Best IT Blog

Sample Email Encryption approach

Posted in eMail (66) by Guest on the March 31st, 2011

Sample Visio – Documentum drawing

Posted in Compliances (1300),Visio Samples - Stencils (457) by Guest on the March 31st, 2011

Free sample VMWare Visio Download

Visio Sample – NAS drawing

Posted in Networking (340),Visio Samples - Stencils (457) by Guest on the March 30th, 2011

Free sample document NAS – Network-attached storage Visio Download

Sample Network Documentation Policy

Posted in Networking (340),Policies - Standards (600) by Guest on the March 29th, 2011

This network documentation policy is an internal IT policy that defines the requirements for network documentation. It defines the level of network documentation required, such as documentation of which switch ports connect to which rooms and computers. It defines who will have access to read network documentation and who will have access to change it. It also defines who will be notified when changes are made to the network.

This policy is designed to provide for network stability by ensuring that network documentation is complete and current. This policy should complement disaster management and recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to the network. 

The network structure and configuration shall be documented and provide the following information:

  • IP addresses of all devices on the network with static IP addresses.
  • Server documentation on all servers as outlined in the “Server Documentation” document.
  • Network drawings showing:
    o The locations and IP addresses of all hubs, switches, routers, and firewalls on the network.
    o The various security zones on the network and the devices that control access between them.
    o The location of every network drop and the associated switch and port on the switch supplying that connection.
    o The interrelationship between all network devices, showing the lines running between them.
    o All subnets on the network and their relationships, including the range of IP addresses and netmask information for each subnet.
    o All wide area network (WAN) or metropolitan area network (MAN) information, including the network devices connecting them and the IP addresses of the connecting devices.
  • Configuration information on all network devices including:

Configuration shall include but not be limited to:
    o IP address

    o Default gateway
    o DNS server IP addresses for primary and secondary DNS servers.
    o Any relevant WINS server information.
  • Network connection information including:
    o Type of connection to the internet or other WAN/MAN, including T1, T3, or frame relay.
    o Provider of the internet/WAN/MAN connection and contact information for sales and support.
    o Configuration information including netmask, network ID, and gateway.
    o Physical location where the cabling enters the building, and the circuit number.
  • DHCP server settings showing:
    o Range of IP addresses assigned by all DHCP servers on all subnets.
    o Subnet mask, default gateway, DNS server settings, and WINS server settings assigned by all DHCP servers on all subnets.
    o Lease duration time.

The IT networking and some enterprise security staff shall have full access to all network documentation. The IT networking staff shall have the ability to read and modify network documentation. Designated enterprise security staff shall have access to read and change network documentation but those not designated with change access cannot change it. Help desk staff shall have read access to network documentation.

Change Notification

The help desk staff, server administration staff, application developer staff, and IT management shall be notified when network changes are made, including:

  • Reboot of a network device including switches, routers, and firewalls.
  • Changes to the rules or configuration of a network device including switches, routers, and firewalls.
  • Upgrades to any software on any network device.
  • Additions of any software on any network device.
  • Changes to any servers which perform significant network functions, whether configuration or upgrade changes are made. These servers include:

    o Domain controllers

Notification shall be through email to designated groups of people.

Documentation Review

The network or IT manager shall ensure that network documentation is kept current by performing a monthly review of the documentation or designating a staff member to perform the review. Remedy or help desk requests from the last month should be reviewed to help determine whether any network changes were made. Any current or completed projects affecting network settings should also be reviewed to determine whether network changes were made to support the project.

Storage Locations

Network documentation shall be kept either in written form or electronic form in a minimum of two places. It should be kept in two facilities at least two miles apart so that if one facility is destroyed, information from the other facility may be used to help reconstruct the IT infrastructure. Information in both facilities should be updated monthly at the time of the documentation review.



Encryption Considerations

Posted in Compliances (1300) by Guest on the March 29th, 2011

At a minimum, it should include management acceptance of the solution and approval to proceed to a production state (e.g., management accreditation).

  • Complete informal or formal management accreditation of the encryption solution (i.e., acceptance of the solution) and obtain approval to operate.
    o If appropriate, perform data re-alignment activities that were not possible prior to implementation.
    o Turn on the actual encryption capabilities (e.g., activate background encryption on existing data).
    o If appropriate, complete final data re-alignment activities that were not possible prior to activation of encryption.
  • Review the information security risk assessment and identify those items and areas classified as requiring encryption.
  • Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.
  • Consider whether the cryptographic algorithms are both publicly known and widely accepted (e.g., RSA, SHA, Triple DES, Blowfish, Twofish) or banking industry standard algorithms.
  • Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
  • Identify management’s understanding of cryptography and expectations of how it will be used to protect data.
  • Determine whether cryptographic key controls are adequate.
    o Identify where cryptographic keys are stored.
    o Review security where keys are stored and when they are used (e.g., in a hardware module).
    o Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
    o Verify that two persons are required for a cryptographic key to be used, when appropriate.
  • Review audit and security reports that review the adequacy of cryptographic key controls.
  • Determine whether adequate provision is made for different cryptographic keys for different uses and data.
    o Determine whether cryptographic keys expire and are replaced at appropriate time intervals.
    o Determine whether appropriate provisions are made for the recovery of data should a key be unusable.
    o Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.


Sample Visio – Disk Subsystem

Posted in O S (375),Visio Samples - Stencils (457) by Guest on the March 28th, 2011

Free Sample Disk Subsystem Visio Download

Sample Visio Disk Subsystem

Network Scanning Considerations

Posted in Networking (340) by Guest on the March 27th, 2011

Network Scan Types and Scope

This network scanning recommendation defines network scan types, identifies reasons for scanning, identifies times when network scanning is allowed and who should approve it, and specifies who should be notified when network scanning is done.

Network device location scan – This scan may use different means to determine the IP addresses of active devices on the network. Methods:

ARP scan – An ARP broadcast can be sent to network IP addresses asking for the MAC address of the host with IP address x.x.x.x. If a response occurs, there is an active host at that address.

Internal full port scan – Checks to determine what services are running on each host. This may be done against selected hosts or all hosts, including servers and workstations. Methods:

Socket connect scan – Tries to complete a socket connection to a port on a host computer. Because the connection is fully established, the host computer is able to log it.

SYN scan – Sends a SYN packet to the host indicating that it wants to open a socket, but when the host responds it does not finish establishing the connection.

FIN scan – Sends a FIN packet to a host port. If no service is running, the port responds with a reset (RST). If a service is running on the port, the packet is ignored.

External full port scan – Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the organization being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method.

Internal vulnerability scan – Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts, including servers and workstations. It goes beyond a full port scan: it attempts to get information about the operating system and services running on the host, will attempt to determine the versions of the services running on the host, and may even do a penetration test.

External vulnerability scan – Same as the internal vulnerability scan except it is done from outside the organization network and is directed toward any IP addresses owned by the organization being tested.

Internal denial of service scan – This is a scan using packets which are intentionally designed to make a system crash or tie up resources. The scan is directed against ports, but the data sent is usually malformed in some unusual way.

External denial of service scan – Similar to the internal denial of service scan except it is directed against IP addresses owned by the organization being tested.

Password Cracking – This test may send default passwords and brute force password guessing against accounts on specified systems. This is really not like a network scan but is covered in this recommendation since it could potentially disrupt service depending on the password policies of the organization. 

Many scanning services will offer some combinations of these types of scans. This recommendation covers all types of network and host scanning.
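As an added detection-side example (not code from the original post), the following Python classifies the socket connect, SYN and FIN probe patterns described above from constructed packet records and flags any host that touches many ports on a target within a short window; the Packet layout, the port threshold, the window and the sample traffic are assumptions of the example.

```python
"""Scan-technique detection over constructed TCP packet records (added
example, not code from the original post). Rules follow the post: a connect
scan completes the handshake (SYN, SYN-ACK, ACK), a SYN scan answers the
SYN-ACK with RST, and a FIN scan sends bare FINs that only closed ports
answer. Packet layout, thresholds and sample traffic are assumptions here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # tcpdump-style TCP flag letters: S=SYN A=ACK F=FIN R=RST


def group_probes(packets: List[Packet]) -> Dict[tuple, list]:
    """Group packets by probe (initiator, target, target port) into events
    (direction, ts, flags), "c" = initiator -> target, "s" = reply. The first
    packet seen for a pair is the initiator's: a scanner always speaks first."""
    probes: Dict[tuple, list] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        fwd = (p.src, p.dst, p.dport)   # initiator -> target
        rev = (p.dst, p.src, p.sport)   # target -> initiator
        if fwd in probes or rev not in probes:
            probes.setdefault(fwd, []).append(("c", p.ts, p.flags))
        else:
            probes[rev].append(("s", p.ts, p.flags))
    return probes


def classify_probe(events: list) -> str:
    """Map one probe's flag exchange to the scan technique it matches."""
    sent = [f for d, _, f in events if d == "c"]
    got = [f for d, _, f in events if d == "s"]
    if not sent or sent[0] not in ("S", "F"):
        return "other"
    if sent[0] == "F":
        return "fin"               # bare FIN: only closed ports reply RST
    if "SA" not in got:            # closed port: SYN and connect scans both
        return "syn-or-connect"    # just see RST, so they cannot be told apart
    for f in sent[1:]:
        if f == "A":
            return "connect"       # handshake completed; host can log it
        if "R" in f:
            return "syn"           # half-open connection torn down
    return "syn"                   # half-open connection left dangling


def detect_scans(packets: List[Packet], min_ports: int = 10,
                 window: float = 60.0) -> Dict[str, dict]:
    """Report initiators that probed at least min_ports distinct target
    ports within window seconds, with the dominant technique."""
    per_src = defaultdict(list)   # initiator -> [(ts, target, port, kind)]
    for (src, dst, port), ev in group_probes(packets).items():
        per_src[src].append((ev[0][1], dst, port, classify_probe(ev)))
    report: Dict[str, dict] = {}
    for src, probes in per_src.items():
        probes.sort()
        best = 0                   # most distinct target ports in one window
        for i, (t0, _, _, _) in enumerate(probes):
            hit = {(d, p) for t, d, p, _ in probes[i:] if t - t0 <= window}
            best = max(best, len(hit))
        if best < min_ports:
            continue
        kinds = Counter(k for *_, k in probes)
        sure = {k: n for k, n in kinds.items() if k in ("connect", "syn", "fin")}
        kind = max(sure, key=sure.get) if sure else max(kinds, key=kinds.get)
        report[src] = {"ports": best, "technique": kind,
                       "targets": sorted({d for _, d, _, _ in probes})}
    return report


def sample_capture() -> List[Packet]:
    """Constructed traffic: a connect, a SYN and a FIN scanner probing ports
    20-31 on one host (22 and 25 open), plus one ordinary client on port 22."""
    tgt, up, pkts = "10.0.0.20", {22, 25}, []
    def add(src, sp, dst, dp, flags):
        pkts.append(Packet(0.01 * (len(pkts) + 1), src, sp, dst, dp, flags))

    scanners = [("10.0.0.5", "connect"), ("10.0.0.6", "syn"), ("10.0.0.7", "fin")]
    for n, (src, kind) in enumerate(scanners):
        for i, port in enumerate(range(20, 32)):
            sp, is_open = 40000 + 1000 * n + i, port in up
            add(src, sp, tgt, port, "F" if kind == "fin" else "S")
            if kind == "fin" and is_open:
                continue                       # open port ignores a bare FIN
            add(tgt, port, src, sp, "SA" if is_open else "RA")
            if is_open:                        # complete or tear down
                add(src, sp, tgt, port, "A" if kind == "connect" else "R")
    add("10.0.0.8", 43000, tgt, 22, "S")          # ordinary client: one port
    add(tgt, 22, "10.0.0.8", 43000, "SA")
    add("10.0.0.8", 43000, tgt, 22, "A")
    return pkts
```

Against closed ports a SYN scan and a connect scan leave identical traces (SYN answered by RST), so the dominant technique is decided only from probes that reached an open port.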

Network Scanning Reasons

Network scanning may be performed for several reasons:

  • To determine whether computer systems are vulnerable to attack and fix them.
  • To show companies we interact with that our servers are reasonably secure.
  • To fulfill regulatory requirements.

Network scanning shall not be performed without written permission.

Network Scanning Disruptions

Network scanning can be very disruptive to both a network and the hosts that are operating on it. No network scanning shall be allowed without close adherence to this recommendation and the associated procedures. Network scanning can cause systems to crash and network devices to become unreliable, which can be very disruptive to business operations.



Understand Confidentiality Drivers

Posted in Compliances (1300) by Guest on the March 27th, 2011

Understanding the reasons for pursuing an encryption strategy is important from the outset. Failure to capture the full set of drivers can result in an inadequate and/or unusable solution.

· Identify all relevant regulatory obligations that impact data security and data privacy:

o Sarbanes-Oxley,


o Payment Card Industry Data Security,

o EU Data Privacy,

o CA SB 1836 / AB 1950, etc…

· Identify all relevant legal obligations that impact data security:

o Court orders,

o Contractual obligations,

o Trade secrets,

o Competitively sensitive information,

o Intellectual property, etc…

· Identify all relevant executive management concerns:

o Public image,

o Thwarting and detecting criminal activity,

o Protecting intellectual property,

o And trace them back to quantifiable obligations and requirements.

· Review organizational policies associated with data protection and data security:


o Destruction,

o Privacy / confidentiality, etc…

· Review organizational IS/IT strategic plans to identify desired future states with defined data protection and data security dependencies

· Review recent IS audit results/findings to identify data privacy/confidentiality deficiencies

· Determine whether compliance or data security requirements serve as the primary need for confidentiality measures

· Determine the role of monitoring and reporting (auditing)



Windows 200x Service – Configuration Information

Posted in O S (375) by Guest on the March 26th, 2011

Personnel Security Suggestions

Posted in Compliances (1300) by Guest on the March 26th, 2011

Organizations should develop, document, and implement policies and procedures for the selection, orientation, and supervision of employees and contractors who have access to IT resources. The objective is to ensure that a high level of integrity and satisfactory staff conduct is achieved and maintained, and to promote an awareness of security matters. The following are to be included:

  • Reference checks and background investigations where appropriate.
  • Security awareness training, at hire and annually.
  • IT Security support staff technical training.
  • Sanctions for security violations.
  • Processes for employees or contractors when separating from service.
  • Appropriate language in all vendor contracts regarding security requirements.

Physical Security Standards

Organizations should be responsible for assuring that adequate physical security protections are implemented to maintain the availability, confidentiality and integrity of the agency’s computer systems.  Investments in physical security shall be commensurate with the risks, threats, and vulnerabilities unique to each individual site and location. 

Each site should develop, document, and implement policies and procedures for the following:

  • Location and layout of the facility.
  • Physical security attributes for computer or telecommunications rooms (if applicable).
  • Facility access control.
  • Physical data storage and telecommunications controls.
  • Off-site media storage.

  • Physical security controls for mobile/remote computing.
  • Laptops and Personal Digital Assistants (PDAs).
  • Portable data storage devices (e.g., tape drives, zip drives, removable hard drives, USB data storage devices).



Business Risk Impact

Posted in Business (600) by Guest on the March 26th, 2011

Risk is based on a systematic examination of assets, threats, and vulnerabilities that provides the foundation for the development of an appropriate IT Security Program.  Adequate risk analysis is the key to determining the level of protection required for all computing assets such as networks, applications, systems, facilities and other enterprise assets.  A risk analysis will:

  • Identify dependence on existing IT assets.
  • Identify vulnerabilities of existing IT assets.
  • Assess the probabilities of threats occurring to existing IT assets.
  • Determine the impact of losses if they do occur.
  • Identify the value of safeguards or countermeasures designed to reduce the threats and vulnerabilities to an acceptable level.


The goal of the risk analysis process is to determine an acceptable level of risk that considers security, the security of shared resources, business strategy, and the overall cost of countermeasures.  Conducting an adequate risk analysis will help organizations apply their available resources to their security program more effectively.

To conduct a risk analysis, organizations shall complete the following steps: 

A.   Information Asset Review

An information asset review shall be performed to identify, at a minimum, those information assets that are critical to ongoing operations or which contain confidential or critical data.  The criteria for this inventory assessment shall be documented. 

B.   Business Impact Analysis

A business impact analysis shall be performed for all information assets identified in the Information Asset Review.  The purpose of the business impact analysis is to document the potential impact of loss of the assets.  Consideration shall be given to operational, financial, and legal impacts.

C.   Vulnerability Analysis

A vulnerability analysis is used to identify vulnerabilities associated with information assets.  The vulnerability analysis shall identify specific vulnerabilities related to information assets identified in the information asset review, as well as where those vulnerabilities exist.

D.   Threat Analysis

A threat analysis shall be conducted to identify threats that could result in the intentional or accidental destruction, modification or release of data, computer, or telecommunication resources.

E.   Risk Analysis

A risk analysis is a collective review of the vulnerabilities and threats to all identified assets to determine the likelihood and impact.  This analysis forms the foundation for security program planning.

While no specific format is required for the risk analysis, instructions and suggested formats, as well as links to risk analysis resources, can be found in the Information Technology Security Guidelines.  Organizations may also consider leveraging disaster recovery reviews, specifically relating to critical assets and business impact, when completing IT security risk assessments.


Sample Product Evaluation criteria

Posted in Application (380) by Guest on the March 26th, 2011

Task:  Identify criteria used to evaluate and recommend security products.


Refer the students to the email after the IS Security Program Review module.

Allow the students to work on the exercise for approximately 10 minutes.

Call on several students and ask them what criteria they use to evaluate countermeasures.

Respond according to the students’ responses ensuring that the following information is discussed:


The following criteria are often used to evaluate countermeasures:

  • Cost
  • Effectiveness
  • Impact on system performance
  • Impact on user

Whether cost, effectiveness, system performance impact, or user impact, the underlying criterion for assessing a countermeasure is risk, or how much risk can be accepted.

Using the concept of acceptable risk, look at the four areas of criteria separately:

Cost

  • Is the cost justified based on the risk?
  • Is there a more cost-effective alternative?
  • The smaller the acceptable risk, the greater the cost typically is.
  • The higher the acceptable risk, the lower the cost typically is.

Effectiveness

  • Does the countermeasure work?
  • Does the countermeasure reduce risk?
  • Is there derived value, and if so, is the cost commensurate with the derived value or reduction in risk?
  • Is the effect on system performance justified compared with the amount of risk reduction?
  • How easy are the countermeasures to circumvent?

Impact on system performance

  • Does the countermeasure cause degradation in system performance?
  • Can you accept the increased system overhead? As a rule, the greater the security, the greater the system overhead.

Impact on users/program objectives

  • How do the countermeasures impact the users’ ability to accomplish the mission?
  • Is the countermeasure worth the impact on employee performance if it causes work slowdowns or stoppages?
  • How willing are the users to comply with the countermeasures?
  • How easy are the countermeasures to use?

Discussion Issues:  ?



Sample Visio – Network DMZ drawing

Posted in Visio Samples - Stencils (457) by Guest on the March 25th, 2011

Free Sample Network DMZ drawing Visio Download   

Sample DMZ Visio



Basic Policies and Standards

Posted in Policies - Standards (600),Security (1500) by Guest on the March 25th, 2011

How do you pursue an agenda for the service offering while growing a security team and building a security infrastructure for a rapidly growing company, all at the same time? The answer is to start with the basics.

When a company is very small, it has the luxury of hiring people with highly specialized skills and similar mindsets. However, once a startup has progressed beyond its initial growth period, it has to hire employees with a broad range of skills and experiences. When thinking about security, the glue that brings these varying groups and skill sets together is basic security policies and practices.

Devise a Security policy that breaks down into 10 key areas:

1. Corporate Policy Statement

2. Allocation of Security Responsibilities

3. Security Awareness: Education and Training

4. Control of Security Incidents: Reporting and Tracking

5. Virus Controls

6. Business Continuity Planning (BCP)

7. Control of Proprietary Software

8. Protection of Corporate Data

9. Overall Information and Data Protection

10. Compliance to the Security Policy

Corporate Policy Statement

A CPS is an essential document for initiating any security program. It protects an organization from basic high-level risks, documents the organization’s commitment to security and provides management and staff with information on security concepts. The statement should define the scope of coverage and the responsibilities of all employees in protecting corporate information and resources.

The Plan

The next task was devising a plan of action that reflected our business objectives, provided adequate protection for the current activities of the various operational units and kept business units engaged in the security process.

To be effective, the plan would have to look something like this: 

1. Separate the attention given to the immediate security needs from the long-term security goals. In simple terms: Give the operations and business departments the security they need today while working in parallel to construct an overarching security structure. 

2. Pay individual attention to each of the company’s divisions while coordinating their operations and projects with corporate-wide security efforts.

3. Concentrate the limited security resources on the immediate- and high-priority issues first, and take on remaining goals as security resources grow.

Divide and Conquer

To lessen the impact of interruptions caused by attacks and make progress on the plan, structuring of the security group became the next critical task. The structure devised divided the security team into three groups:

1. “Corporate” security, which focuses on the security foundations with policies, awareness and assessment activities.

2. Security engineering, which has individuals assigned to the various business and engineering departments, working with them on the development of new products and initiatives and ensuring security is incorporated throughout the organization’s activities. 

3. Security services, a unit charged with performing the routine security tasks, such as running the firewalls, collecting logs and conducting physical security checks. 

Implementing the Plan

In the middle of the night, functional and security issues impact the operations staff more than any other group. So, it made complete sense to pursue a security agenda in “reverse.” That is, start security activities with the operations organization and processes, focus on their interface with engineering / development, and then move on to the engineering / development groups and processes.

The security services team would have to support the tactical activities, such as managing the firewalls and operating security assessment tools. The security engineers would have to pursue the majority of the work toward business goals:

1. Be part of the system and application design;

2. Be involved in the development and operational service processes;

3. Reinforce the security culture;

4. Find creative solutions for overcoming the lack of physical control over remote sites; and

5. Pursue best practices as the base for all of our efforts.

Get involved. The fact that my security team rolled up their sleeves and climbed into the trenches with the engineering and operations departments gave the security initiative credibility and earned it respect. Never before had the other functional business groups had Security people working side-by-side with them to find applicable solutions to technical risk issues. The cooperative effort led to more expeditious resolution of many security issues.

Stay on target. Cooperation is one thing, but working with other departments shouldn’t derail you from long-term objectives. There are certain business issues that require individual attention, as well as problems that demand the immediate reallocation of resources. But nothing should distract a Security team from working toward its goal of building a comprehensive security infrastructure. Security awareness, a positive security culture and core Security policies will win in the long run.



Quality of Service (QOS) Considerations

Posted in Application (380),Networking (340) by Guest on the March 25th, 2011

Performance – ability to deliver results (throughput or bandwidth) within the least response time (latency).

Scalability – ability to cater to greater demands imposed upon the system (e.g.: support increased number of users, products) without affecting any of the other QoS parameters.

Reliability – ability to function with the least occurrence of failure.

Availability – ability to maximize the time when the system is available for use.

Securability – ability to authenticate and authorize users to provide secure access to the system in a traceable (auditable) manner.

Manageability – ability to monitor and configure systems easily and detect operational characteristics related to performance and failures (remotely).

Maintainability – ability to modify the system easily, with the minimum amount of work or rework over the life cycle of the application.

Extensibility – ability to make significant enhancements or changes easily.

Usability – ability to allow users to use and navigate the system easily.

Serviceability – ability to be repaired or updated easily and rapidly without affecting reliability or availability of the system.

Reusability – ability  to use individual components or services in the building of unrelated modules or services.

Interoperability – ability of components to work with each other regardless of their underlying platform.



Best Practices – Servers (Windows, Unix, AIX, etc…)

Posted in O S (375) by Guest on the March 25th, 2011

Physical Security

Secure location or Server room.
Server room locked.
Server room with adequate, conditioned power.
Server room with air conditioning.
Server room with adequate ventilation.


Unused default services removed.
Known OS vulnerabilities are tracked and protected against.
Current patches and upgrades loaded and tested.
Audit logs enabled.

Access Privileges

Only privileges necessary to the job have been granted.
Administrator logon used only for administrative activities.
Restrict access to guest accounts.
Minimal privileges granted to “everyone, public or world”.
Examine audit logs for abnormalities.

Malicious Code

Anti-virus software installed and current.
Anti-virus policy in place.


Configuration management solution in place.
Business continuity plan in place.



Best Practices – LAN Infrastructure Equipment

Posted in Networking (340) by Guest on the March 25th, 2011

MDF and IDF considerations

Secure location or room

Room locked.
Room with adequate, conditioned power.
Room with air conditioning.
Room with adequate ventilation.
Room with enough conduits for expansion.
Room with proper shielding from environmental interference.
Room with proper grounding.
Room with anti-static flooring.


Unused default services removed.
Known OS vulnerabilities are tracked and protected against.
Current patches and upgrades loaded and tested.

Audit logs enabled

Security policy addresses SNMP strings.
Only necessary ports are enabled.
VLAN vulnerabilities considered.
Authentication process enabled.



Client Security Best Practices

Posted in O S (375) by Guest on the March 24th, 2011

Unattended workstations

Security policy requires logoff when unattended.
Automatically disconnect user after period of inactivity.
Require users to power off after hours.

Locally stored data

Security policy defines data that can be stored locally.
Security policy addresses back up of locally stored data.
Anti-virus software installed and current.
Anti-virus policy in place.
Sensitive data encrypted.
Data shredder used.
Remove “server” capability.

Local shares

Security policy prohibits local shares.

Workstation applications

Security policy addresses remote access/administration software.

Workstation operating systems

Known OS vulnerabilities are tracked and protected against.
Current patches and upgrades loaded and tested.


Rainbow Books Series

Posted in Security (1500) by Guest on the March 23rd, 2011


OWASP TOP 10

Issues and suggested remediation:

6.5.1: Cross Site Scripting (XSS) – Testing of parameters before inclusion.

6.5.2: Injection Flaws – Testing of input to verify that user data cannot modify the meaning of commands and queries.

6.5.3: Malicious File Execution – Validate input to verify that the application does not accept filenames or files from users.

6.5.4: Insecure Direct Object Reference – Do not expose internal object references to users.

6.5.5: Cross Site Request Forgery (CSRF) – Do not rely on authorization credentials and tokens automatically submitted by browsers.

6.5.6: Information Leakage and Improper Error Handling – Do not leak information via error messages or other means.

6.5.7: Broken Authentication and Session Management – Properly authenticate users and protect account credentials and session tokens.

6.5.8: Insecure Cryptographic Storage – Prevent cryptographic flaws.

6.5.9: Insecure Communications – Properly encrypt all authenticated and sensitive communications.

6.5.10: Failure to Restrict URL Access – Consistently enforce access control in the presentation layer and business logic for all URLs.



Sample Visio – Web / Server Architecture Visio drawings

Posted in Application (380),Visio Samples - Stencils (457),Web Services (250) by Guest on the March 22nd, 2011
Comments Off on Sample Visio – Web / Server Architecture Visio drawings

Overview of NHS Guidance

Posted in Compliances (1300) by Guest on the March 21st, 2011

Confidentiality: NHS Code of Practice

This code of practice provides detailed guidance for NHS bodies concerning confidentiality and patients' consent to the use of their health information. It also details the required practice the NHS must follow concerning security, identifying the main legal responsibilities of an organisation, and also details employees' responsibilities.

Employee Code of Practice

Guidance produced by the Information Commissioner detailing the data protection requirements that relate to staff/employee and other individuals' information.


Caldicott Guardians & Implementing the Caldicott Standard into Social Care

Provides guidelines relating to the sharing of patient-identifiable information and promotes the appointment of a senior health professional to oversee the implementation of the guidance. The Trust Caldicott Guardian is the Medical Director.

Records Management: NHS Code of Practice 2006

Provides guidance to improve the management of NHS records, explains the requirements for selecting records for permanent preservation, lists suggested minimum requirements for records retention, and applies to all information, regardless of media, and to all personnel within the NHS such as patients, employees, volunteers, etc. It aids compliance with the Data Protection and Freedom of Information Acts.

ISO/IEC 27001 / 17799 Information Security Standards

These are the accepted industry standards for information management and security and have been adopted by all NHS organisations. Compliance with them is also recommended as a means of meeting the legal requirement under principle 7 of the Data Protection Act.


Comments Off on Overview of NHS Guidance

List of Applicable Policies, Laws, and Standards

Posted in Compliances (1300),Policies - Standards (600) by Guest on the March 20th, 2011

The laws, regulations, policies, and guidelines that affect the system include:

U.S. Congress – Public Law (PL) and United States Code (U.S.C.)

  • PL 107-347 Section III, Federal Information Security Management Act (FISMA) of 2002, 2002
  • PL 107-305, Cyber Security Research and Development Act of 2002
  • PL 96-456, Classified Information Procedures Act of 1980
  • 5 U.S.C. 552, Freedom of Information Act; Public Information; Agency Rules, Opinions, Orders, Records, and Proceedings, 1967
  • 5 U.S.C. 552a, Privacy Act; Records Maintained on Individuals, 1974
  • 18 U.S.C. 1029, Fraud and Related Activity in Connection with Access Devices
  • 18 U.S.C. 1030, Fraud and Related Activity in Connection with Computers
  • 40 U.S.C. 1401 et seq., P.L. 104-106, Clinger Cohen Act of 1996 (Information Technology and Management Reform Act of 1996)
  • 44 U.S.C. 3534, Federal Agency Responsibilities
  • 44 U.S.C. 3535, Annual Independent Evaluation
  • 44 U.S.C. 3537, Authorization of Appropriations
  • 44 U.S.C. 3541, P.L. 107-296, Federal Information Security Management Act of 2002 (FISMA)
  • 44 U.S.C. 3546, Federal Information Security Incident Center  

National Institute of Standards and Technology (NIST) – Special Publications (SP) and Federal Information Processing Standards Publications (FIPS PUBS)

  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, 2003
  • 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, 2004
  • 800-34, Contingency Planning Guide for Information Technology Systems, 2002
  • 800-30, Risk Management Guide for Information Technology Systems, 2002
  • 800-26, Revised NIST SP 800-26 System Questionnaire with NIST SP 800-53 References and Associated Security Control Mappings, 2005
  • 800-18, Guide for Developing Security Plans for Information Technology Systems, 1998


Others to consider: 

AR 335–15, Management Information Control System 

DA Pam 25–1–1, Information Technology Support and Services 

DODD 5015.2, Department of Defense Records Management Program


Comments Off on List of Applicable Policies, Laws, and Standards

Common Security reference NIST Guidelines

Posted in Compliances (1300) by Guest on the March 19th, 2011

  • 800-70, The NIST Security Configuration Checklists Program

  • 800-68, Draft NIST Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, 2004

  • 800-65, Integrating Security into the Capital Planning and Investment Control Process, 2005

  • 800-64, Security Considerations in the Information System Development Life Cycle, 2004

  • 800-61, Computer Security Incident Handling Guide, 2004

  • 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, 2004

  • 800-59, Guideline for Identifying an Information System as a National Security System, 2003

  • 800-55, Security Metrics Guide for Information Technology Systems, 2003

  • 800-53, Recommended Security Controls for Federal Information Systems, 2005

  • 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, 2002

  • 800-50, Building an Information Technology Security Awareness and Training Program, 2003

  • 800-47, Security Guide for Interconnecting Information Technology Systems, 2002

  • 800-45, Guidelines on Electronic Mail Security, 2002

  • 800-42, Guideline on Network Security Testing, 2003

  • 800-41, Guidelines on Firewalls and Firewall Policy, 2002

  • 800-40, Procedures for Handling Security Patches, 2002

  • 800-36, Guide to Selecting Information Security Products, 2003

  • 800-35, Guide to Information Technology Security Services, 2003

  • 800-31, Intrusion Detection Systems (IDS), 2001

  • 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A, 2004

  • 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, 2000


Comments Off on Common Security reference NIST Guidelines

Sample Excel – Windows XP Default Security Services Configuration

Posted in O S (375),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the March 18th, 2011
Comments Off on Sample Excel – Windows XP Default Security Services Configuration