Information Security Standards 2015 Update IIPS Security Standards Committee Roderick Brower - Chair.
Presentation transcript:

IT Standards Committee Officers
- Roderick B. Brower, Chair (Ch. 1 - Classifying Data & Legal Requirements)
- Deborah Joyner (Ch. 2 - Securing the End User)
- Jeff Drake (Ch. 3 - Securing the Network)
- Chuck Hauser (Ch. 4 - Securing Systems)
- Karen Sasser (Ch. 5 - Physical Security)
- Bambi Edwards (Ch. 6 - Cyber Security Incident Response)
- Jodi Dyson (Ch. 7 - Business Continuity & Risk Management)

How Did We Get Here?
- New document released from SCIO (January 2015)
- Extensive review by IT Standards Team started in July
- Will submit to SCIO (post IIPS Conference)
- Seek approval from SCIO
- Yearly review of the IIPS Standards by the IIPS Committee, based on releases from the SCIO

Highlights
- Manual has been reduced from 15 to 7 chapters
- Consolidation
- Reduction of redundancy
- Document getting better

CIOs
- Local College CIO is defined (Introduction Section)
- Manages and implements the standards at the local level
- First point of contact on issues of concern (conduit to State CIO)
- Works closely with the Business & Finance area on PCI Compliance

Data Owners and Custodians
- Classifying Information
- Responsible for data
- Responsible for data procedures (software development requests, testing, patch approvals)
- These individuals should be clearly defined and documented by title in college manuals

User Re-Certification
- Managing Access Control Standards
- User rights shall be reviewed and approved by data owners at six (6)-month intervals.
- Yearly?????

030107 Time-Out Facility
- For some higher risk information systems, such as systems that process student or employee data, tax data, or credit card information, the requirement for a session idle timeout shall be 15 minutes or less, as determined by law or industry standards.
- The local college CIO should make the determination as to which system(s) should meet this timeout requirement.

System Configuration Manual
- Systems Documentation: colleges should develop and maintain additional documentation that details hardware and software placement and configuration, provides flowcharts, etc.
- Documentation should include:
  - Vendor name, address, and contact information
  - License number and version
  - Update information
  - Configuration reports and listings for operating system and server software
  - BIOS revision information
  - Port listing

Passwords
- Managing User Access (020102): user credentials that are inactive for a maximum of ninety (90) days must be disabled, except as specifically exempted by the security administrator.
- Passwords defined (020106):
  - At least eight characters in length
  - Strong passwords for High Security Systems
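The two access-control rules above (020102: disable credentials inactive for more than 90 days unless the security administrator has exempted them; the User Re-Certification slide: data owners review user rights at six-month intervals) are the kind of thing a college can check mechanically from its account records. The script below is an added illustration and is not part of the IIPS manual or this presentation; it runs over a constructed list of accounts and reports which ones need disabling or recertification. The account fields, the exemption flag, and the choice to approximate "six months" as 183 days are assumptions made here, not wording from the manual.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Dict, List, Tuple

# 020102: credentials inactive for a maximum of ninety (90) days must be disabled.
INACTIVITY_LIMIT_DAYS = 90
# Data owners review user rights at six-month intervals; this script
# approximates "six months" as 183 days (an assumption, not the manual's text).
RECERT_INTERVAL_DAYS = 183


@dataclass
class Account:
    """One directory/application account as a college might export it (hypothetical shape)."""
    username: str
    last_login: date                      # most recent successful authentication
    last_recertified: Optional[date]      # last data-owner review; None = never reviewed
    exempt: bool = False                  # exemption granted by the security administrator


def days_since(when: Optional[date], today: date) -> Optional[int]:
    """Whole days between `when` and `today`, or None if the date is unknown."""
    return None if when is None else (today - when).days


def audit_account(acct: Account, today: date) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for one account; empty list means compliant."""
    findings: List[Tuple[str, str]] = []

    idle = days_since(acct.last_login, today)
    if idle is not None and idle > INACTIVITY_LIMIT_DAYS and not acct.exempt:
        findings.append(("DISABLE",
                         f"inactive for {idle} days (limit {INACTIVITY_LIMIT_DAYS})"))

    since_review = days_since(acct.last_recertified, today)
    if since_review is None:
        findings.append(("RECERTIFY", "no data-owner review on record"))
    elif since_review > RECERT_INTERVAL_DAYS:
        findings.append(("RECERTIFY",
                         f"last reviewed {since_review} days ago (limit {RECERT_INTERVAL_DAYS})"))
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every account and keep only those with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample data; the usernames and dates are invented for this example.
AUDIT_DATE = date(2015, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", date(2015, 9, 28), date(2015, 6, 15)),           # compliant
    Account("old_contractor", date(2015, 5, 1), date(2015, 2, 1)),     # idle and overdue
    Account("svc_backup", date(2015, 1, 10), date(2015, 8, 1), exempt=True),  # exempted
    Account("dlee", date(2015, 9, 30), None),                          # never reviewed
]


def main() -> None:
    for user, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        for code, detail in findings:
            print(f"{user:16s} {code:10s} {detail}")


if __name__ == "__main__":
    main()
```

Exempted accounts are skipped only for the inactivity rule; they still fall due for recertification, since the standard ties the exemption to disabling, not to the data owner's review. A real deployment would read `last_login` and `last_recertified` from the directory and the access-review records rather than from the constructed list.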

Highlights: Using Laptop/Portable Computers
- Must adhere to the College Acceptable Use Policy
- Training to raise user awareness of the additional risks that accompany mobile computing and the controls with which users must comply
- If not protected by encryption software, the BIOS password on such devices must be enabled if technically possible.
- Training to raise user awareness of the additional risks that accompany mobile computing and the controls that should be implemented.

Highlights: Chapter 7 - Business Continuity and Risk Management
- Initiation
- Development
- Implementation
- Assessment
- Constant revisiting of the plan, constant improvement.

Incidents
- Reporting Information Security Incidents
- Incident Response Reporting
- Local CIO is the first point of contact and handles reporting of incidents
- ITS is notified by the local CIO

Local Implementation
- You do NOT have to re-write these standards at your local institution
- This manual should be referenced in your local Administrative Procedures Manual
- The statement should reflect that all standards included in the NCCC Information Security manual are followed locally
- Any deviation from the manual needs to be documented locally, and the college needs to be prepared to justify the deviation

Looking Forward
- Living document (this document is not perfect)
- Manual will be updated as the Statewide Manual is updated
- Edits will be sent out, reviewed, and adopted at the "upcoming" IIPS Conference (as needed)

Q&A
- Once approved by SCIO, the official document will be placed on the IIPS website: (About IIPS Tab)