Judiciary Judicial Information Systems
|
|
- Maud Marsh
- 5 years ago
- Views:
Transcription
1 Audit Report Judiciary Judicial Information Systems February 2005 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY
2 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at Please address specific inquiries regarding this report to the Audit Manager listed on the inside back cover by telephone at (410) Electronic copies of our audit reports can be viewed or downloaded from the Internet via The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) or (301)
3 February 10, 2005 Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the Judicial Information Systems of the Judiciary. Our audit included an internal control review of the Systems data center and the network administered by Systems that supports the Judiciary and Courts of Maryland. Our audit disclosed that proper internal control had not been established over several significant areas. For example, the Systems internal network was not adequately protected from untrusted networks. Furthermore, the Systems lacked assurance that critical production data files and security and operating systems were adequately protected. Security event reporting for certain critical systems was incomplete and not reviewed by appropriate personnel. In addition, the Systems did not have a comprehensive information security program to ensure that adequate computer security existed and did not have a current and complete disaster recovery plan designed to minimize disruption of computer processing and network services in the event of a disaster. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor
4 2
5 Table of Contents Executive Summary 5 Background Information 7 Agency Responsibilities and Description 7 Current Status of Findings From Preceding Audit Report 8 Findings and Recommendations 9 Network Security and Control Finding 1 The Internal Computer Network Was Not Sufficiently 9 Secured From Untrusted Networks Finding 2 Maintenance and Administration of the Firewall 10 Was Not Adequate * Finding 3 The Communication Server Was Not Configured 10 to Protect the Internal Network Finding 4 Security Measures to Protect Critical Network Servers 11 Were Insufficient Data Center Information System Security and Control Finding 5 Access and Recordation Controls Over Critical 11 Data and System Files Were Inadequate * Finding 6 Necessary Controls Did Not Exist Over Critical 12 Segments of the Operating System Software * Finding 7 Security Event Reviews and Related Reporting Were 13 Not Adequate * Finding 8 Necessary Access Controls Did Not Exist Over Critical 14 Transactions, Programs and Data Files Involving Court Case, Warrant and Traffic Citation Data * Finding 9 Password Controls for the Uniform Court System 14 Were Not Adequate * Denotes item repeated in full or part from preceding audit report. 3
6 Information Technology Operations * Finding 10 A Comprehensive Information Systems Security Program 15 and a Sufficient Disaster Recovery Plan Did Not Exist * Finding 11 Program Change Controls Were Not Adequate 16 Audit Scope, Objectives, and Methodology 17 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report. 4
7 Executive Summary Legislative Audit Report on Judicial Information Systems of the Judiciary February 2005 Proper security measures had not been established to protect the Systems internal network from untrusted third party networks including the Internet and the Systems did not adequately monitor the output of its intrusion detection system or update the system. The Systems should establish adequate controls over third party network connections and its intrusion detection system. The Systems communication server was vulnerable to unauthorized access and modification which could result in deletion of, or changes to, critical data files. Adequate password and account lockout provisions should be established for the communications server and authenticated users should be limited to tasks commensurate with their job responsibilities. Numerous employee user accounts could use four system-oriented accounts which allowed these users unnecessary and unrecorded modification access to data and system files. The Systems should discontinue use of these system-oriented accounts. Mainframe security controls could be bypassed because certain objects with special system privileges were not properly controlled and because supervisory personnel did not review and approve all modifications of key system files. Unnecessary object names with special privileges should be removed and modification access to critical privileged operating system files should be limited to individuals who require such access. Furthermore, Systems management should conduct and document reviews of all changes to critical operating system files. Access to key transactions, programs, and data files involving court cases, warrants, and traffic citations was not properly restricted; and related security reporting and reviews were not adequate. 5
8 Adequate access controls should be established over Systems transactions, programs, and data files and proper security event reporting and reviews should be performed. A comprehensive information security program and a current and complete disaster recovery plan did not exist. In addition, controls over changes to computer programs were not adequate. A comprehensive information security program and a current and complete disaster recovery plan should be developed. In addition, the Systems should establish procedures to ensure that only authorized and properly tested programs are placed into production. 6
