Search results

  • ==FFIEC Information Technology Examination Handbook Executive Summary== ...ve effort of the FFIEC’s five member agencies, has replaced the 1996 FFIEC Information Systems Examination Handbook (1996 Handbook). ...
    15 KB (2,060 words) - 17:47, 15 June 2007
  • ...1)''' The term '''information security''' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification ...st improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; ...
    2 KB (327 words) - 00:58, 1 June 2010
  • ...financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency, including the resources expended for—<br> :'''(B)''' acquiring, installing, and utilizing technology and systems; ...
    5 KB (795 words) - 00:35, 1 June 2010
  • ...bility to identify, acquire, install, and maintain appropriate information technology systems.” The process includes the internal development of software applic ...o deliver products or services, maintain a competitive position, or manage information.<br> ...
    12 KB (1,538 words) - 22:41, 25 April 2007
  • =='''Vulnerability Management Standard'''== ...jectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.<br> ...
    9 KB (1,122 words) - 14:12, 1 May 2010
  • '''Federal Information Security Management Act (FISMA)''' ...the implementation of and compliance with the Federal Information Security Management Act including: ...
    9 KB (1,252 words) - 19:19, 19 April 2010
  • ...hanges to business processes, technology and skills are assessed. Business management, supported by the IT function, should assess the feasibility and alternativ Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (357 words) - 14:15, 3 May 2006
  • ...igence Directives.''' Protecting Special Access Program Information Within Information Systems policy excerpt: [[Media:JAFAN_6_3.pdf]]<br> :'''Avoid Session Management Pitfalls:''' [[Media:session-management-security.pdf]]<br> ...
    6 KB (839 words) - 16:22, 23 April 2007
  • == Requirement 12: Maintain a policy that addresses information security. == ::[[Image:Key-control.jpg]][[PCI-12.3.1:|PCI-12.3.1 Explicit management approval.]]<br> ...
    7 KB (988 words) - 19:11, 7 July 2006
  • ...virus control) across the organization to protect information systems and technology from malware (viruses, worms, spy-ware, spam, internally developed fraudule ...shed procedures across the organization to protect information systems and technology from computer viruses. ...
    8 KB (1,177 words) - 19:00, 25 June 2006
  • ==Security requirements of information systems== ...egory is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.<br> ...
    9 KB (1,170 words) - 14:05, 22 May 2007
  • ...mation technology (IT) systems and their performance management and [[risk management]]. The rising interest in IT governance is partly due to compliance initiat ...bility framework to encourage desirable behavior in the use of information technology."''<br> ...
    12 KB (1,686 words) - 11:47, 30 May 2015
  • ...ding networks, systems, and applications that store, process, and transmit information assets.<br> ...tives established in the [[Sample Asset Management Policy:|'''Sample Asset Management Standard''']], and provides specific instructions and requirements for esta ...
    9 KB (1,213 words) - 13:20, 9 March 2009
  • ...rization controls over the initiation of transactions, resulting financial information may not be reliable. :::a. [[SOX.2.7.10:|'''SOX.2.7.10''']] Management protects sensitive information— logically and physically, in storage and during transmission—against unaut ...
    5 KB (721 words) - 11:49, 28 March 2008
  • ==Incident Management== ...| Service Level Management]] process area. The first goal of the incident management process is to restore a normal service operation as quickly as possible and ...
    9 KB (1,371 words) - 16:40, 23 May 2007
  • ...odies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded down Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    3 KB (410 words) - 13:30, 4 May 2006
  • ...ings are well known in hacker communities and easily determined via public information.<br> ...ngs, and disabling of SSID broadcasts. Enable Wi-Fi Protected Access (WPA) technology for encryption and authentication when WPA-capable.]]<br> ...
    2 KB (283 words) - 17:00, 26 June 2006
  • ...bjective of this category is to ensure the correct and secure operation of information processing facilities.<br> ==Communications and Operations Management== ...
    19 KB (2,609 words) - 13:51, 23 May 2007
  • ...nd followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration and user-acceptance-level testin Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    6 KB (878 words) - 13:34, 23 June 2006
  • ...chnology - Security techniques - Code of practice for information security management''. ...ng or maintaining [[ISMS|Information Security Management Systems]] (ISMS). Information security is defined within the standard in the context of the [[CIA triad|C ...
    8 KB (1,111 words) - 10:30, 15 April 2012
  • ...s granted to some users increases the risk of accidental damage or loss of information and systems.<br> Financial institutions should have a process to verify job application information on all new employees. The sensitivity of a particular job or access level m ...
    10 KB (1,327 words) - 12:54, 10 April 2007
  • [[PO1.1:| 1.1 IT Value Management]]<br> [[PO1.6:| 1.6 IT Portfolio Management]]<br> ...
    4 KB (517 words) - 19:07, 14 June 2007
  • ...sider include impact analysis, cost/benefit justification and requirements management.<br> ...nd followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration and user-acceptance-level testin ...
    3 KB (425 words) - 13:19, 23 June 2006
  • ...systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also Information assurance as a field has grown from the practice of [[information security]] which in turn grew out of practices and procedures of [[computer ...
    7 KB (983 words) - 10:41, 15 April 2012
  • '''EVALUATION OF CONTROLS IN INFORMATION SYSTEMS (IS) QUESTIONNAIRE'''<br> ...estion. This can generally be achieved if the company involves an internal information systems auditor in the question answering process. Specific “Guidance Point ...
    8 KB (1,155 words) - 20:14, 25 June 2006
  • ...res that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.<br> ...ol oriented professionals who have experience in accounting, auditing, and information security. A SSAE 16 engagement allows a service organization to have its co ...
