Team 4 – Mack, Josh, Felicia, Kevin and Walter

Presentation transcript:

Case Study – Target
Team 4 – Mack, Josh, Felicia, Kevin and Walter
Senior Testing and Internal Audit team

Team 4 – testing and auditing
How would you describe your current testing and auditing to your Senior Leadership?
- Our current testing and auditing process is comprehensive.
- We use the Payment Card Industry Data Security Standard (PCI-DSS).
- We completed baseline testing based on PCI-DSS.
- We passed PCI compliance audits on the POS systems.

Team 4 – testing and auditing
What would you like to change for testing going forward?
- A comprehensive approach to testing/auditing will include all assets, not just those that fall under compliance regulations.
- We need to test ALL the subsystems going forward, not just the credit card systems.

Team 4 – testing and auditing
How would you test your interactions with vendors and suppliers?
- Require vendors to use commercial virus checking software and other security precautions on their interfacing systems. Commercial virus scanning software would have prevented the malware used in the attack on the vendor machines.
- Security Skills Assessment and Appropriate Training: require vendors to go through basic security training or agree to train their staff. This can be verified by auditing the vendor's security training records. The malware in the phishing attack would have failed, and the hackers would not have obtained access to the vendor portal credentials.
- Begin testing for two-factor authentication from vendors.

Team 4 – testing and auditing
What assurances can your testing provide to your leadership?
- From lessons learned and using approved comprehensive testing and audit procedures, when the next attack happens we can assure that the threat will be detected and identified quickly enough that we can react and recover in a timely manner.

Team 5 – interfaces and trust
Team 5: Senior Corporate Operations Group
What is the best way to manage the risk of others interfacing with our network and systems?
- Focus on being proactive
- Understand ALL asset vulnerabilities
- Timely incident response
- Implement comprehensive testing and audit procedures
How should you control others on your network for access and authorization?
- Compartmentalize/segregate users based on roles/needs
- Use 2-factor authentication
- Periodic review of authorized users

Team 5 – interfaces and trust
Team 5: Senior Corporate Operations Group
What should be required of vendors and sub-contractors to work with your systems?
- Service Level Agreement (SLA)
- They should meet the PCI compliance requirements
How do you ensure proper training and certification of sub-contractors and vendors?
- Require certification documentation to be sent to the IA office when updated/annually, or require their IA office to submit training reports