Presentation is loading. Please wait.

Presentation is loading. Please wait.

Development of a Clean Room/Highly Restricted Zone June 12, 2012 Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group ©2011 The Shared.

Published byProsper Payne Modified over 8 years ago

Similar presentations

Presentation on theme: "Development of a Clean Room/Highly Restricted Zone June 12, 2012 Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group ©2011 The Shared."— Presentation transcript:

1 Development of a Clean Room/Highly Restricted Zone June 12, 2012 Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group ©2011 The Shared Assessments Program. All Rights Reserved.

2 2 What is it? ©2011 The Shared Assessments Program. All Rights Reserved. Clean Rooms (aka, Highly Restricted Zones) are: Specially secured environments offered in offshore development centers (ODC) from which client projects are executed. Offshore staff work with applications, data, and resources on the client’s network from within this secure environment. The area is usually configured for a predetermined number of seats in order to keep access to such data at a minimum. Due to the additional controls required, additional costs are usually incurred.

3 3 Who…Where…Why…How? ©2011 The Shared Assessments Program. All Rights Reserved. Who is Using a CR/HRZ?  Companies who are looking to reduce IT support costs by allowing secure-proven vendors to have access to non-test/QA data via their offshore resources Where are CR/HRZ’s being Utilized?  Many are used at offshore vendor locations but some companies are utilizing such facilities nationally at “state-side development centers” (SDC). Why are Companies using it?  It assists companies in meeting their cost reduction objectives while implementing a safe and secure IT support environment. How are CR/HRZ’s being used?  Many companies are currently utilizing CR/HRZ’s for their production support unless prohibited due to client contracts or other legal obligations.

4 4 The Development Process ©2011 The Shared Assessments Program. All Rights Reserved. Get an understanding as to scope (i.e., what data is to be accessed by your offshore vendor)  Talk to both the BU and the Vendor to understand what applications will be supported and what the client requirements are (i.e., what is to be accessed by your offshore vendor).  Insist you’re kept in the loop during the scoping process; that is, continue to converse with both the BU and the Vendor! Start an assessment of the Vendor with the SIG  Use the Shared Assessments SIG Questionnaire to vet the vendor with 100% test of controls Perform an onsite inspection of the facility  Do this for both the primary facility housing the CR/HRZ, and if possible, the B/U site.

5 5 The Development Process ©2011 The Shared Assessments Program. All Rights Reserved. Identify additional enhancements that you, IT Security, Privacy, Compliance, etc., feel that need to be included to make this facility as close to your own centrally managed facility:  General Security  Physical Security  Network Security  IT Security  Incident Management  Business Continuity/Disaster Recovery  Data Privacy  Access Controls  Personnel

6 6 The Development Process ©2011 The Shared Assessments Program. All Rights Reserved. Once you’ve identified the additional controls, establish this as your standard  Work with the proper management levels of IT, IT Security, Compliance, Privacy, etc., to obtain buy-in. Publish/promulgate these upon completion Use these new guidelines (standards) to certify the Room at least annually to ensure they continue to meet the requirements you’ve established.

7 7 Examples to Consider ©2011 The Shared Assessments Program. All Rights Reserved. Your Company and the Vendor ensure proper measures will be taken to erase all data on client systems prior to decommission or release of a person from project. All printing capabilities are disabled from the desktops. No internet access from the CR/HRZ desktops. No laptop/storage media is allowed inside the CR/HRZ. The secured area is restricted to dedicated personnel via electronic card key security with badge access required for both entry and exit. Auditable logs are to record all entry and exit events in CR/HRZ and are stored for a period agreed to between the Vendor and your company. Printers are not to be installed / allowed access from CR/HRZ. Removable media devices, PDA's, laptops, external storage devices, cameras or camera cell phones, and personal mobile phones are not to be allowed in the CR/HRZ. A security guard is to be stationed on the floor of the CR/HRZ with direct line-of-sight to the entrance/exit of the CR/HRZ. Closed-Circuit TV must be installed at the entry/exit of the CR/HRZ. LAN security may be established by creating a logically segregated network. Wireless access points are not allowed within the CR/HRZ network. There is to be no Internet access from the CR/HRZ. A dedicated Switch for the LAN connectivity for CR/HRZ desktops must be established. MAC Binding is to be enforced on all desktops located in the CVS Caremark CR/HRZ.

8 8 Examples to Consider ©2011 The Shared Assessments Program. All Rights Reserved. All systems are to be installed with standard client Firewall and Anti-Virus is deployed to prevent threats. The Vendor is to perform a Network Vulnerability analysis/scans (NVA) semi-annually on Internal Networks and Systems. The Vendor is to install Intrusion Detection and/or prevention systems (IDS/IPS) on all CVS Caremark CR/HRZ networks to monitor network intrusions. The Vendor is to review all logs pertaining to firewall, IDS/IPS are reviewed on a daily basis for any violations. The Vendor is to perform a review of network resources access list, audit logs on a quarterly basis. There are to be no local "Admin" rights assigned to users; that is, Windows' Group Policy Object (GPO) must be used to ensure all users have appropriate privileges. A monthly review of this list must be performed in conjunction by the Vendor and your Company. Your Company and the Vendor establishes a defined Incident Response Plan and a Service Level Agreement (SLA) for Incident Responses. The Vendor's recovery site implements identical controls as the production CR/HRZ. Copy/Paste and Drive mapping are disabled. Production data access is provided only through your Company’s Network Access environment (e.g., Citrix). The Vendor performs quarterly reviews of logical access rights and report exceptions to your Company’s CPO/CISO. Formalized training is performed annually for all CR/HRZ employees handling sensitive data. Stringent background checks are performed prior to working within the CR/HRZ such as Criminal, Academic, and Work History.

9 9 Questions/Answers ©2011 The Shared Assessments Program. All Rights Reserved..

Download ppt "Development of a Clean Room/Highly Restricted Zone June 12, 2012 Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group ©2011 The Shared."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Session # 48 Security on Your Campus: How to Protect Privacy Information Robert Ingwalson.

Session # 48 Security on Your Campus: How to Protect Privacy Information Robert Ingwalson.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………

Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Introduction to PCI DSS

Introduction to PCI DSS
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services

Similar presentations

Ads by Google