FOLLOW-UP REVIEW OF RISK MANAGEMENT ETC RISK MANAGEMENT FRAMEWORK


2017 FOLLOW-UP REVIEW OF RISK MANAGEMENT, ETC RISK MANAGEMENT FRAMEWORK
MA. LUISA JASA-LOQUE IMAAN
HIGHER COLLEGE OF TECHNOLOGY, Educational Technology Center

DISTRIBUTION LIST

ETC QA COORDINATOR

Report Distribution List
Ms. Rehana Al Ameer, ETC-HoC
Ms. Zayana Al Sinawi, HoS-CSS
Ms. Nawal Al Dhanki, HoS-ESS
Ms. Najiya Al Omrani, HoS-LSS

TABLE OF CONTENTS
DISTRIBUTION LIST
    ETC QA COORDINATOR
    Report Distribution List
EXECUTIVE SUMMARY
    1. Background
    2. Objectives
    3. Audit Assurance
RISK PRIORITIZATION
    Priority 1: High Risks
    Priority 2: Significant Risks
    Priority 3: Moderate Risks
    Priority 4: Low Risks
ACTION PLAN

EXECUTIVE SUMMARY

1. Background
1.1 This document follows up the progress made towards implementing the Risk Action Plan that was written and discussed in the ETC Risk Framework, which was completed and submitted to the HCT QAU in May 2016.
1.2 This document also makes some recommendations, based on the team's risk assessment, in order to improve controls.

2. Objectives
The objectives of this follow-up document are:
o To determine whether the recommendations of the Risk Coordinator have been implemented.
o To evaluate the effect of any changes in the organization since the ETC Risk Framework was established in the department.
o To form a view on the appropriateness and usefulness of the current risk management framework.
o To create a guide to embedding the risk management framework within the organization.

3. Audit Assurance
The ETC Risk Framework adequately follows the developments that were introduced in October 2015 and will benefit from further improvements to ensure that it continues to improve in a constructive way.

RISK PRIORITIZATION

The recommendations are prioritized according to the level of risk as follows:
Priority 1: High Risks. High risks require detailed research, with management planning required at senior levels.
Priority 2: Significant Risks. Significant risks require senior management attention.
Priority 3: Moderate Risks. Moderate risks require management responsibility.
Priority 4: Low Risks. Low or minor risks are not critical and require routine procedures.

ACTION PLAN

Columns: Ref. | Original Recommendation | Priority | Agreed Action | Follow-Up Finding | Further Recommendations

Ref. 10-13

Original Recommendations
10. To ensure that HCTv is up and running, a follow-up on the submitted proposal for the equipment upgrade must be made from the department level down to the Finance Department.
11. To avoid network failure across the college, spare parts for network devices and peripherals must always be available. Maintain maintenance contracts for network devices/equipment.
12. The network team should coordinate with the data center team to determine the availability of Disaster Recovery. All requests and/or discussion should go through email to ensure an audit trail.
13. Coordinate with the Maintenance Department to maintain the basic standard requirement for air ventilation in the communication room.

Agreed Actions
10. Regular follow-up with the ETC Coordinator and the Finance Department for approval of the equipment upgrade.
11. The ETC presented and discussed the importance and benefits of purchasing the network devices with the Deanship.
12. The network team and the data center team are working collaboratively to provide smooth access to HCT e-services.
13. The network team will constantly monitor the air ventilation in the communication room.

Follow-Up Findings
10. Not implemented; the ETC and Finance Department prioritized important projects.
11. Based on the output of the presentation and discussion with the Deanship, the proposal and quotation were revised to suit the available budget.
12. The Data Center Team provided access to the network team and provides logs in order to give smooth access to the HCT e-services.
13. In 4 communication rooms the ACs were used alternately; in the 2 other communication rooms the ventilation is constantly monitored.

Further Recommendations
10. Distribute and implement HCTv via LAN: Agreed.
11. The ETC reviews the revised proposal to ensure that it treats the risk.
12. ETC management allowed overtime work for the staff in charge to provide stable access to HCT e-services.

Ref. 14-16

Original Recommendations
14. Review and implement the security controls (i.e. firewall, antivirus and network monitoring tools) and upgrade them in a timely manner.
15. Ensure all policies and procedures are properly maintained and followed by HCT students and staff.
16. Maintain all network components at appropriate levels and closely monitor the network signals.

Agreed Actions
14. Constant monitoring of logs.
15. Training and awareness is required annually for the whole network team.
16. Conduct monthly and annual reviews of wireless usage.

Follow-Up Findings
14. The network security administrator ensures that the switches, wireless controller and Fortinet are secured and protected from any virus attack.
15. Network team to update the policies and procedures.
16. Network technician to monitor the network components and network signals. Network team must conduct an annual review of the policies and procedures on wireless usage.

Further Recommendations
14. Allowing the network security administrator to work during the weekend to ensure the security of switches, wireless and controllers.
15. Annual review of policies and procedures. Annual training for all network staff.
16. Annual review of policies and procedures.

Ref. 17

Original Recommendation
17. Monitor access to the communication room in the new building and the server rooms at other locations within HCT, to secure the areas holding network equipment.

Agreed Action
17. Ensure that the policy and procedures related to physical access are properly implemented. Review the access granted to staff in a timely manner to make sure that there is no unauthorized access to the communication room and server rooms at other locations across the college.

Follow-Up Finding
17. Network team must conduct an annual review of the policies and procedures on the communication room and server rooms at other locations across the college.

Further Recommendation
17. Annual review of policies and procedures related to physical security of the communication room and server rooms at other locations across the college.

Ref. 18 and 19, 48

Original Recommendations
18. Implement the training needs analysis. Coordinate the training and development required by each staff member with the Staff Development Coordinator to enhance the knowledge and skills of the staff.
19, 48. As a server owner, you have to follow best practices in securing your server, such as:
o Server hygiene
o Server patching
o Access control
Have clear policies and procedures on the do's and don'ts of a server owner, coordinated with the Data Center to determine who is in charge of overseeing a specific server.

Priority: 1, Agreed

Agreed Actions
o There must be clear segregation of duties between the Web Administrator and the System Administrator under the Data Center Team.
o Delegation of responsibility in assigning server ownership must be clear.

Follow-Up Findings
o Team Leader to coordinate the performance of the staff with the HoS.
o Team Leader to review the policies and procedures, job responsibilities and segregation of duties.

Further Recommendations
o Conducted TNA.
o The cross-training program.

Ref. 20-21

Original Recommendations
20. Ensure that the policies and procedures on hosting a server are clearly discussed and agreed by both the Web Administrator and the Data Center Team. Technical control of your server is your responsibility as a server owner. A self-diagnostic tool must be established to assess the capabilities of your server and to identify any opportunities for improvement.
21. Perform database auditing and intrusion detection. Review and implement the security controls and upgrade them in a timely manner.

Priority: 1, Agreed (both rows)

Agreed Actions
o Periodically audit your database. Protect access to the database. Ensure that the Data Security Risk and Compliance Life Cycle is being followed and implemented.
o Constant monitoring of logs. Check the server maintenance regularly. Ensure all standards, procedures and policies are maintained and followed.

Follow-Up Findings
o Application developer and E-Learning Administrator to provide an auditing and monitoring report.
o Web administrator to send notification to the data center regarding any virus threat/attack and coordinate on the treatment.
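Rows 14 and 21 call for constant monitoring of logs and for intrusion detection, but do not say what the log review should look for. The following PowerShell script is an added example; it is not part of the ETC review and not the college's own tooling. It assumes the servers are Windows hosts whose Security log records Event ID 4625 (logon failure). The function names, the alert threshold, and the sample records at the end are choices made for this example, not values from the source.

```powershell
# Added example, not from the ETC review: a daily failed-logon sweep over the Windows Security log.
# Assumptions (not from the source): Windows servers, Event ID 4625, a threshold of 10 failures.

function ConvertFrom-LogonFailureEvent {
    # Flatten a 4625 EventLogRecord into account, source IP, workstation and NTSTATUS code.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        $field = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Account     = "$($field.TargetDomainName)\$($field.TargetUserName)"
            SourceIp    = $field.IpAddress
            Workstation = $field.WorkstationName
            Status      = $field.Status   # 0xC000006D = bad user name or password, 0xC0000234 = account locked out
        }
    }
}

function Get-LogonFailureAlerts {
    # Group failures by source IP and by account. Many accounts from one IP is the password-spraying
    # shape; many attempts on one account is brute force. Either over the threshold is worth an
    # incident report, which is the artefact rows 14 and 21 ask for.
    param([object[]] $Failures, [int] $Threshold = 10)
    $byIp = $Failures | Where-Object SourceIp | Group-Object SourceIp |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'source-ip'; Key = $_.Name; Count = $_.Count
                               Accounts = ($_.Group.Account | Sort-Object -Unique) -join ',' }
        }
    $byAccount = $Failures | Group-Object Account |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'account'; Key = $_.Name; Count = $_.Count; Accounts = $_.Name }
        }
    @($byIp) + @($byAccount)
}

# Live use, on the server or on a collector with rights to read the Security log:
#   $failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#               ConvertFrom-LogonFailureEvent
#   Get-LogonFailureAlerts -Failures $failures | Export-Csv (Join-Path $env:TEMP 'logon-failures.csv') -NoTypeInformation

# Offline demonstration on constructed records (not real log data): twelve failures from one
# address against twelve different accounts, plus one unrelated failure from another address.
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); Account = "HCT\user$_"
                       SourceIp = '10.0.0.99'; Workstation = 'LAB-PC7'; Status = '0xC000006D' }
}
$sample += [pscustomobject]@{ Time = Get-Date; Account = 'HCT\jdoe'
                              SourceIp = '10.0.0.5'; Workstation = 'LAB-PC1'; Status = '0xC000006D' }
Get-LogonFailureAlerts -Failures $sample -Threshold 10 | Format-Table -AutoSize
```

The two groupings are deliberately separate: a per-account threshold alone misses spraying, because each account sees only one or two failures, and a per-IP threshold alone misses a slow attack on a single account from several addresses. Events with an empty IpAddress (local console failures) are skipped in the per-IP grouping but still counted per account.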

Ref. 22, 37

Original Recommendation
22, 37. Coordinate with the Maintenance Department to meet the required standard for a high-availability power system in HCT.

Agreed Action
22, 37. Determine the power outage of each server and the duration of each outage.

Follow-Up Finding
22, 37. Each member of the data center team to report and coordinate with the Maintenance Department on any power fluctuation.

Ref. 23-25

Original Recommendations
23. Coordinate with the Maintenance Department to meet the required standard for the cooling system required in a data center environment.
24. The system admin must:
o Ensure that the backup is complete.
o Have a good copy of the environment.
25. Ensure all standards, procedures and policies are maintained and followed.

Agreed Actions
23. Regular monitoring of the temperature of the cooling system in the data center.
24. Backups should be validated to confirm that all are working properly.
25. Check the server maintenance regularly. Ensure that the anti-virus/anti-spyware software definitions are up to date.

Follow-Up Findings
23. Each member of the data center team to report and coordinate with the Maintenance Department regarding the monitoring of the cooling system in the data center.
24. System administrator to perform periodic backups to avoid any mishaps.
25. System administrator to send notification to the technical team to run the antivirus software in each assigned IT lab.

Further Recommendations
NA

Ref. 26-28

Original Recommendations
26. Ensure that the account management policy is properly implemented.
27. Conduct storage capacity planning to ensure that ETC keeps up with the growth of users in the college. With the help of storage capacity planning, ETC can predict future storage growth.
28. To ensure adequate performance and efficiency of the servers, the Team Leader, in coordination with the HoS and HoC, must decide whether to change or upgrade hardware (servers) that is more than 4 years old. Use virtualization and server hardware improvements to extend server life.

Agreed Actions
26. Delete the user accounts (student and staff) of those who are no longer working with or connected to HCT.
27. Conduct a storage assessment to help the data center understand how to reduce the time and effort required to manage storage capacity.
28. A cost-benefit analysis must be planned in order to determine

Follow-Up Findings
26. System administrator to regularly review the Active Directory user accounts: adds, moves, changes and account removals.
27. System administrator to provide the storage capacity planning and storage assessment to the Team Leader and HoS.
28. The cost-benefit analysis report must be presented to the HoS/HoC.
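Row 26 asks the system administrator to review the Active Directory user accounts regularly and to remove the accounts of staff and students who have left. The following PowerShell script is an added example; it is not part of the ETC review and not the college's own procedure. It assumes the RSAT ActiveDirectory module, a 90-day inactivity window and placeholder OU distinguished names under hct.example, none of which come from the source. It disables and records stale accounts rather than deleting them, so that the deletion itself stays a separate, reviewed step with the audit trail the framework asks for in rows 12 and 31.

```powershell
# Added example, not from the ETC review. Finds enabled AD user accounts with no logon in
# $InactiveDays days, writes a CSV report for the Team Leader/HoS, and disables them (dry run).
# Assumptions (not from the source): RSAT ActiveDirectory module installed, the OU distinguished
# names below are placeholders, and 90 days is the agreed inactivity window.
Import-Module ActiveDirectory

$InactiveDays = 90
$SearchOUs    = @('OU=Staff,DC=hct,DC=example', 'OU=Students,DC=hct,DC=example')   # placeholders
$DisabledOU   = 'OU=Disabled Accounts,DC=hct,DC=example'                            # placeholder
$ReportPath   = Join-Path $env:TEMP ('ad-stale-accounts-{0:yyyyMMdd}.csv' -f (Get-Date))
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates only every 9 to 14 days,
# so it proves "no logon for at least N days" but never gives an exact last-logon time.
$stale = foreach ($ou in $SearchOUs) {
    Get-ADUser -SearchBase $ou -Filter { Enabled -eq $true } `
               -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
        Where-Object {
            # An account that has never logged on is judged by its creation date, which gives
            # newly created accounts a grace period instead of disabling them at once.
            $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $lastSeen -lt $Cutoff
        } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated,
                      PasswordLastSet, Description
}

# 1. Audit trail first: the CSV is what accompanies the review sent to the Team Leader/HoS.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host ('{0} stale account(s); report written to {1}' -f @($stale).Count, $ReportPath)

# 2. Disable, annotate and move; do not delete. -WhatIf makes this a dry run: remove it only
#    after the report has been reviewed, and delete accounts later in a separate, approved step.
$stamp = Get-Date -Format 'yyyy-MM-dd'
foreach ($u in $stale) {
    Disable-ADAccount -Identity $u.DistinguishedName -WhatIf
    Set-ADUser -Identity $u.DistinguishedName `
               -Description "Disabled $stamp by ETC account review: inactive > $InactiveDays days" -WhatIf
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOU -WhatIf
}
```

Run it as a scheduled task with -WhatIf in place to produce the report each quarter; the disable step is enabled only once HR or the registrar has confirmed the list, since a long-absent account (sabbatical, deferred student) is indistinguishable from a departed one by logon data alone. Service accounts should live in their own OU outside $SearchOUs so that an interactive-logon test never disables them.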

Ref. 29, 30

Original Recommendation
29, 30. Operational policies, procedures and standards must be properly implemented.

Agreed Action
29, 30. Coordinate with the operational policies, procedures and standards.

Follow-Up Finding
29, 30. Team member under the data center to check the server connection, logs and server configuration.

Further Recommendation
29, 30. Incident report must be submitted to the Team Leader/HoS.

Ref. 31-34

Original Recommendations
31. Create operational policies and procedures and conduct awareness on the implementation of those policies and procedures.
32. To avoid any conflict of interest, ETC must establish an organizational control framework which handles the following:
o Organizational structure
o Job description
o Segregation of duties
33. Work restructuring to ensure greater job satisfaction for the employee.
34. Awareness about malware threats.

Agreed Actions
31. Each member of the data center must be responsible for the strict implementation of the procedures and internal controls of the data center.
32. Avoid giving critical tasks to staff who are involved in different committees outside ETC.
33. Use the results of staff performance in work restructuring to determine which tasks to assign to a specific staff member.
34. Coordinate with the Network Team to enable the firewall protection.

Follow-Up Findings
31. Team member to notify the team leader if any violations of the internal control procedures in the data center occur.
32. Team leader to review and update the job responsibilities of each team member.
33. Team leader to do the work restructuring in coordination with the HoS.
34. The assigned system administrator to work closely with the technical team in running the antivirus software in the IT Labs.

Further Recommendations
31. Audit trail and incident report must be submitted to the HoS.
32. Annual review of job responsibilities and evaluation of staff performance.
33. Annual review of job responsibilities and evaluation of staff performance.

Ref. 35, 36, 38

Original Recommendations
35. Implementation of operational policies and procedures to avoid malware threats.
36. Ensure that project requirements and other details are clearly discussed with the vendor. If there are any delays, the data center must know how to communicate, negotiate and decide in order to complete the project.
38. Ensure that TNA and job rotation are strictly followed and implemented. Conduct a cost-benefit analysis on licensed software.

Agreed Actions
o Consistent follow-ups with the vendor must be done.
o Work shadowing among the Data Center Team.
o Coordinate with the vendor, if possible, to provide free licenses for academic purposes.

Follow-Up Findings
o Project timetable and sign-off to be submitted to the HoS/HoC.
o Cross training is being implemented.
o Coordinate with the Academic Department on the software to be used in the IT Labs.

Further Recommendations
o Established physical resources team.
o Reviewed the TNA.
o Established physical resources team.

Ref. 39-40

Original Recommendations
39. Coordinate with ELC on the proposal to upgrade the computers in the ELC IT Labs.
40. Coordinate with the ESS on any issues concerning lamp problems in projectors.

Priority: 1, Agreed

Agreed Actions
39. Coordinate with the ELC on the computers which have compatibility issues with the OS.
40. Monitoring the projectors in all IT Labs regularly.

Follow-Up Findings
39. Monitoring the PCs in the IT Labs in the ELC area.
40. The assigned technical staff have to provide an incident report to the ERAM Team for any lamp problems in projectors.

Ref. 41-45

Original Recommendations
41. Constant coordination with the Data Center.
42. Constant coordination with the staff in charge of the Zero-Client Free Access Lab and the assigned technical staff.
43. Coordinate with the Network Team on any intermittent connection in the labs.
44. Coordinate with the Maintenance Department.
45. Coordinate with the Data Center on any virus alert received in the IT Labs.

Agreed Actions
41. Regular monitoring of the logs and provision of an incident report.
42. Monitoring the zero-client free access lab regularly.
43. Regular monitoring of all the IT Labs in the Engineering area and provision of an incident report with an audit trail for any intermittent connection in the labs.
44. Submit a request letter for the replacement of all broken chairs in all IT Labs.
45. Regularly update the logs and ensure that the checklist is updated.

Follow-Up Findings
41. Checking the IT Labs regularly.
42. Monitoring and checking the zero-client free access lab.
43. Monitoring of the network connection regularly.
44. Reported all the broken chairs and handed them over to the Maintenance Department.
45. Scan all the PCs in all the IT Labs.

Further Recommendations
Assigned: ensure that the tasks were accomplished by reviewing the task plan of the technical staff.