...Card Security Policy 17 2.1 Introduction 17 2.2 Scope of Compliance 17 2.3 Requirement 1: Build and Maintain a Secure Network 17 2.4 Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters 18 2.5 Requirement 3: Protect Stored Cardholder Data 19 2.6 Requirement 4: Encrypt Transmission of Cardholder Data across Open and/or Public Networks 20 2.7 Requirement 5: use and Regularly Update Anti-Virus Software or Programs 20 2.8 Requirement 6: Develop and Maintain Secure Systems and Applications 21 2.9 Requirement 7: Restrict Access to Cardholder Data by Business Need to Know 21 2.10 Requirement 8: Assign a Unique ID to Each Person with Computer Access 22 2.11 Requirement 9: Restrict Physical Access to Cardholder Data 22 2.12 Requirement 10: Regularly Monitor and Test Networks 23 2.13 Requirement 11: Regularly Test Security Systems and Processes 25 2.14 Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors 26 2.15 Revision History 29 3 Acceptable Use Policy 30 3.1 Overview 30 3.2 Purpose 30 3.3 Scope 30 3.4 Policy 31 3.5 Policy Compliance 35 3.6 Related Standards, Policies and Processes 35 3.7 Definitions and Terms 35 3.8 Revision History 36 4 Ethics Policy 37 4.1 Overview 37 4.2 Purpose 37 4.3 Scope 37 4.4 Policy 38 4.5 Policy Compliance 39 4.6 Exceptions 40 4.7 Related Standards, Policies and...
Words: 26545 - Pages: 107
...Prepared October 4, 2013 Proprietary and confidential REQUEST FOR PROPOSAL Table of Contents USING THIS TEMPLATE 3 TEMPLATE CONTENTS 3 INTRODUCTION AND BACKGROUND 5 PURPOSE OF THE REQUEST FOR PROPOSAL 5 ADMINISTRATIVE 6 TECHNICAL CONTACT 6 CONTRACTUAL CONTACT 6 DUE DATES 6 SCHEDULE OF EVENTS 7 GUIDELINES FOR PROPOSAL PREPARATION 8 PROPOSAL SUBMISSION 8 DETAILED RESPONSE REQUIREMENTS 10 EXECUTIVE SUMMARY 10 SCOPE, APPROACH, AND METHODOLOGY 10 DELIVERABLES 11 PROJECT MANAGEMENT APPROACH 11 DETAILED AND ITEMIZED PRICING 11 APPENDIX: REFERENCES 11 APPENDIX: PROJECT TEAM STAFFING AND BIOGRAPHIES 11 APPENDIX: COMPANY OVERVIEW 12 EVALUATION FACTORS FOR AWARD 13 CRITERIA 13 SCOPE OF WORK 14 REQUIREMENTS 14 DELIVERABLES 14 USING THIS TEMPLATE Savid Technologies has developed this Request For Proposal (“RFP”) template to help organizations identify and select a quality security vendor to perform professional services work. This template is based on templates provided by Foundstone, Verisign, and other security institutions, as well as the countless RFP responses Savid has provided. It also lists questions organizations should consider asking potential vendors to ensure that a thorough and comprehensive approach to the project will be taken. This template applies to a variety of information security projects including: External Network Vulnerability Assessment...
Words: 2629 - Pages: 11
...Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016 Document Changes Date October 2008 Version 1.2 Description Pages To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. 1.2.1 32 Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. 33 For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” July 2009 5 64 October 2010 2.0 Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. November 2013 3.0 Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. April 2015 3.1 Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. April 2016 3.2 Update from PCI DSS v3.1. See PCI DSS – Summary...