9 Background Information Agency Responsibilities and Description The Judiciary operates the Judicial Information Systems on behalf of the State court systems. The Systems staff develops and maintains State court system applications, operates a statewide computer network, and is responsible for data center disaster recovery capabilities. Traffic case dispositions and court case data processed by the Systems are supplied to computer systems maintained by the Motor Vehicle Administration and the Department of Public Safety and Correctional Services, respectively. The Systems fiscal year 2004 operating budget totaled approximately $19.6 million. The Systems operates a mainframe computer for court applications (such as, district court case management) and two minicomputers that support the Maryland Automated Traffic System (Traffic Citations) and disbursement processing. In addition, there are nine minicomputers which support the Uniform Court System (UCS). The Systems serves three groups of users: public customers, Judicial Data Center personnel, and remote Court users. The Systems also operates a Wide Area Network (WAN) which connects users to the various component units of the Judiciary including the Administrative Office of the Courts, the District Courts, the Circuit Courts, and the Court Commissioners Offices. The WAN is used to connect the remote court locations to the UCS which provides court case management to 20 Circuit Courts and one District Court. The UCS supports case initiation, scheduling, disposition, expungement, and other record keeping. Systems staff connect across the WAN and maintain the regional UCS minicomputers and update the application software. Additionally, the WAN transmits communications from remote court offices to the Systems mainframe applications. Furthermore, 77 local area networks, across all remote court locations, can access the UCS and access external agencies through the Internet. Internet transmissions are controlled by the Systems central Internet firewall. Separately, the Systems also operates a server inside its network which supports public user dialup inquiries to court information from approximately 5,000 paying customers. 7
10 See below for a graphic depiction of the Systems and its components. Overview of the Systems Networking Environment The Systems operates a network that includes numerous servers, minicomputers, a mainframe computer, and connectivity to the Administrative Office of the Courts, the District Courts, the Circuit Courts, the Court Commissioners Offices, and the Internet Current Status of Findings From Preceding Audit Report We reviewed the current status of the ten findings included in our preceding audit report dated April 20, We determined that the Systems satisfactorily addressed two of these findings. The remaining eight findings are repeated in this report, two of which have been combined into one finding. In its response to our preceding audit report, the Systems generally agreed to implement the recommendations from that report. 8
11 Findings and Recommendations Network Security and Control Background Accepted security principles require organizations to ensure that the information they maintain is accessed by the appropriate persons and for authorized use only. To accomplish this, the Systems computer systems contain security software which is capable of restricting access to system, security and data files, online transactions, and programs. The related software can also provide a record of all file, transaction, and program modification accesses, and all unauthorized attempted accesses to the computer system. For example, individuals are allowed by the security systems to sign onto various computer processing applications to update critical data files. Unauthorized requests are denied access by the security software. Furthermore, the Systems computer network devices can be configured to provide network security for network users. Finding 1 The internal computer network was not sufficiently secured from untrusted networks and monitoring of network traffic was not adequate. Analysis Adequate security measures had not been established to protect the Systems internal network from untrusted third party contractor networks, State and local governmental networks, and the Internet. The connections from the Systems internal network to nine untrusted networks were not adequately secured, thereby exposing the internal network to security risks from these other networks. Furthermore, the Systems network firewall allowed various insecure Internet connections to portions of the Systems network, thereby potentially placing various network devices at risk. In addition, the firewall allowed internal network users complete and unfiltered outbound access to the Internet, which increased the risks of certain types of network attacks associated with returning data traffic. Additionally, the Systems did not effectively update or monitor the output of the intrusion detection system installed on its network. Intrusion detection systems gather and analyze network traffic to identify potential network security breaches and attacks and alert network administrators to these situations. 9
12 Recommendation 1 We recommend that adequate controls be established over third party network connections and intrusion detection systems. We made detailed recommendations to the Systems which, if implemented, should provide for adequate security over the third party connections and intrusion detection systems. Finding 2 Maintenance and administration of the Systems firewall was not adequate. Analysis The Systems firewall software was outdated, and therefore did not contain the most up-to-date security features. Accordingly, the firewall was vulnerable to security exploits that were addressed in the newer software releases. Also, remote connections, for administration of the firewall, could be attempted using insecure connection protocols from any workstation. As a result, administration of the firewall could be compromised resulting in unauthorized access into the Systems network. Recommendation 2 We recommend that the Systems, on an on-going basis, update the firewall operating system to the most current version available from the firewall vendor. We also recommend that the Systems limit connections to the firewall to network administrators using only secure connection protocols. Finding 3 The Systems communications server was not adequately configured to protect the internal network from unauthorized modification. Analysis The Systems communication server was not adequately configured to protect the internal network. Specifically, the Systems communication server had weak or non-existent password and account lockout provisions for server users. In addition, authenticated users to the server were not limited to performing only designated tasks as specified by Systems management. As a result, users on this server could attempt to exploit these weaknesses for the purposes of obtaining unauthorized access to internal network data. The communications server was used by over 1,200 internal personnel to connect to the Systems internal network including the Systems mainframe computer. Similar conditions were commented upon in our prior audit report. 10
