESS AND TECHNICAL DIFFERENCES, RELEASE 2
- DECCS will support multiple records (submissions) per batch
- The URL will be different and will likely require industry security firewall changes
- DECCS batch filing is implemented using the SAAJ APIs included with the Java 8 JDK and uses no third-party libraries
- Submissions will require the multipart/related content type
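The two slides above name the wire format (SOAP with Attachments, multipart/related), the signing mechanism (XML Signature) and the library (the SAAJ APIs bundled with the Java 8 JDK) without showing what a submission looks like. The program below is an added example written for this page, not DDTC's or DECCS's own code: the namespace urn:example:batch, the BatchSubmission/Record element names, the sha256 and href attributes, and the assumption that the ACES credential is available as a PKCS#12 file are all mine, and placing an enveloped signature in the SOAP Header is one workable choice rather than the DECCS specification. It builds a two-record multipart/related message, binds each attachment to the signed body through its SHA-256 digest (attachments sit outside the XML, so an envelope signature alone would not cover them), and signs the envelope with a client certificate.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.QName;
import javax.xml.soap.*;

public class SwaBatchExample {

    // Assumed namespace and element names; the real batch schema is not reproduced on the page.
    private static final String NS = "urn:example:batch";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Builds a SOAP 1.1 envelope carrying each record as a separate MIME part (multipart/related). */
    public static SOAPMessage buildBatch(String batchId, byte[]... records) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        SOAPElement batch = msg.getSOAPBody().addChildElement(new QName(NS, "BatchSubmission", "b"));
        batch.addAttribute(new QName("batchId"), batchId);
        for (int i = 0; i < records.length; i++) {
            String cid = "record" + (i + 1) + ".xml";
            SOAPElement rec = batch.addChildElement(new QName(NS, "Record", "b"));
            rec.addAttribute(new QName("href"), "cid:" + cid);
            // Attachments live outside the XML, so the XML Signature below cannot cover them directly.
            // Recording each attachment's SHA-256 digest in the signed body binds them to the signature.
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(records[i]);
            rec.addAttribute(new QName("sha256"), Base64.getEncoder().encodeToString(digest));
            AttachmentPart part = msg.createAttachmentPart(
                    new String(records[i], StandardCharsets.UTF_8), "text/xml; charset=UTF-8");
            part.setContentId("<" + cid + ">");
            msg.addAttachmentPart(part);
        }
        msg.saveChanges();
        return msg;
    }

    /** Adds an enveloped XML Signature (placed in the SOAP Header) keyed by a PKCS#12 client certificate. */
    public static void sign(SOAPMessage msg, String p12Path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" means the whole envelope; the enveloped transform excludes the Signature element itself.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        X509Data x509 = kif.newX509Data(Collections.singletonList(cert));
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));

        DOMSignContext ctx = new DOMSignContext(key, msg.getSOAPHeader());
        fac.newXMLSignature(si, ki).sign(ctx);
        msg.saveChanges();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample records; real submissions follow the DDTC batch specification document.
        byte[] r1 = "<License><Applicant>Constructed Co.</Applicant></License>".getBytes(StandardCharsets.UTF_8);
        byte[] r2 = "<License><Applicant>Sample LLC</Applicant></License>".getBytes(StandardCharsets.UTF_8);
        SOAPMessage msg = buildBatch("constructed-batch-001", r1, r2);
        if (args.length == 3) {
            sign(msg, args[0], args[1].toCharArray(), args[2]); // <p12 path> <password> <key alias>
        }
        // The MIME Content-Type header shows multipart/related with the SOAP part as the root.
        System.out.println(msg.getMimeHeaders().getHeader("Content-Type")[0]);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        msg.writeTo(out);
        System.out.println(out.toString("UTF-8"));
    }
}
```

Run it without arguments to see the unsigned multipart/related body and its Content-Type header; pass a PKCS#12 path, password and alias to sign. Because the slide says the schemas stay the same while the record count per batch changes, the one structural detail worth checking in a real filer is that every cid: reference in the body resolves to exactly one attachment and that the digest attribute matches the bytes actually sent, since the receiving side can reject a batch on either mismatch.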
Slide 7: DECCS CYBER SECURITY
- Encryption: FIPS encryption; use of TLS (NIST SP r1): TLS 1.2, TLS 1.1, TLS 1.0*
- Multifactor authentication: Access Certificates for Electronic Services (ACES); currently evaluating DoD External Certification Authority (ECA)
- Report security inquiries, concerns, or incidents to the DDTC Service Desk at (202) [number not captured in transcription] or at [email not captured in transcription]
* Restricted to supporting external connections to non-government entities.
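The TLS and client-certificate bullets on the slide above translate into a few client-side controls that an industry filer can verify before the production URL changes. This Java program is an added example, not DECCS or DDTC code: the PKCS#12 path, password and host are command-line placeholders, and the assumption that the ACES credential is available as a PKCS#12 file is mine. It presents the client certificate during the handshake (the certificate-based second factor the slide describes), refuses anything below TLS 1.2 on the client side regardless of what the server still offers, turns on hostname verification, which a raw SSLSocket leaves off by default, and reports the negotiated protocol and cipher suite so the effect of any firewall or proxy in the path is visible.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public class Tls12ClientCheck {

    /** Builds an SSLContext that presents the client certificate held in a PKCS#12 file. */
    public static SSLContext clientContext(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // null trust managers = the JDK default trust store; null SecureRandom = the platform default.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Handshakes with the host allowing only TLS 1.2 and returns "protocol ciphersuite". */
    public static String probe(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // SSLContext "TLSv1.2" still enables TLS 1.0 and 1.1 by default; pin the socket explicitly.
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            SSLParameters p = s.getSSLParameters();
            // Raw SSLSocket does not check the certificate's hostname unless this is set.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // fails if the server cannot do TLS 1.2 or its certificate does not chain/match
            SSLSession sess = s.getSession();
            return sess.getProtocol() + " " + sess.getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java Tls12ClientCheck <client.p12> <password> <host>
        SSLContext ctx = clientContext(args[0], args[1].toCharArray());
        System.out.println(probe(ctx, args[2], 443));
    }
}
```

If the handshake fails with a protocol-version alert, the endpoint (or an intercepting proxy) is still negotiating only the TLS 1.0/1.1 fallback the slide footnote restricts to non-government connections; if it fails with a certificate error while the same PKCS#12 works in a browser, check that the file holds the full ACES chain and not just the leaf.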
Slide 8: INDUSTRY TESTING - CYBERSECURITY
Industry Test Environment Security
- The environment is completely segregated from DDTC production systems.
- Users are required to submit a digitally signed Usage Agreement.
- DDTC will provide test user accounts: fake registration numbers, fake usernames.
- No IP access restrictions at this time.
- Do not submit any real data, including personally identifiable information (PII), other sensitive proprietary information, or ITAR data, in the testing environment.
- Use your standard ACES certificate for all operations that would require digital cryptography.
Slide 9: DTAG RECOMMENDATIONS FOR DECCS RELEASE 3
- DTAG suggests that Corporate Admin be assigned by letter request (not through the Form 2032 registration filing). DDTC has decided to allow both options (through the 2032 or by letter request).
- DTAG is concerned about the use of digital certificates as the exclusive mechanism for authentication in DECCS. For Release 3, we will implement other appropriate DOS-approved two-factor authentication methods.
- DECCS user roles and responsibilities must match organizational structure and comply with OCI, SSA and other legal and organizational firewalls, including protecting sensitive personal information in the DS-2032. We will work with industry to implement firewalls and protection of sensitive data for Release 3. For Release 2 we will not implement the ability to view applications by industry users.
- The DDTC site needs modifications to support industry. We are planning an external stakeholder session to further define industry requirements.
Slide 10: DTAG RECOMMENDATIONS FOR DECCS RELEASE 3 (CONTINUED)
- DTAG suggests that General Correspondence for freight forwarder name and address changes remain the responsibility of the freight forwarder. DDTC will continue to accept freight forwarder name and address changes by General Correspondence and will post notices to the web. However, it will be the responsibility of the licensee to update its licensing records in DECCS, either:
  - through the web interface, or
  - through batch filing.
Slide 11: DECCS HIGH LEVEL TIMELINE, RELEASE #2
- Development: ends 5/31/2017
- Government and Industry Testing: 4/2017-8/2017
- Authorization to Operate: approval package submitted 5/31/2017
- Training & Onboarding: 5/2017-8/2017
- Deployment: 9/2017
NOTE: All speaker comments are off-the-record and not for public release.
Slide 12: DECCS: LOGIN (screenshot)
Slide 13: DECCS: REGISTRATION DS-2032 (screenshot)
Slide 14: DECCS: REGISTRATION DS-2032 BLOCK 2 (screenshot)
Slide 15: DECCS: REGISTRATION BLOCK 4 VALIDATION (screenshot)
Slide 16: DECCS: LICENSING HOME PAGE (screenshot)
Slide 17: DECCS: LICENSING DSP-5 (screenshot)
Slide 18: DECCS: LICENSING DSP-5 BLOCK 5 (screenshot)
Slide 19: DECCS: LICENSING TRACK STATUS (screenshot)
Slide 20: DECCS: LICENSING APPLICATION DETAIL (screenshot)
Slide 21: Questions?
Slide 22: Developments in Cloud Computing, Intrusion Software and Network Surveillance Controls
Aaron Amundson, Director, Information Technology Controls Division, Bureau of Industry & Security
May 2, 2017
Slide 23: BIS GUIDANCE ON CLOUD COMPUTING
- Three directly relevant, published Advisory Opinions.
- Definitional changes published in the June 3 FR notice, in effect as of September 1, including the encryption carve-out.
- Encryption carve-out provisions were not included in the ITAR bookend of definitional changes, to be published separately.
Slide 24: ADVISORY OPINIONS ON CLOUD COMPUTING
- Jan [year not captured in transcription]: a cloud provider that provides access to computational capacity is not the exporter of data derived from the computations, because it is not the principal party in interest.
- Jan [year not captured in transcription]: if the cloud provider is not the exporter, the cloud provider is not making a deemed export when its foreign-national network administrators access the data.
- Nov [year not captured in transcription]: remotely using controlled software is not itself an export, unless there is a transfer of controlled software or technology.
Slide 25: JUNE 3 FR NOTICE ON DEFINITIONS
- Opportunity to address the issue; relevant changes appear in multiple locations in the proposed language.
- The term "cloud" is not used in the regulatory text; the changes affect cross-national data transmission and release to non-U.S. nationals.
- The primary citation in the EAR is a new section, [section number not captured in transcription], "Activities that are not exports, reexports, or transfers."
- Three basic requirements for the carve-out: end-to-end encryption, applicability of FIPS standards, and prohibition on storage in D:5 countries or Russia.
Slide 26: END-TO-END ENCRYPTION
- Defined as uninterrupted cryptographic protection between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary).
- The definition is intended to be flexible enough to accommodate different technical approaches (e.g., IPsec VPN, SSL VPN).
- The definition is not intended to preclude service provider involvement (i.e., security can be delegated to a third party).
Slide 27: BOUNDARY TO BOUNDARY
- In the June 3 FR notice, the definition of end-to-end was changed from system-to-system encryption (e.g., PGP) to security-boundary-to-security-boundary.
- Reflects common industry practice and provides more flexibility.
- Allows necessary services to be performed within the security boundaries while meeting the objectives of the rule.
- Caveat: the boundary must be in-country; data cannot cross a national border in the clear.
Slide 28: STORAGE RESTRICTIONS
- Intentional storage is prohibited in D:5 countries and Russia.
- Temporary storage on Internet servers while in transit is not considered intentional storage.
- Storage on PCs while in a D:5 country is considered intentional; in such circumstances, another authorization (e.g., TMP) is required.
- As a practical matter, cloud providers serving western customers (including those owned by the PRC) have not located their resources in these countries.
Slide 29: KEYS AND OTHER ACCESS DATA
- Release of keys, passwords or other data (access information) with knowledge that such release or transfer will result in release of the underlying technical data is a controlled event.
- An unauthorized release of access information would be a violation to the same extent as an unauthorized release of the underlying data.
- Keys and other access data are not themselves considered technical data, and can thus be managed independently.
Slide 30: ISSUES RELATED TO EXECUTION
- Decryption outside the U.S. does not, of itself, constitute an export or release.
- Storage in the clear (after decryption) outside the U.S. does not, of itself, constitute an export or release.
- When a transmission is decrypted and re-encrypted, end-to-end no longer applies; the subsequent transmission is a separate, new transmission.
- A user may delegate security to a third-party provider, but must ensure that the provider meets the carve-out criteria (e.g., encrypts between cloud resources).
Slide 31: CONCLUSION ON CLOUD COMPUTING
- Changes are intended to provide maximum flexibility to providers and users.
- BIS will provide additional guidance as more fact patterns emerge and technology evolves.
Slide 32: SUMMARY OF 2013 WASSENAAR CYBER CONTROLS
- Controls on network communications and surveillance equipment for carrier-class IP networks (5.A.1.j). Drafters contemplated that the controls would apply to a narrow range of specific products.
- Controls on network intrusion (4.A.5, 4.D.4, and 5.E.1) focused on command and delivery platforms for network intrusion software (e.g., exploits/payloads). Included hardware/software command and control platforms and associated technology.
- While defining intrusion software, the controls did not apply to such software itself. Controls did apply to technology for such software (5.E.1.c).
Slide 33: U.S. IMPLEMENTATION EFFORTS
- The U.S. published a rule implementing these controls in the Export Administration Regulations in proposed form in May [year not captured in transcription].
- We originally anticipated that the reach of the new controls would be quite narrow, as the discussions in Wassenaar focused on products of a few companies such as FinFisher/Gamma, Hacking Team and Vupen. As a result, the proposed rule required individual licenses for exports to all countries except Canada and for release to all non-U.S. and non-Canadian nationals.
- Public comment was extensive, focused primarily on network intrusion, and was overwhelmingly negative.
Slide 34: CURRENT STATUS OF U.S. IMPLEMENTATION
- Due to comments received and subsequent extensive outreach to cybersecurity stakeholders, including Government cybersecurity organizations, we decided to delay implementation.
- The nature of the commentary revealed differences between the original intent of the controls and the actual impact of the language.
- These issues must be clarified in order to create a level playing field within Wassenaar and to limit potential negative impact on Member States' critical cybersecurity activities.
- The U.S. returned to Wassenaar in 2016 with proposals to address some of the more important issues, and met with only limited success; we are continuing this discussion in this year's session.
Slide 35: UNIQUE FEATURES OF THE CYBERSECURITY ENVIRONMENT
- Cybersecurity activities are highly globalized.
- Cybersecurity employs a fundamental Red Team/Blue Team approach.
- Participants vary widely and fluctuate as needs demand.
- Cyber activities are now only lightly touched by export control or other regulations.
- Cybersecurity activity can be extremely time sensitive.
Slide 36: QUESTIONS FOR WASSENAAR DISCUSSION
- High-level issue: how to control target products without impeding defensive work.
- Problem: in order to effectively prevent a small subset of transactions, all transactions involving network intrusion command and control platforms (including technology) must be touched in some way:
  - Classification: deciding what is caught and what is not
  - IT solutions (firewalls, access controls)
  - Procedures
  - Training
- While U.S. corporations with pre-existing compliance programs are equipped to execute such controls, non-U.S. enterprises, small companies, academic entities, and individuals are not; the latter are big players in cyber defense.
Slide 37: Questions?
More informationCloud Computing: Technologies and Enterprise IT Strategies
Cloud Computing: Technologies and Enterprise IT Strategies Stephen Obioma Luis D. Morales 1 Instructor: Prof. Paul Lin January 05, 2013 Possible Transition Items IPFW IT web page enables students and staff
More informationRecommendations for Implementing an Information Security Framework for Life Science Organizations
Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationISACA Cincinnati Chapter March Meeting
ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview
More informationUSER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.
These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection
More informationUDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)
UDRP Pilot Project The Czech Arbitration Court (CAC) proposes that it runs two pilot projects (Pilot) related to its implementation of UDRP. During the Pilot, the following proposed new UDRP-related services
More informationAcceptable Use Policy
IT and Operations Section 100 Policy # Organizational Functional Area: Policy For: Date Originated: Date Revised: Date Board Approved: Department/Individual Responsible for Maintaining Policy: IT and Operations
More informationAdd/Manage Business Users
Primary and Secondary Administrators are created by First Interstate Bank and have full access to functionality; these Administrators set up other employees as Business Banking users via the Entitlements
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.2 Effective
More informationCertification Report
Certification Report Curtiss-Wright Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationCOMPANY (MU1) FORM FILING - EXTENDED
COMPANY (MU1) FORM FILING - EXTENDED Updated: 3/31/2014 Copyright 2008 State Regulatory Registry LLC Table of Contents General Overview 3 How to Submit the Company (MU1) Filing 4 Initial Account Login
More informationPA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite
for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1
More informationMotor Oil Matters (MOM) Installer Online System User Guide
Motor Oil Matters (MOM) Installer Online System User Guide Potential MOM Installers can register at. To ensure a successful application process, you should have the following prepared for each location
More informationReady Theatre Systems RTS POS
Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2
More informationIBM Hosted Application Security Services - Website Scanning Platform
IBM Hosted Application Security Services - Website Scanning Platform Z126-5886-US-1 09-2012 Page 1 of 13 Table of Contents IBM Hosted Application Security Services -... 1 Website Scanning Platform... 1
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More information2017 NACHA Third-Party Sender Initiatives
2017 NACHA Third-Party Sender Initiatives Jordan Bennett Senior Director, Network Risk NACHA 2 MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing.
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationExport Control Reform Presentation
Export Control Reform Presentation Todd E. Willis Division Chief, Dual-Use Licensing Defense Technology Security Administration U.S. Department of Defense Agenda Overview of Defense Technology Security
More informationIBM UrbanCode Cloud Services Security Version 3.0 Revised 12/16/2016. IBM UrbanCode Cloud Services Security
IBM UrbanCode Cloud Services Security 1 Before you use this information and the product it supports, read the information in "Notices" on page 10. Copyright International Business Machines Corporation
More informationOracle Communications Services Gatekeeper
Oracle Communications Services Gatekeeper Security Guide Release 5.1 E36134-01 June 2013 Oracle Communications Services Gatekeeper Security Guide, Release 5.1 E36134-01 Copyright 2011, 2013, Oracle and/or
More informationHow To Complete Your Own GSA Schedule GovernmentContractingTips.com
How To Complete Your Own GSA Schedule GovernmentContractingTips.com GSA Schedule Quick List Become Registered in System for Award Management (SAM). Choose a GSA Schedule. Receive a Digital Certificate
More informationNY DFS Cybersecurity Regulations August 8, 2017
NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter
More information