Words: 57566 - Pages: 231
...Assessment Worksheet Applying OWASP to a Web Security Assessment Web Security Management COM-545 Course Name and Number: _____________________________________________________ Plinio Alves Student Name: ________________________________________________________________ Manh Nguyen Instructor Name: ______________________________________________________________ 10/30/15 Lab Due Date: ________________________________________________________________ Overview In this lab, you explored the Open Web Application Security Project (OWASP) Web site and reviewed its Web application test methodology. You studied the standards and guides published by this project and summarized your findings. Finally, you drafted a Web Application Test Plan based on the information you gained in your OWASP research. Lab Assessment Questions & Answers 1. Identify the four recognized business functions and each security practice of OpenSAMM. The four business functions are governance, construction, verification and deployment. 2. Identify and describe the four maturity levels for security practices in SAMM. Phase I: Awareness & Planning Phase II: Education & Testing Phase III: Architecture & Infrastructure Phase IV: Governance & Operational Security 3. What are some activities an organization could perform for the security practice of Threat Assessment? Starting with simple threat models and building to more detailed methods of threat analysis and weighting, an organization improves...
Words: 586 - Pages: 3
...Risk-Based IT Audit Risk-Based Audit Methodology Apply to Organization’s IT Risk Management Kun Tao (Quincy) Cal Poly Pomona Author Note This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson. March 2014 Page 1 of 26 Risk-Based IT Audit Table of Contents Abstract .......................................................................................................................................... 3 Introduction .................................................................................................................................... 4 Methodology................................................................................................................................... 6 Risk-based auditing methodology: Risk assessment...................................................................... 6 IT Risk Management................................................................................................................... 7 IT Risk Control Framework........................................................................................................ 8 Identifying assets...................................................................................................................... 13 Determining criticality and confidentiality levels......................................................................14 Threat and vulnerability identification................................................................
Words: 6057 - Pages: 25
...INTRODUCTION (Task 1) First World Bank Savings and Loan (also referred to as “us”, “we”, “the company”, etc.) has been investigating the use of a Linux-based infrastructure architecture. The task team has already made recommendations to evaluate and prototype this kind of setup. Key factors are cost of ownership, scalability, and reliability. Other factors that remain are maintaining confidentiality, integrity, and availability (the CIA triad), and ensuring stable, secure support of the over $100,000,000 in transactions completed annually. As a financial institution, we must also bear in mind compliance with the Gramm-Leach-Bliley Act (GLBA), as well as the Payment Card Industry Data Security Standard (PCI-DSS) since we process credit card transactions, and the Sarbanes-Oxley Act (SOX) as we are publicly traded. Regardless of all these factors, rough estimates indicate we can save close to $4,000,000 in licensing fees alone by moving to a Linux-based infrastructure. Despite the open source nature of Linux, we should be able to meet all of the technical, legal, and security needs for this transition. TECHNICAL INFRASTRUCTURE NEEDS (Task 2) Thanks to the task team assigned to this project, an outline of the network and routing needs has already been completed. The following services will be required: • A database server o Recommended solution: DBMS MySQL • A Web server o Recommended solution: Apache • A file server o Recommended solution: Red...
Words: 1376 - Pages: 6
...than 20% of enterprises will rely only on firewalls or intrusion prevention systems to protect their Web applications — down from 40% today. By year-end 2020, more than 50% of public Web applications protected by a WAF will use WAFs delivered as a cloud service or Internet-hosted virtual appliance — up from less than 10% today. Market Definition/Description The Web application firewall (WAF) market is defined by a customer's need to protect internal and public Web applications when they are deployed locally (on-premises) or remotely (hosted, "cloud" or "as a service"). WAFs are deployed in front of Web servers to protect Web applications against hackers' attacks, to monitor access to Web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically it was the only way to perform some in-depth inspections. Other deployment modes exist, such as transparent proxy, bridge mode, or the WAF being positioned out of band (OOB) and, therefore, working on a copy of the network traffic. The primary WAF benefit is providing protection for custom Web applications that would otherwise go unprotected by other technologies that guard only against known exploits and prevent vulnerabilities in off-the-shelf Web application software...
Words: 10448 - Pages: 42
...The Necessity of Information Assurance Adam Smith Student ID: Western Governors University The Necessity of Information Assurance 2 Table of Contents Abstract ........................................................................................................................................... 5 Introduction ..................................................................................................................................... 6 Project Scope .............................................................................................................................. 6 Defense of the Solution ............................................................................................................... 6 Methodology Justification .......................................................................................................... 6 Explanation of the Organization of the Capstone Report ........................................................... 7 Security Defined ............................................................................................................................. 8 Systems and Process Audit ............................................................................................................. 9 Company Background ................................................................................................................ 9 Audit Details .......................................................................
