IBM GTS Storage Security and Compliance overview.

Presentation transcript:


SECURITY, COMPLIANCE, RISK MANAGEMENT & TESTING – SUMMARY

IBM has implemented a range of security control elements: identification; authentication; authorization; information protection and confidentiality; service integrity and availability; activity auditing; assurance; security incident reporting and management; and physical access controls.

Security: a series of internal tests and metrics used to assess, validate and identify issues against agreed standards:
- ID management
- Firmware management
- Inventory control
- Health checking

Compliance: underpinning security and compliance is a risk-based approach to addressing issues and a series of in-depth independent tests that all IBM accounts are periodically subjected to:
- Internal audits and business controls reviews
- Process testing
- Regulatory reviews (if applicable)

Security and Compliance – protect, test and validate

IBM IT SECURITY POLICY STANDARDS – SUMMARY
- Technical measures to address propagation or execution of unapproved code (e.g., viruses and other malware) on a prescribed, prioritized schedule
- Regular vulnerability scans and penetration testing
- Security advisory actions and issues to be remediated on a timely basis, based on a classification of severity
- Technical controls designed to prevent denial of service attacks
- Specific security measures for remote access to IBM internal systems from outside the logical firewall, including a mandatory VPN client
- Specifications for devices to be registered in a database used for control and audit purposes
- Requirement to undergo security health checks prior to initial service activation and as per a mandated check schedule

NOTE: There are some additional controls that are not relevant to storage.

IBM GTS STORAGE MANAGEMENT PROCESS
Required to deliver secure and efficient storage services. Consists of 3 main task-based areas:
- Handling updates of the storage environment
- Delivering a secure and efficient storage service in business as usual
- Handling storage vendor alerts or other global directions

Supporting standards and guidance areas acting as primary controls:
- Firmware management: microcode strategy / code currency
- Security vulnerability services
- Technical specifications
- Inventory management
- Issue management
- Health checking
- Identity and access management

IBM GTS STORAGE COMPLIANCE PROGRAM – SUMMARY
A series of secondary control tests performed periodically on all IBM GTS Storage accounts to:
- Validate conformity to process, standards and client requirements
- Examine non-compliance issues and drive remediation
- Identify opportunities for continuous improvement
- Support the evaluation of business risks

Testing is conducted in the following areas:
- User ID revalidation
- Health checks
- Inventory validation
- Firmware currency
- Security vulnerability enrollment
- Build and decommission

Additionally, custom testing is commissioned based on client request.

IBM GTS IT RISK MANAGEMENT – SUMMARY
IBM IT Risk Management provides the oversight and framework for managing information security risks and non-compliance issues where IBM GTS provides services to customers.

Core areas are:
- Means to identify, analyze and evaluate the risks
- Determining the appropriate treatment

Deliverables from this area are:
- Root Cause Analysis (RCA) guidance
- Framework for Customer Threat Management (CTM)
- Method that GTS uses for Risk Assessment and Response (RAaR)

Questions: Steve Biles (Steve Biles/Sweden/IBM), BILES@se.ibm.com

69013769USEN-01