13 Recommendation 3 We again recommend that the Systems establish adequate password and account lockout provisions for its communication server and limit authenticated users to tasks commensurate with their job requirements. Finding 4 Security measures to protect critical network servers were insufficient. Analysis Adequate security measures did not exist for two important network servers to protect those servers applications from external and internal exposures, such as from the Internet. We performed vulnerability scans of these two servers, and detected 19 instances of the top 10 most exploited computer network vulnerabilities as reported by a nationally recognized cooperative research and educational organization. For example, we noted that on both servers, the Systems was using an outdated version of the software that directs traffic to websites, which is vulnerable to attack. As a result of these network vulnerabilities, these servers were not adequately secured from exposures that could result in the loss of data integrity, the interruption of key services, and the improper use of these servers. Recommendation 4 We recommend that the Systems independently assess the reported risks to its critical computer network servers and implement appropriate security measures. In this regard, we made detailed recommendations to the Systems which, if implemented, should help provide adequate security over these servers. Data Center Information System Security and Control Finding 5 Access and recordation controls over critical data and system files were inadequate. Analysis Inadequate access and recordation controls existed for 4 system-oriented accounts that 36 Systems employee user accounts could use. The Systems used a feature of the security software which allows an individual user account to operate under the identity of another account (hereafter called an assumed account) to gain greater access privileges for system operations purposes. However, activity performed 11
14 under the four assumed accounts was not logged, leaving no accountability of processing performed by any individuals using the assumed accounts. Even with logging enabled, activities reported would only be identifiable to the level of the assumed account used and not to an individual employee account. Also, use of three of the assumed accounts bypassed the security software s controls which led to pervasive access control weaknesses involving the security system, the operating system, and the telecommunications and database software operated on the mainframe computer. Recommendation 5 We recommend that the Systems discontinue use of the assumed accounts on its system. Finding 6 Mainframe system security could be bypassed because necessary controls did not exist over critical segments of the operating system software. Analysis Controls over certain critical segments of the mainframe operating system software were inadequate, allowing normal security controls to be bypassed: All changes to critical operating system files made by system programmers were not subject to review and approval by supervisory personnel. Systems personnel advised us they reviewed changes to critical operating system files on a periodic basis. Such periodic reviews would not include all changes made to critical system files by system programmers. This condition could ultimately result in unauthorized or erroneous changes to mainframe data files (for example, court case records). A similar condition has been commented upon in several preceding audit reports. Access rules over numerous operating system files with special operating system privileges were inadequate. For example, improper modifications could be made to many of these files by numerous system users without detection by management. Various library names, system commands, and program names were defined to the system with special privileges capable of bypassing security controls, but the associated libraries, commands, and programs did not exist. As a result, libraries, commands or programs using these names could be created that would not be subject to normal security system controls. A similar condition was commented upon in our prior audit report. 12
15 Recommendation 6 We again recommend that the Systems management conduct and document reviews of all changes to critical operating system files. We also recommend that the Systems restrict modification access to critical, privileged operating system files to individuals who require such modification access, and that such modification accesses be recorded, reviewed, investigated, and documented as necessary. Finally, we again recommend that the Systems eliminate unnecessary library, command and program names that could be used to bypass normal security system controls. Finding 7 Security event reviews and related reporting were not adequate. Analysis Security event reporting on the mainframe computer system and a critical minicomputer system processing traffic citation information was incomplete and not reviewed by appropriate personnel: Security event activities for both the mainframe and minicomputer system were not reported for all 24 hours of each day. For example, security reports for the minicomputer system only included events for 8 hours of each day. As a result, security activity occurring during other hours, such as access violations and logged modification access, remained unreported. Furthermore, critical