    10 KB (1,457 words) - 21:20, 21 August 2012
  • ...r abnormal activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access rights and retenti ...ngs, and disabling of SSID broadcasts. Enable Wi-Fi Protected Access (WPA) technology for [[Encryption | encryption]] and authentication when WPA-capable.<br> ...
    7 KB (975 words) - 16:57, 9 April 2007
  • ::Information Security Staff ::Interested Executive and Business Unit Management. ...
    2 KB (315 words) - 18:46, 25 September 2006
  • ...tablishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment. Company information and telecommunications systems and equipment, including Internet, electroni ...
    3 KB (464 words) - 17:48, 14 January 2014
  • ...protection and management objectives, and define acceptable use of Company information assets.<br> ...iality, integrity, and availability of Company information assets. Company information assets are defined in the [[Sample Asset Identification and Classification ...
    10 KB (1,314 words) - 18:06, 15 March 2009
  • ...ly dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    9 KB (1,301 words) - 16:55, 25 April 2007
  • ...d sites supporting the Company, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated stan ...through systems owned or administered by or on the behalf of the Company. Information Assets include all personal, private, or financial data about employees, cl ...
    9 KB (1,430 words) - 14:56, 28 August 2009
  • ::'''(A)''' providing information security protections commensurate with the risk and magnitude of the harm r :::'''(i)''' information collected or maintained by or on behalf of the agency; and<br> ...
    10 KB (1,576 words) - 12:50, 4 June 2010
  • ::'''(A)''' providing information security protections commensurate with the risk and magnitude of the harm r :::'''(i)''' information collected or maintained by or on behalf of the agency; and<br> ...
    11 KB (1,610 words) - 19:37, 3 June 2010
  • == Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks. == ...lder data, encrypt the transmissions by using Wi-Fi Protected Access (WPA) technology if WPA capable, or VPN or SSL at 128-bit. Never rely exclusively on WEP to ...
    2 KB (346 words) - 12:22, 31 January 2014
  • Links to helpful or interesting information security documents.<br> ...ed of lawyers, government policy and management professionals, information technology and security professionals, notaries from various legal systems, trade faci ...
    10 KB (1,527 words) - 12:47, 25 April 2007
  • ...pes of services offered and the complexity of the processes and supporting technology.<br> ...l of security controls based on their assessment of the sensitivity of the information to the customer and to the institution and on the institution’s established ...
    11 KB (1,523 words) - 10:04, 28 April 2007
  • ...ding networks, systems, and applications that store, process, and transmit information assets.<br> ...tives established in the [[Sample Asset Management Policy:|'''Sample Asset Management Policy''']], and provides specific instructions and requirements for the de ...
    12 KB (1,656 words) - 14:15, 1 May 2010
  • ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...his systems development life cycle (SDLC) describes the stages involved in information system development projects, from an initial feasibility study through main ...
    6 KB (863 words) - 13:12, 23 June 2006
  • The board of directors and senior management are responsible for ensuring that the institution’s system of internal cont ...hould assign responsibility for the internal audit function to a member of management (hereafter referred to as the “internal audit manager”) who has sufficient ...
    28 KB (4,089 words) - 14:37, 16 April 2007
  • Set up formal change management procedures to handle in a standardized manner all requests (including maint ...ay provide invalid information, which could result in unreliable financial information and reports.<br> ...
    10 KB (1,393 words) - 14:28, 23 June 2006
  • ...ed into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business ...tem and network failures should be reported immediately to the Information Technology Director or designated IT operations manager. ...
    5 KB (646 words) - 21:03, 15 January 2014
  • ==Security Management== ...urity Management is based on the code of practice for information security management also known as ISO/IEC 17799. ...
    32 KB (4,804 words) - 14:10, 27 February 2009
  • #[[Getting it Right in Records Management | Getting it Right in Records Management]] ...rds management survey - call for sustainable ... | 2009 electronic records management survey - call for sustainable ...]] ...
    16 KB (2,124 words) - 11:06, 16 March 2010
  • ...most comprehensive, most beneficial, most accessible, and freely available information security guidance framework on the planet.<br> ...zation no matter what the size, shape, or form they come in. By protecting information, you protect identities, profits, reputations, and the list goes on and on. ...
    9 KB (1,241 words) - 20:49, 13 September 2016
  • ...ities, such as control and [[risk assessment]]s, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the ...mation can be evaluated at any given point of time, it also means that the information is able to be verified constantly for errors, fraud, and inefficiencies. It ...
    15 KB (2,212 words) - 17:29, 19 February 2015
  • '''Risk assessment''' is a step in the [[risk management]] process. Risk assessment is [[measurement|measuring]] two quantities of Risk assessment may be the most important step in the risk management process, and may also be the most difficult and prone to error. Once risks ...
    10 KB (1,633 words) - 16:03, 22 December 2007
  • ...ding networks, systems, and applications that store, process, and transmit information assets.<br> ...tives established in the [[Sample Asset Management Policy:|'''Sample Asset Management Policy''']], and provides specific instructions and requirements for follow ...
    12 KB (1,684 words) - 14:14, 1 May 2010
  • ==Information Security Audit== ...dit. However, information security encompasses much more than IT. Auditing information security covers topics from auditing the physical security of data centers ...
    21 KB (3,112 words) - 16:52, 15 June 2007
  • ...structure (major machinery or computing/network resource). As such, [[risk management]] must be incorporated as part of BCP. ...for implementing, operating and improving a documented business continuity management system (BCMS). ...
    15 KB (2,046 words) - 11:39, 27 October 2012