Words: 12729 - Pages: 51
...distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of WATERWORLD WATERPARKS Executive Management. Revision History | Changes | Approved By | Date | | Initial Publication | John Smothson | 3-23-2011 | Table of Contents 1 Introduction and Scope 8 1.1 Introduction 8 1.2 Payment Card Industry (PCI) Compliance 8 1.3 Scope of Compliance 8 2 Policy Roles and Responsibilities 10 2.1 Policy Applicability 10 2.2 Information Technology Manager 10 2.3 Information Technology Department 11 2.4 System Administrators 12 2.5 Users – Employees, Contractors, and Vendors 12 2.6 Human Resource Responsibilities 12 2.6.1 Information Security Policy Distribution 13 2.6.2 Information Security Awareness Training 13 2.6.3 Background Checks 13 3 IT Change Control Policy 15 3.1 Policy Applicability and Overview 15 3.2 Change Request Submittal 15 3.2.1 Requests 15 3.2.2 Request Approval 15 3.2.3 Request Management 17 3.2.4 Projects 17 3.3 Change Request Approval 18 3.4 Project Approval 18 3.5 Change Testing 19 3.6 Change Implementation 19 3.6.1 Release 19 3.6.2 Release Approval 19 4 Data Classification and Control Policy 20 4.1 Policy Applicability 20 4.2 Data Classification 20 4.2.1 Introduction 20 4.2.2 Information Categories...
Words: 28277 - Pages: 114
...Final Project Report for Media Tracking System Version 2.0 approved [pic] Table of Contents Table of Contents i Revision History iii Group Members iii 1. Final Project Summary i 1.1. Content Summary i 1.2. Lessons Learned ii 1.3. Learning Outcomes Summary ii 1.3.1 Communications iii 1.3.2 Critical Thinking v 1.3.3 Network Design v 1.3.4 Management Information Systems v 1.3.5 Systems Administration and Scripting vi 1.3.6 Security vi 1.3.7 Employability vi 2. Future directions vii 3. Annotated Bibliography viii 4. Appendix A: Vision and Scope viii 5. Appendix B: Status Report 1 15 6. Appendix D: Presentation Slides 27 7. Appendix E: Other Deliverables/Artifacts 27 Revision History |Name |Date |Reason For Changes |Version | |Kenneth Wright |07/01/2010 |Initial Draft |1.0 | |Kenneth Wright, et al |07/15/2010 |With contributions and edits from all team members, we |1.5 | | | |refined the document | | |Kenneth Wright, et al |07/23/2010 |Style, editing, additional information from all team |1.6 ...
Words: 3643 - Pages: 15
...Risk Assessment in Information Technology Risk Assessment in Information Technology This paper will address risk assessment in Information Technology and discuss the factors used to identify all kinds of risks in a company network diagram. It will also assess the risk factors that apply to the Company and give the assumptions related to the security data as well as the regulatory issues surrounding risk assessment. In addressing the global implications, the paper will propose network security vulnerabilities and recommend mitigation measures for the vulnerabilities. Cryptography recommendations based on data-driven decision-making will be assessed, and risk assessment methodologies developed. Risk assessment in Information Technology Risk assessment is one of the mitigation methods for network design. Scanners or vulnerability tools are used to identify the risks or vulnerabilities within the network design. The risks can be identified by these tools as they extend beyond software defects to incorporate other vulnerabilities including mis-configurations (Rouse, 2010). Shareware assessment tools are accessible online and can be used to supplement commercial scanners. Framework of risk assessment * Step 1 – categorizing information and information systems. Here unique department traits are highlighted and assigned impact levels (high, medium or low) in line with FISMA’s security objectives (confidentiality, integrity and availability)...