security system changes (for example involving userids and security data rules) were either not reported or they were reported and not reviewed. Accordingly, there was no assurance that the changes made to the security system were accurate and proper. Although the mainframe system security officer reviewed security reports, potential problems were not referred to knowledgeable personnel for investigation. Specifically, we were advised that supervisory personnel responsible for the Systems applications and operations did not review or investigate recorded security violations or logged accesses to critical files, utilities, libraries, and screens. A similar condition was noted in our three preceding audit reports. Recommendation 7 We recommend that security event reporting be configured to cover all time periods and that reports of critical changes to security system settings be generated and reviewed by security personnel independent of the security officers. We also again recommend that security event reports be reviewed 13
16 and investigated by supervisory personnel responsible for applications and operations. Finally, we again recommend that all security report reviews be documented and retained. Finding 8 Controls were not established to properly restrict access to critical transactions, programs, and data files involving court case, warrant, and traffic citation data. Analysis The Systems did not adequately control access to critical transactions, programs, and data files for separate applications involving court case, warrant, and traffic citation data. For example, 31 user accounts had been granted unnecessary and unlogged modification access to the District Court Warrant System. In addition, 40 user accounts had unnecessary access to the Uniform Court System s security files which allowed these users to change their security profiles and obtain modification access to production data. Furthermore, 131 user accounts had unnecessary modification access to critical Uniform Court System database records through a database utility program. The inadequate access controls over transactions, programs, and data files could allow court case, warrant, and traffic citation data to be improperly modified or deleted. A similar condition was commented upon in our prior audit report. Recommendation 8 We again recommend that adequate access controls be established over Systems transactions, programs, and data files. We made detailed recommendations to the Systems, which if implemented, should provide for adequate access controls over transactions, programs, and data files. Finding 9 Password controls for the Systems Uniform Court System computer system were inadequate. Analysis Password rules concerning length, usable periods, reuse, and allowed characters need to be strengthened on the Uniform Court System server. For example, minimum password length and password reuse limits were not adequate to 14
17 provide for effective security and control. Passwords serve to authenticate system users who are then connected under a user account and granted access according to security software settings. A similar condition was noted in our prior audit report. Recommendation 9 We again recommend that password controls be strengthened by increasing the minimum password length, restricting the reuse of prior passwords, establishing password lifetimes and requiring the use of multiple types of characters in each password. Information Technology Operations Finding 10 A comprehensive information systems security program and a current and complete disaster recovery plan did not exist. Analysis The Systems programs and plans did not adequately address critical issues involving information systems security and computer operations disaster recovery: The Systems did not have a comprehensive information security program to ensure that proper computer security existed. The Systems did not have a current and complete disaster recovery plan relating to the Systems headquarters or remote locations that operate the Uniform Court System. For example, the plan did not provide an alternate site and there were no provisions for restoration of network connectivity in the event of a significant disaster. In addition, the plan did not include a schedule of prioritized critical applications for recovery. A similar situation was noted in our prior audit report. Recommendation 10 We recommend that the Systems prepare an information systems security program to address all critical security issues involved with its information systems. We also again recommend that a complete disaster recovery plan be developed to support the current information systems environment, including designation of an alternate site, procedures for fully restoring network operations, and prioritization of applications in the event of a disaster. 15
18 Finding 11 Program change controls were not adequate. Analysis Adequate control procedures did not exist to ensure that only management authorized and properly tested computer programs have been placed into production. Specifically, computer programmers could modify programs and bypass the supervisory review process. In addition, there was no documentation supporting reviews of program changes by quality assurance personnel. Similar conditions were commented upon in our prior audit report. Finally, a comparison of programs actually moved to production to approved program changes was not performed. As a result, there was a lack of assurance that only management authorized and properly tested computer programs have been placed into production. Recommendation 11 We again recommend that the Systems establish procedures to ensure that only management authorized and properly tested computer programs are placed into production. 16
19 Audit Scope, Objectives, and Methodology We have audited the Judicial Information Systems operated by the Judiciary. Fieldwork associated with our review of the Systems was conducted during the period from October 2003 to April Additionally, fieldwork associated with our review of the network was conducted during the period from July 2004 to September The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by the State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine the Systems internal control over its data center and network and to evaluate its compliance with applicable State laws, rules, and regulations for the computer systems that support the State courts and related agencies of the Judiciary. The Systems fiscal operations are audited separately. The latest report which covered the Systems fiscal operations was issued on April 4, We also determined the current status of the findings contained in our preceding audit report on the Systems. In planning and conducting our audit, we focused on the major areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of the Systems operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. The Systems management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. 17
20 Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect the Systems ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules, and regulations. Our audit did not disclose any significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to the Systems that did not warrant inclusion in this report. The Judiciary s response, on behalf of the Systems, to our findings and recommendations, is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise the Judiciary regarding the results of our review of its response. 18
21
22 In addition, JIS recently implemented an access control list on outbound Internet traffic from the Judiciary network that prevents the establishment of TCP and UDP connections to port numbers beyond the well-known range. Finding 2: We concur with this recommendation. JIS is presently configuring and testing the most current version of a higher end firewall from our current vendor to replace the current firewall. In addition to controlling access to and from the Internet the new Firewall will be used to control Virtual Private Network (VPN) access from the Internet to the Judiciary s network. It is estimated that this effort will take from three to six months to complete. In the interim, remote access to the firewall from the internal network will be further restricted as recommended. The nine external network connections in question will be consolidated into two, each of which will be controlled by a Cisco PIX Firewall with appropriate access control lists and logging enabled. One connection will be located in Room 405 of the Mitchell Courthouse. The other will be to the Statewide Government Intranet (SwGI), currently planned for Pod A of the DNR building in Annapolis. Both connections will likely take a minimum of from six months to a year to complete. The SwGI connection is in the early phases of being established and will require the Office of the Public Defender, and the Departments of Public Safety, Human Resources, Juvenile Justice, and Transportation to make similar changes on their ends of these connections. An additional benefit of the SwGI connection will be the elimination of four leased Frame Relay connections. Finding 3: We concur with this recommendation and have identified the 1,200 users noted in the analysis. To date we have eliminated all but sixty (60) user acids that are still under review for justified access. A final determination on these sixty individuals will be completed by February Finding 4: We concur with this recommendation. The primary points in this recommendation were: 1) that we replace our current Web Server software with something newer and therefore presumably more secure, and 2) that some access ports currently open to the web and elicense servers be eliminated. Replacing the Web Server software will occur in conjunction with the Application Server work that is currently underway. The unused access ports will be eliminated as part of the firewall upgrade. Page 2
23 Data Center Information System Security and Control Finding 5: We concur with this recommendation and have put procedures in place for oversight, review, approval and retention of all system access. Specifically, the analysis addresses the issue of jobs being submitted through the use of an assumed account and the system not recording who took the action. JIS has developed and implemented an audit feature for use of the assumed account to identify individual acids for job submissions by requiring individuals to log into the assumed account by their acid logon. Individuals logged onto our job scheduling software are already tracked by their respective acid if a job re-run needs to be submitted a second time. Additionally, we are currently testing program-pathing. Program-pathing will restrict those employees granted access to the acid assumed account to only be able to submit jobs on its behalf through the job scheduling software product. If successful in our testing, this will eliminate the auditors fear of job submissions performed outside of job scheduling software. This testing will be completed by the end of February. Finding 6: We concur in part with this recommendation and have initiated the following actions: All system changes will be recorded using our logging program for review, validation, approval, and retained for future audits. Access to all systems files has been restricted to Tech Support personnel only. JIS is currently in the process of deleting rules for products and data sets not currently in use. After the deletion of these rules, JIS will proceed with a review of the update access rules to all datasets defined with security privileges. Our third step will be to address the transactions and their access privileges making whatever changes are necessary. These steps will be completed by end of March. Overall, we will be addressing the rules definitions within a system product review. This review will begin as a template for software products as they are installed or as vendor software release upgrades are provided. It will also include a review process during the first software maintenance update for completeness. The templates will specifically address the security points of concern and corrective actions will be taken to resolve any discrepancies. Regarding the recommendation to remove unnecessary system files, it is JIS s technical viewpoint that removing vendor system files without the knowledge and consent of the Vendor Operating System software manufacturers is a greater risk to the Judiciary. Doing so might well jeopardize our Vendor support for the Operating system itself. Page 3