Words: 3240 - Pages: 13
...ANNUAL REPORT 2015 Financial Highlights As of or for the year ended December 31, (in millions, except per share, ratio data and headcount)
| Reported basis1 | 2015 | 2014 |
| Total net revenue | $93,543 | $95,112 |
| Total noninterest expense | 59,014 | 61,274 |
| Pre-provision profit | 34,529 | 33,838 |
| Provision for credit losses | 3,827 | 3,139 |
| Net income | 24,442 | 21,745 |
| Per common share data | | |
| Net income per share: Basic | $6.05 | $5.33 |
| Net income per share: Diluted | 6.00 | 5.29 |
| Cash dividends declared | 1.72 | 1.58 |
| Book value | 60.46 | 56.98 |
| Tangible book value2 | 48.13 | 44.60 |
| Selected ratios | | |
| Return on common equity | 11% | 10% |
| Return on tangible common equity2 | 13 | 13 |
| Common equity Tier 1 (“CET1”) capital ratio3 | 11.6 | 10.2 |
| Tier 1 capital ratio3 | 13.3 | 11.4 |
| Total capital ratio3 | 14.7 | 12.7 |
| Selected balance sheet data (period-end) | | |
| Loans | $837,299 | $757,336 |
| Total assets | 2,351,698 | 2,572,274 |
| Deposits | 1,279,715 | 1,363,427 |
| Total stockholders’ equity | 247,573 | 231,727 |
| Headcount | 234,598 | 241,359 |
Note: 2014 has been revised to reflect the adoption of new accounting guidance related to debt issuance costs and investments in affordable housing projects. For additional information, see Accounting and Reporting Developments and Note 1 on pages 170 and 183, respectively. 1 Results are presented in accordance with accounting principles generally accepted in the United States of America (U.S. GAAP), except where otherwise noted. 2 Non-GAAP financial measure. For further discussion, see “Explanation and Reconciliation of the Firm’s Use Of Non-GAAP ...
Words: 207037 - Pages: 829
...Lab Five Executive Summary A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution (Open Web Application Security Project [OWASP], 2014a). Vulnerability is a flaw or weakness in a system's design, implementation, operation or management that could be exploited to compromise the system's security objectives. A threat is anything such as a malicious external attacker, an internal user, or a system instability that can harm the owner’s assets by an application or resource of value, such as data in a database or in the file system by exploiting vulnerabilities. A test is an action to demonstrate that an application meets the security requirements of its stakeholders (OWASP, 2014a). Test to Be Performed The first phase in security assessment is focused on collecting as much information as possible about a target application. Information Gathering is the most critical step of an application security test. The security test should endeavor to test as much of the code base as possible...
Words: 5541 - Pages: 23
...several sources showing progression from initial conception to present day use. With today’s rapidly changing environment, one must question how outsourcing will adapt, allowing for continued success. Introduction In recent years, consumers have felt the impact of outsourcing on a personal level as they contact technical support for computers, satellite, and other services. While the ideas have been utilized for decades, outsourcing has become more common today as companies attempt to downsize without compromising success. The following will examine the concepts driving companies to use outsourcing as a worthwhile business strategy, utilizing several sources showing progression from initial conception to present day use. Outsourcing Overview Outsourcing involves transferring work or tasks to an external party, allowing for partnerships with other organizations (Power, Desouza, & Bonifazi, 2006). Early attempts at outsourcing allowed leadership to delegate noncore activities in an attempt to find faster, less expensive options, freeing up opportunity for managers to focus on more daunting tasks requiring immediate resources. Encouraging efficiency, outsourcing also creates effectiveness, allowing managers to outsource work requiring specific knowledge and expertise...
Words: 5064 - Pages: 21
...2454 Federal Register / Vol. 76, No. 9 / Thursday, January 13, 2011 / Proposed Rules 1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the ‘‘Submit a comment’’ instructions. 2. By regular mail. You may mail written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS–3239– P, P.O. Box 8010, Baltimore, MD 21244– 8010. Please allow sufficient time for mailed comments to be received before the close of the comment period. 3. By express or overnight mail. You may send written comments to the following address only: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS–3239–P, Mail Stop C4–26–05, 7500 Security Boulevard, Baltimore, MD 21244–1850. 4. By hand or courier. If you prefer, you may deliver (by hand or courier) your written comments before the close of the comment period to either of the following addresses: a. For delivery in Washington, DC— Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445–G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in...
Words: 34753 - Pages: 140