24 Finding 7: We concur with both points noted in the analysis and have taken the following corrective actions: All security events logging is done on a 24-hour basis each day with all changes recorded on the respective system s log. These logs and security violation reports will be reviewed, approved and retained for future audits by the Data Center Senior Manager on a regular schedule. Finding 8: We concur with this recommendation and JIS has initiated the following: A procedure has been implemented to allow JIS to review user acids with update access by identifying their logon prefix. In addition, programs are being rewritten to look at the users logon versus their terminal id to determine their level of access. Those not meeting the established criteria for update access will be denied access to make changes. This last change will be in place by March 31, Finding 9: JIS has responded with improvements to password controls as a result of the prior audit but the UCS platform s logon process is relatively complex and limiting. JIS has been investigating the possibility of having the operating system logon pass-through to the UCS application logon using the parameters noted in the recommendation. The amount of program changes, however, on both the operating system and UCS side, still need to be determined before we can comply fully with the recommendation. In addition to the changes noted here, JIS will be required to setup a training curriculum for the end users for this logon change if it is accepted. A decision on the feasibility of complying with the recommendation will be completed by the end of February. Finding 10: We concur with both points of the recommendation and the following project plans have been put into place to address these issues. 1) A system security program, based on the State s Security Standards and Procedures and COBIT, will be documented and completed by February ) The Judiciary is actively seeking a Hot Site and is in the process of updating its disaster recovery plan. Page 4
25
26 AUDIT TEAM Stephen P. Jersey, CPA, CISA Information Systems Audit Manager Richard L. Carter, CISA R. Brendan Coffey, CPA Albert E. Schmidt, CPA Information Systems Senior Auditors Amanda L. Trythall Staff Auditor
Judiciary Judicial Information Systems
Audit Report Judiciary Judicial Information Systems August 2016 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY For further information concerning this report
More informationDepartment of Public Safety and Correctional Services Information Technology and Communications Division
Audit Report Department of Public Safety and Correctional Services Information Technology and Communications Division January 2016 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
More informationUniversity System of Maryland Frostburg State University
Audit Report University System of Maryland Frostburg State University August 2013 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up
More informationMaryland Health Care Commission
Special Review Maryland Health Care Commission Security Monitoring of Patient Information Maintained by the State-Designated Health Information Exchange September 2017 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationI. PURPOSE III. PROCEDURE
A.R. Number: 2.11 Effective Date: 2/1/2009 Page: 1 of 5 I. PURPOSE This policy outlines the procedures that third party organizations must follow when connecting to the City of Richmond (COR) networks
More informationFerrous Metal Transfer Privacy Policy
Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and
More informationTexas A&M University: Learning Management System General & Application Controls Review
Overall Conclusion Overall, the controls established over the primary learning management system at Texas A&M University, Blackboard Learn (ecampus), are effective in providing reasonable assurance that
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationREPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division
Secretary of State Report No. 2003-20 June 3, 2003 AUDIT Department of Administrative Services Information Resources Management Division Follow Up REPORT Bill Bradbury, Secretary of State Cathy Pollino,
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationREPORT 2015/010 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationSTATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY
STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT JANUARY 2016 EXECUTIVE SUMMARY PURPOSE
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationINTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT
INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT AUDIT OF INFORMATION TECHNOLOGY ACF2 MAINFRAME SECURITY SOFTWARE Ken Burke, CPA* Ex Officio County
More informationUNIVERSITY OF NORTH CAROLINA CHARLOTTE
STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA UNIVERSITY OF NORTH CAROLINA CHARLOTTE INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT JULY 2017 EXECUTIVE SUMMARY
More informationFOLLOW-UP REPORT Industrial Control Systems Audit
FOLLOW-UP REPORT Industrial Control Systems Audit February 2017 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA The Auditor of the City and County of Denver
More informationInformation Technology Audit
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Minnesota State Retirement System Information Technology Audit June 23, 2009 Report 09-23 FINANCIAL AUDIT DIVISION
More informationPostal Inspection Service Mail Covers Program
Postal Inspection Service Mail Covers Program May 28, 2014 AUDIT REPORT Report Number HIGHLIGHTS BACKGROUND: In fiscal year 2013, the U.S. Postal Inspection Service processed about 49,000 mail covers.
More informationPublic Safety Canada. Audit of the Business Continuity Planning Program
Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely
More informationREPORT 2015/149 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results
More informationHISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security
HISPOL 003.0 The United States House of Representatives Internet/ Intranet Security Policy CATEGORY: Telecommunications Security ISSUE DATE: February 4, 1998 REVISION DATE: August 23, 2000 The United States
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More information2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY
2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on
More informationInformation Security for Mail Processing/Mail Handling Equipment
Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the
More informationOffice of MN.IT Services Data Centers
Office of MN.IT Services Data Centers Information Technology Controls and Compliance Audit As of November 2016 March 2, 2017 REPORT 17-06 Financial Audit Division Office of the Legislative Auditor State
More informationCIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in
More informationStandard for Security of Information Technology Resources
MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationThe University of British Columbia Board of Governors
The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:
More informationDATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS Audit Report 12-31 June 15, 2012 Henry Mendoza, Chair William Hauck Steven M. Glazer Glen O. Toney Members, Committee on Audit University
More informationGeneral Information System Controls Review
General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County
More informationINFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010
INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK Presented by Ronald E. Franke, CISA, CIA, CFE, CICA April 30, 2010 1 Agenda General Accountability Office (GAO) and IT Auditing Federal
More informationAUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03
AUDIT REPORT Network Assessment Audit Audit Opinion: Needs Improvement Date: December 15, 2014 Report Number: 2014-IT-03 Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationREPORT 2015/186 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/186 Audit of information and communications technology operations in the Secretariat of the United Nations Joint Staff Pension Fund Overall results relating to the effective
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationPrivacy Policy Effective May 25 th 2018
Privacy Policy Effective May 25 th 2018 1. General Information 1.1 This policy ( Privacy Policy ) explains what information Safety Management Systems, 2. Scope Inc. and its subsidiaries ( SMS ), it s brand
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationUNIVERSITY OF NORTH CAROLINA CHAPEL HILL
abd STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA UNIVERSITY OF NORTH CAROLINA CHAPEL HILL INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT NOVEMBER 2017 EXECUTIVE
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationThe City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.
Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV
More informationSPRING-FORD AREA SCHOOL DISTRICT
No. 801.1 SPRING-FORD AREA SCHOOL DISTRICT SECTION: TITLE: OPERATIONS ELECTRONIC RECORDS RETENTION ADOPTED: January 25, 2010 REVISED: October 24, 2011 801.1. ELECTRONIC RECORDS RETENTION 1. Purpose In
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS ELIZABETH CITY STATE UNIVERSITY JULY 2006 OFFICE OF THE STATE AUDITOR LESLIE MERRITT, JR., CPA, CFP STATE AUDITOR AUDIT OF THE
More informationREVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009
APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationRMU-IT-SEC-01 Acceptable Use Policy
1.0 Purpose 2.0 Scope 2.1 Your Rights and Responsibilities 3.0 Policy 3.1 Acceptable Use 3.2 Fair Share of Resources 3.3 Adherence with Federal, State, and Local Laws 3.4 Other Inappropriate Activities
More informationNASCIO Recognition Award Nomination. Title: Central Issuance of State Drivers Licenses. Category: Digital Government Government to Citizen
NASCIO Recognition Award Nomination Title: Central Issuance of State Drivers Licenses Category: Digital Government Government to Citizen State: North Carolina Executive Summary The NCDMV wanted to reduce
More informationInformation Security Incident Response and Reporting
Information Security Incident Response and Reporting Original Implementation: July 24, 2018 Last Revision: None This policy governs the actions required for reporting or responding to information security
More informationTimber Products Inspection, Inc.
Timber Products Inspection, Inc. Product Certification Public Document Timber Products Inspection, Inc. P.O. Box 919 Conyers, GA 30012 Phone: (770) 922-8000 Fax: (770) 922-1290 TP Product Certification
More informationFirewall Configuration and Management Policy
Firewall Configuration and Management Policy Version Date Change/s Author/s Approver/s 1.0 01/01/2013 Initial written policy. Kyle Johnson Dean of Information Services Executive Director for Compliance
More informationXO SITE SECURITY SERVICES
XO SITE SECURITY SERVICES 1.0 Product and Services 1.1 Product Description. XO Site Security (the "Service") is a managed security service which uses Premises-based, multi-threat sensing Customer Premises
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationCritical Cyber Asset Identification Security Management Controls
Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.
More informationPOLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents
POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Better Administration of Automated Targeting System Controls Can Further Protect Personally Identifiable Information (Redacted) NOTICE: The Department
More informationCriminal Case Information System for Public Defenders [Section 18B.10 of S. L , as amended by Section 18A.2 of S.L.
Criminal Case Information System for Public Defenders [Section 18B.10 of S. L. 2013-360, as amended by Section 18A.2 of S.L. 2014-100] Technology Services Division July 1, 2015 Introduction Section 18B.10
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationInternal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit
Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA AUDIT OF APPLICATION CONTROLS EMPLOYMENT SECURITY COMMISSION DECEMBER 2008 OFFICE OF THE STATE AUDITOR LESLIE W. MERRITT, JR., CPA, CFP STATE AUDITOR AUDIT OF APPLICATION CONTROLS
More informationINTERNAL AUDIT DIVISION REPORT 2017/037
INTERNAL AUDIT DIVISION REPORT 2017/037 Audit of business continuity and disaster recovery in the secretariat of the United Nations Joint Staff Pension Fund There was need to align the business continuity
More informationMASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY
Effective Date: 12 September 2017 MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY Mastercard respects your privacy. This Privacy Policy describes how we process personal data, the types of personal
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationMNsure Privacy Program Strategic Plan FY
MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationReviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationStatewide Information Technology Contingency Planning
New Jersey State Legislature Office of Legislative Services Office of the State Auditor Statewide Information Technology Contingency Planning March 9, 2015 to June 10, 2016 Stephen M. Eells State Auditor
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationNORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives
NORTH CAROLINA MANAGING RISK IN THE INFORMATION TECHNOLOGY ENTERPRISE NC MRITE Nominating Category: Nominator: Ann V. Garrett Chief Security and Risk Officer State of North Carolina Office of Information
More informationMOBILE.NET PRIVACY POLICY
MOBILE.NET PRIVACY POLICY As the operator of the Mobile.net website (https://mobile.net.ltd/) (Website), ADX Labs, LLC. (Company, we or us) is committed to protecting and respecting your privacy. The data
More informationCustomer Proprietary Network Information
Customer proprietary network information (CPNI) means information that relates to the quantity, technical configuration, type, destination, location, and amount of use of our service by you and information
More informationAUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014
UNITED NATIONS DEVELOPMENT PROGRAMME AUDIT OF UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY Report No. 1173 Issue Date: 8 January 2014 Table of Contents Executive Summary
More informationQuestion 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:
Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationDepartment Of Public Utilities Multi Vendor Reading System (MVRS) 12 Months ended December 31, 2011
REPORT # 2012-12 AUDIT Of the Department Of Public Utilities Multi Vendor Reading System (MVRS) 12 Months ended December 31, 2011 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations.
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More informationACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2018
Publications ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2018 Price: $399 Member Price: $199 (Publication #500-18) A new approach to payments advising
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationWHITE PAPER- Managed Services Security Practices
WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to
More informationPROCEDURE COMPREHENSIVE HEALTH SERVICES, INC
PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC APPROVAL AUTHORITY: President, CHSi GARY G. PALMER /s/ OPR: Director, Information Security NUMBER: ISSUED: VERSION: APRIL 2015 2 THOMAS P. DELAINE JR. /s/ 1.0
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS CARTERET COMMUNITY COLLEGE OCTOBER 2007 OFFICE OF THE STATE AUDITOR LESLIE MERRITT, JR., CPA, CFP STATE AUDITOR AUDIT OF THE INFORMATION
More informationInformation Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan
Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan 1 Introduction IT Risk and Compliance Officer in Information Management and Technology
More informationAdvisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100
U.S. Department of Transportation Federal Aviation Administration Advisory Circular Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: 00-62 AVIATION WEATHER AND NOTAMS Initiated by: ARS-100 1.
More information