Best IT Documents.com Blog


LogRhythm Architecture and Design 7.x Notes

• Dashboard
• Searching
• Review of alarms
• Qualify: investigate to establish root cause
• Then mitigate
• HTML5-coded client
• Risk-based alarms
• Case workflow
• Real-time data
• Double-click drill-down
• Underlying log data

 

Log viewer to analyst grid: access
Low footprint on the browser (client)

Activities represented
Pivot / sort of data and datasets

Widgets to customize the dashboard
Edit widgets, more advanced filters

Threat activity map
Drill down; create a task from another task to free up resources

Flow data: Network Monitor
Deep packet analytics (e.g. a rule for protocol mismatch)
Packet captures: session-based

 

Case management
Tagging for cases (searchable and filterable from dashboards)
Create new tags

Log contains
Search contextualized content for:
  Finance
  SSN

Search contains: filter on classified actions (across 750 device, application and system types)
Pre-created processing rules
Structured and unstructured searches
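As an added example (not a LogRhythm processing rule or any code from the product), the Python below shows a processing rule of the kind the notes refer to: classify a log line that carries an SSN or finance content, tag it so dashboards can filter on it, and redact the SSN before the line reaches the index. The log line format, the tag names and the finance keyword list are assumptions; the sample log lines are constructed.

```python
"""Processing rule: classify log lines that carry an SSN or finance content
and redact the SSN before the line is indexed.

Added example, not a LogRhythm processing rule. The line format, the tag
names and the finance keyword list are assumptions for illustration.
"""
import re

# SSN shape: AAA-GG-SSSS with no adjacent digits (so dates and order numbers
# such as 2018-12-0345 do not match).
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Assumed finance vocabulary for the "Finance" contextual search.
FINANCE_WORDS = re.compile(r"\b(wire|ach|invoice|payroll|ledger)\b", re.I)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    '2018-12-03T10:01:02Z app=hr-portal user=jdoe msg="lookup ssn=123-45-6789 status=ok"',
    '2018-12-03T10:02:17Z app=erp user=asmith msg="payroll export rows=412 ref=000-12-3456"',
    '2018-12-03T10:03:40Z app=erp user=asmith msg="wire approved amount=25000 acct=987654"',
    '2018-12-03T10:04:05Z app=web msg="GET /orders/2018-12-0345 200"',
]


def is_valid_ssn(area, group, serial):
    """SSA numbering rules: area 001-899 except 666, group 01-99,
    serial 0001-9999. Anything else is a false positive of the regex."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def classify_and_redact(line):
    """Return (tags, stored_line). Tags drive dashboard filters; the stored
    line has every valid SSN masked down to its last four digits so analysts
    can still pivot on it without the full value sitting in the index."""
    tags = set()

    def _mask(match):
        if is_valid_ssn(*match.groups()):
            tags.add("pii:ssn")
            return "***-**-" + match.group(3)
        return match.group(0)          # reserved range: leave untouched

    stored = SSN_SHAPE.sub(_mask, line)
    if FINANCE_WORDS.search(line):
        tags.add("finance")
    return sorted(tags), stored


def process(lines):
    """Apply the rule to a batch, as a collector would before handing lines to the indexer."""
    return [classify_and_redact(line) for line in lines]


if __name__ == "__main__":
    for tags, stored in process(SAMPLE_LOGS):
        print(tags, stored)
```

The point of the reserved-range check is precision: a bare `\d{3}-\d{2}-\d{4}` regex would tag the ERP reference `000-12-3456` as PII and redact it, polluting the "SSN" search with noise and damaging a legitimate field.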

 

Endpoint monitoring
File integrity monitoring
Watchlist users
  • Account takeovers
    · Precision searches
    · Alarms page (tab)
    · Fired alarms and risk-based fired alarms
    · Entity: logical segmentation of the network
    · Other filtering and sorting, by risk and by date
  • SmartResponse actions based on activity (multiple responses per action)
    · Disable accounts or quarantine devices
    · Corroborated alarms (supporting activities, e.g. 3 or more behavioral anomalies from the same user)
    · Associate logs and alarms into cases
  • Drill down into the data sets associated with the activities
    · Watchlist or searches (criteria, source with host)

Single host or distributed hosts for performance.
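Added example, not LogRhythm's code: the corroboration logic the notes describe, which fires an alarm only when three or more distinct behavioral anomalies from the same user land inside one correlation window, with watchlisted accounts getting a risk bump. The event format, the 4-hour window, the per-anomaly risk weights and the watchlist bump are assumptions; the events are constructed.

```python
"""Corroborated-alarm logic: fire only when 3+ distinct behavioral anomalies
from the same user fall inside one correlation window.

Added example, not LogRhythm code. The event format, window length, risk
weights and watchlist bump below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|user|anomaly_type|source_host"
SAMPLE_EVENTS = """\
2018-12-03T08:02:11Z|jdoe|impossible_travel|vpn-gw-01
2018-12-03T08:10:45Z|jdoe|new_device_login|vpn-gw-01
2018-12-03T08:31:07Z|jdoe|mass_file_access|fs-fin-02
2018-12-03T09:15:00Z|asmith|new_device_login|vpn-gw-01
2018-12-03T09:20:30Z|asmith|new_device_login|vpn-gw-02
2018-12-03T11:45:12Z|bwayne|impossible_travel|vpn-gw-01
2018-12-04T13:00:00Z|bwayne|mass_file_access|fs-fin-02
2018-12-04T13:05:00Z|bwayne|privilege_escalation|dc-01
"""

CORROBORATION_THRESHOLD = 3          # from the notes: 3 or more anomalies
WINDOW = timedelta(hours=4)          # assumed correlation window
ANOMALY_RISK = {                     # assumed per-anomaly weights
    "impossible_travel": 7,
    "new_device_login": 4,
    "mass_file_access": 8,
    "privilege_escalation": 9,
}
WATCHLIST_BUMP = 10                  # assumed extra risk for watchlisted users


def parse_events(text):
    """Parse the pipe-delimited events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, host = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "type": kind, "host": host,
        })
    return sorted(events, key=lambda e: e["time"])


def corroborated_alarms(events, watchlist=frozenset()):
    """One alarm per user whose window holds >= 3 *distinct* anomaly types.
    Repeats of the same anomaly (asmith) do not corroborate, and anomalies
    spread over more than one window (bwayne) do not either."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alarms = []
    for user, evs in by_user.items():
        for i, anchor in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - anchor["time"] <= WINDOW]
            kinds = {e["type"] for e in window}
            if len(kinds) >= CORROBORATION_THRESHOLD:
                risk = sum(ANOMALY_RISK[k] for k in kinds)
                if user in watchlist:
                    risk += WATCHLIST_BUMP
                alarms.append({
                    "user": user,
                    "anomalies": sorted(kinds),
                    "hosts": sorted({e["host"] for e in window}),
                    "first_seen": anchor["time"].isoformat(),
                    "risk": risk,
                })
                break  # one alarm per user; supporting events go into a case
    return sorted(alarms, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for alarm in corroborated_alarms(parse_events(SAMPLE_EVENTS), watchlist={"jdoe"}):
        print(alarm)
```

Run as-is, only jdoe fires: three different anomalies inside half an hour. asmith's two new-device logins are the same anomaly twice, and bwayne's three anomalies are real but a day apart, so neither is corroborated; both would still show as individual events for the analyst grid, just without the alarm.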

 

AI Engine

Desktop console

 

System log collection (Windows, Unix): local and remote collection (remote collection needs no agent installed directly on the source)

Non-server log sources, log server performance, file integrity


PCI, SOX, GLBA and Security Resources

Posted in Application (380),Compliances (1300),Data Center - SOC - NOC,Security (1500) by Guest on the December 3rd, 2018

IT Security / Technology Risk / Control Frameworks

SCF: Simplified Control Framework

http://www.controlframework.com/

 

COBIT 5

http://www.isaca.org/COBIT/Pages/default.aspx

 

COSO:

http://www.coso.org/

 

Risk and Control Frameworks:

http://www.solutionary.com/index/compliance/security-frameworks.php

 

Assessment Areas – PCI, SOX, NIST

  • Expert background in Technical Controls Assessment, Compliance, Risk, and Security control requirements.
  • SOX: SSAE 16 SOC 1 / ISAE 3402, SOC 2, SOC 3 (Type 2) (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring); detailed vs high-level.
  • PCI DSS / PA-DSS – PCI: CDE, access, vendors, network segmentation, ROC/AOC, submission, management recommendations and roadmap to compliance. QSA / PA-QSA, ASV background.

 

Preparatory Research

  • Mapping Application Security to Controls: SDLC Assessments (very good)

https://www.isaca.org/Education/Online-Learning/Documents/Security-Innovation-11Jan12.pdf

  • A Compliance Primer for IT Professionals (great overview; a little dated but a very good overview across controls)

http://www.sans.org/reading_room/whitepapers/compliance/compliance-primer-professionals_33538

http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf

  • SANS – MOACL – Mother of All Control Lists: (dated info but good)

http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299

 

Technology Risk / IT Controls Integration Terminology

Technology Risk

Likelihood, Impact, and SDLC Project Mapping, System Characterization, Controls Benchmark, gap analysis, Risk Remediation & Prioritization, Corrective Action Plan (CAP), IT Risk / IT Controls Remediation Roadmap, Risk Register, Risk Framework, Risk Scorecard, KRI, Loss Events. System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Controls Recommendations, Results Documentation.

 

IT Controls

Security, Documentation, Changes to Documentation, Implementation, Life Expectancy of a Version and a Version Upgrade, Hierarchy of Access – who can inquire versus who can make changes, Approvals, Sign-offs, Maintenance, Back-ups, Disaster Planning and Back-up, Change management, Incident Management, etc.

 

PCI Terminology

PCI DSS 3.0: validated by a Qualified Security Assessor (QSA) who creates a Report on Compliance (ROC), or by a Self-Assessment Questionnaire (SAQ) (optionally with an Internal Security Assessor (ISA)), depending on the volume of cardholder transactions (Merchant Levels 1-4); Attestation of Compliance (AOC); ASV (Approved Scanning Vendor); 12 Requirements under 6 Control Objectives.

 

IT Governance / Regulations – Next PAGES – HIPAA, PCI, SOX, NIST

Omnibus Final Rule Summary

http://www.ama-assn.org/resources/doc/washington/HIPAA-omnibus-final-rule-summary.pdf

 

PCI / DSS

PCI DSS v3.0: changes from 2.0 to 3.0, terms, ROC reporting instructions, prioritized approach tool, FAQs, SAQs

PCI / DSS 3.1: https://www.pcisecuritystandards.org/security_standards/documents.php

 


PCI/DSS 2.0:  https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

(compensating controls p. 64+)

 

PCI / DSS Risk Assessment Guidelines: https://www.pcisecuritystandards.org/documents/PCI_DSS_v2_Risk_Assmt_Guidelines.pdf

 

PCI DSS – QSA – ROC:   PCI – Data Security Std – Validation Requirements

PCI-DSS: (SAQ/Attestation guide): http://www.elementps.com/merchants/pci-dss/compliance-level/

PCI / DSS:     https://www.pcisecuritystandards.org/security_standards

(ISO 27005, NIST SP 800-XX/30, Octave)

 

HIPAA and PCI compliance ARE NOT INTERCHANGEABLE (Data Center Knowledge)

SOX:

http://www.sox-online.com/act_section_404.html

SOX: SANS overview: An Overview of Sarbanes-Oxley for the Information Security Professional

SSAE 16  / ISAE 3402 / SOC 1-3: Service Organization Controls Report:  https://www.ssae-16.com/

AICPA – SOC – Service Organization Controls:

SOC 1 / SOC 2, SOC3 (Type 2): http://www.ssae16.org/white-papers/ssae-16-soc-1-2-3.html

 

Understanding SaaS Compliance – SSAE 16 / SOC 1 / SOC 2: https://en.wikipedia.org/wiki/Service_Organization_Controls

 

Terminology: (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring) Detailed vs High-Level

GLBA:

http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act

 

ISO:

ISO 27001 / 27002:

http://www.27000.org/iso-27001.htm

http://www.27000.org/iso-27002.htm

 

ISO/27005:

http://www.27000.org/iso-27005.htm

 

NIST:

NIST SP 800 Series

NIST SP 800-53 (R4; the link below is to the Rev 3 errata-updated PDF):

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

NIST RMF Risk Management Framework (SP 800-37):

NIST SP 800-64: Security in the SDLC: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

NIST SP 800-30: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

IT Controls Checklists:  http://www.checklist20.com/

 

Technology Risk

5 Biggest IT risks explained (very good): http://www.youtube.com/watch?v=5UXhJyTunhM

(Hacking/ social engineering, Fraud, Disasters, Change / Disruptive, ROI)

 

Risk Register: 4 Steps (very good):  http://www.youtube.com/watch?v=mNQzRdWy9Ow

(Risk Frameworks, Categories, Strategic Objectives/Map / Balanced Scorecards / Weightings / Likelihood / Impacts / Risk Score)

Why most Risk Assessments are Wrong (TR): http://www.youtube.com/watch?v=PA9rqNBZWIw&feature=endscreen&NR=1

 

Risk Assessment (TR): http://www.youtube.com/watch?v=eD2mQ6ooYO4

Archer: Risk Management: http://www.youtube.com/watch?v=6KaapSEkOlQ

 

IT Risk Management 2.0: http://www.youtube.com/watch?v=VkmIOJYA3hM

Strategic Risk Management Dashboards: http://www.otusanalytics.com/wp/?p=422

Risk, Event Management & Importance of Excellence (Great): http://www.youtube.com/watch?v=t8Mr23rLps0

 

Technology Risk Radar: http://www.kpmg.co.uk/email/11Nov13/OM006033A/index.html#46

Archer: eGRC:  http://www.youtube.com/watch?v=SMkj8twTM6c

Archer Smart Suite Framework: http://www.infosecurityproductsguide.com/technology/2007/Archer_Compliance.html

Technology Risk Assessments

Risk Assessments: https://www.smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf

Risk Assessment Report Template – example: Risk Assessment Report Template (CDC – OCIO)

Information Risk Assessments: Understanding the process:

OCTAVE – Method – Intro: http://www.cert.org/octave/methodintro.html

 

IT Information Security Risk Assessments Tools / Templates / Audit Guides:

Risk Assessment Toolkit: California Office of the CIO (cio.ca.gov) (good info): http://www.cio.ca.gov/OIS/government/risk/toolkit.asp

 

Agile Risk Management in 5 simple steps: http://michaellant.com/2010/06/04/five-simple-steps-to-agile-risk-management

Burndown Chart: http://www.mountaingoatsoftware.com/blog/managing-risk-on-agile-projects-with-the-risk-burndown-chart

 

Some of the independent resources available include:

·         Center for Internet Security (CIS):  http://benchmarks.cisecurity.org/

·         National Institute of Standards and Technology (NIST):  http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

·         National Security Agency (NSA):  https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml


Sample Visio – Public vs Private Cloud

Public vs Private Cloud

www.bestitdocuments.com

 


Sample – Healthcare (HIPAA, HiTRust, HiTech) Tiered Application and System Support Services

Healthcare (HIPAA, HiTrust, HiTech) Tiered Application and System Support Services

Tiered Application and System Support Services

Measures include:

  • Time to Respond (Priority 1-4)
  • Time to Resolve (Priority 1-4)
  • % of Open Break Fix Issues that Exceed the SLA
  • Tier 1 Applications / System Availability (system uptime):

 

  • Cerner
  • Meditech
  • PACs
  • PPP
  • McKesson Star
  • Lawson
  • Core Network Systems
  • EICU

 

Tiered Application and System Support Services

  • Time to Respond – amount of time required for an incident (ticket) to be assigned for work.

Monthly Goals (Name of SLA: Proposed Goal)

Time to Respond, Priority 1 (Urgent): 90% within 15 Minutes
Time to Respond, Priority 2 (High): 90% within 4 Business Hours
Time to Respond, Priority 3 (Medium): 90% within 1 Business Day
Time to Respond, Priority 4 (Low): 90% within 3 Business Days

 

Tiered Application and System Support Services

  • Time to Resolve – amount of time required for an incident (service) to be restored.

Monthly Goals (Name of SLA: Proposed Goal)

Time to Resolve, Priority 1 (Urgent): 90% within 4 Hours
Time to Resolve, Priority 2 (High): 90% within 8 Business Hours
Time to Resolve, Priority 3 (Medium): 90% within 3 Business Days
Time to Resolve, Priority 4 (Low): 90% within 10 Business Days

 

  • % of Open Break Fix Issues that Exceed SLA – percentage of open incidents (tickets) that exceed the SLA for all priority levels in a given month.

Monthly Goal: < 35%

Name of SLA: Proposed Goal
% of Open Break Fix Issues that Exceed SLA: < 35% of Open Break Fix Issues

  • Tier 1 Applications / System Availability

Monthly Goal: > 99.9%

Name of SLA: Proposed Goal
Tier 1 Applications / System Availability, one row per Tier 1 application listed above (Cerner, Meditech, PACs, PPP, McKesson Star, Lawson, Core Network Systems, EICU): > 99.9% Availability

 

Customer Support Services

Measures include:

  • Total Call Volume
  • Average Speed to Answer
  • Call Abandonment Rate
  • First Call Resolution Rate

 

  • Total Call Volume – number of calls into each of the Help Desks in a given month.

Help Desk: Proposed Goal
Denver Administration: xxxxxx
Houston HD: xxxxxx
California Server: xxxxxx

  • Average Speed to Answer / per Queue (Seconds) – average length of time required (in seconds) to answer calls into the Help Desk in a given month.

Monthly Goal: < 55 seconds

Help Desk: Proposed Goal
Denver Administration: < 55 seconds
Houston HD: < 55 seconds
California Server: < 55 seconds

  • Call Abandonment Rate / per Queue – rate of calls where the caller hung up while phoning the Help Desk in a given month.

Monthly Goal: < 15%

Help Desk: Proposed Goal
Denver Administration: < 15%
Houston HD: < 15%
California Server: < 15%

 

  • First Call Resolution Rate – rate of incidents resolved during the first call to the Help Desk.

Monthly Goal: > 50%

Help Desk: Proposed Goal
Denver Administration: > 50%
Houston HD: > 50%

  • Measures currently include:

    Tier 1 Application and System Back-Ups

Monthly Goal: > 75% successfully backed up within window

Name of SLA: Proposed Goal
Tier 1 Application and System Back-Ups: > 75% successfully backed up within window

 

Security Services

  • Measures include:

    Virus Protection Currency on Servers (current within 7 days)
    Virus Protection Currency on Desktops (current within 7 days)

Monthly Goal: > 90%

Name of SLA: Proposed Goal
Virus Protection Currency, Servers (within 7 days): > 90% Virus Protection Compliance
Virus Protection Currency, Desktops (within 7 days): > 90% Virus Protection Compliance

 

  • Measures include:

    Change Timeliness of Non-Routine Changes (Urgent, High, and Medium)
    Change Accuracy of Non-Routine Changes (Urgent, High, and Medium)
    % of Urgent and High Unplanned Emergency Changes

Name of SLA: Proposed Goal
Change Timeliness of Non-Routine Changes (Urgent, High, and Medium): > 95% of changes completed within the change window
Change Accuracy of Non-Routine Changes (Urgent, High, and Medium): > 95% change success
% of Urgent and High Unplanned Emergency Changes: < 20% of High and Urgent changes submitted as Emergency

 

Report and Review Services

  • SLA Review Reports published to the OCIO and Service Delivery Sub-Committee on time
  • Percentage of SLAs that meet or exceed targets (Scorecard Metric)
  • Scorecard published to the OCIO and Service Delivery Sub-Committee on time
  • Scorecard data received on time
  • Percentage of Scorecard measures that meet or exceed targets

SLA Dashboard and ITS Balanced Scorecard are published on the last business day of each reporting month.

Name of SLA: Proposed Goal
SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time: > 95% reported on time
Percentage of SLAs that meet or exceed targets (SCORECARD METRIC): > 80% reported Green (18-month goal)
Scorecard Published to OCIO and Service Delivery Sub-Committee on Time: > 95% (by the 15th of the month)
Scorecard Data Received on Time: > 95% (received prior to the 26th of the month)
Percentage of Scorecard measures that meet or exceed targets: > 80% reported Green

Report and Review Services

Measures include:

  • Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time
  • LITED: percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC)
  • LITED: percent of Action Plans completed on time (SCORECARD METRIC)
  • SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time
  • Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)
  • Scorecard Published to OCIO and Service Delivery Sub-Committee on Time
  • Scorecard Data Received on Time
  • Percentage of Scorecard measures that meet or exceed targets

 

Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time

Published on the last business day of the reporting month.

Name of SLA: Proposed Goal
Customer Satisfaction (LITED) Reports Published to OCIO and Service Delivery Sub-Committee on Time: > 95% reported on time

 

LITED: percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD Performance Review and National Scorecard METRIC)

Did IT meet the overall expectations of Service Delivery in the following focus areas:

  • Operations Service Delivery (OSD) – includes Help Desk, Desktop Support and Direct Customer Support
  • Program & Project Delivery (PPD) – includes EPMO, Legal, Contract & Vendor Management
  • Service Quality (SVC)
  • Value Creation (VAL)
  • Relationships (REL)

Name of SLA: Proposed Goal
LITED: % overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC): > 75% reported Meets Expectations

LITED: percent of Action Plans completed on time (SCORECARD Performance Review and National Scorecard METRIC)

Name of SLA: Proposed Goal
LITED: % of Action Plans completed on time (SCORECARD METRIC): > 95% completed

 


 

Tiered Applications and System Support Services

Customer Support Services

Business Continuity Management Services

Security Services

Change Management Services

IT Release and Project Management Services

Report and Review Services

Contracting and Vendor Management Support Services

 

In relation to the clinical needs of the patient

  1. In anticipation of Medicare AND insurer changes
  2. These are not the only influencers of cost & revenue (i.e. Case Managers, Physicians, OR Staff, Service Line Leadership)

Tier 1 applications:

  1. Cerner
  2. Meditech
  3. PACs
  4. PPP
  5. McKesson Star
  6. Lawson
  7. Core Network Systems
  8. EICU
 

Corporate Future Growth Strategy Involves Significant Influx Of New Physicians, Staff, And Clinical Facilities.

  • Align newly acquired operations with Corporate security standards quickly and efficiently – without impact to acquisition/integration timelines.

 

Address security gaps at time of acquisition.

  • Avoid inheriting non-compliant systems or processes
  • Synergy with tech-refresh activities associated with the acquisition

 

Due Diligence

  • Identify any security issues that are material to the acquisition.
  • Assess the amount of security investment needed to bring the acquired operation into compliance with Corporate standards.

Pre-Integration

  • Risk assessment to identify gaps in infrastructure and processes.
  • Remediation to stop-gap any critical items.
  • Establish roles and provision access for new staff.
  • Overlay Corporate standard security technologies.

 

Post-Integration

  • Bring systems and processes into alignment with Corporate standards.
  • Ensure and maintain compliance.

 

Internal Scans

  • Vendor being used for initial scans to allow for implementation of program by staff
  • Internal team will lead vendor initiative and implement program simultaneously

 

External Scans

  • All Corporate external addresses
  • Denver address space represented here
  • Remaining results to be reviewed with groups next week

 

Acquisition Scans

  • Qualys acquisition represented
  • Rescan April 2019
  • Remediation results reported after rescan
  • Chattanooga Heart scan report to be completed next week.

 

Divestiture Scans

  • No active divestitures

 

Future State Vision

  • Consistent, holistic enterprise-wide approach.
  • Cover all information assets.
  • Coordinate security and business resilience.
  • Enable access to accommodate physician growth and workforce mobility.
  • Establish a control structure framework to meet and manage HIPAA and PCI compliance.

 

Program Maturity Objectives

  • Meet defined customer service objectives.
  • Predictable cost for sustainable compliance.
  • Active management and significant reduction of risk.
  • Adoption across entire enterprise.
  • Business decisions influenced by trends and metrics.
  • Program covers new and emerging risks (mobile, virtualization etc.).

 


Healthcare IT Technology Issues to consider


Definition of an Application

An application is defined as an environment that consists of a set of deployed (installed) software that is executable on hardware supporting business function(s) and is managed as a unit.

 

Important information maintained about an application includes:

  • Design and functional information
  • Software information
  • Database Information
  • Descriptive / identifying information
  • Datacenter / geographical information
  • Disaster recovery information
  • Collaboration information
  • Support roles / responsibilities and Contact information.        
  • PCI Compliance information
  • HIPAA Compliance information
  • SOX Compliance information

 


Sample – HIPAA Access Components – Identity Management Visio


Visio – Application Security Principles

Posted in Application (380),Compliances (1300),O S (375),Web Services (250) by Guest on the August 13th, 2018

Application Security Principles


WebSphere Application Server Internals.pdf


Legacy – NetCache – CLI Help Documents


Sample Visio – Cloud Governance Framework

Sample – Cloud Governance framework


Sample Visio – Cloud Application Services

Sample – Cloud Application Services


Sample Visio – Cloud Service Delivery Framework


Sample – Asset Rating

Posted in Compliances (1300),Policies - Standards (600),Security (1500) by Guest on the September 3rd, 2016

Purpose

This document provides guidelines and instructions that enable Symantec users or Technology Services Group members to develop, identify, evaluate and remediate system and application vulnerabilities in order to prevent a catastrophic systems failure.

 

Background

This document defines accountability and a process that coordinates the patch and vulnerability management effort to include communication, documentation and reporting requirements. By adhering to the following guidelines, Symantec can reduce risks that can lead to adverse security incidents. The primary parties responsible for complying with these procedures include key Information Technology (IT) managers and Risk Management’s Information Security Officer (ISO).

 

Rating factors (each scored 1 – 5):

Technical Impact: a measure of how important a device is to the communications of the network.
Threat: an activity that has the potential of causing harm to a computer or a network.
Vulnerability: a flaw, misconfiguration, or weakness that allows the security of the system to be violated.
Criticality: a measure of how important a system is to the organization's mission.

Scale:

1 – Lowest – no risk or does not apply
2 – Low risk – little or no impact
3 – Would cause damage
4 – Would cause serious damage
5 – Would cause exceptionally grave damage


Patch and Vulnerability Research Resources

Overview

This procedure was developed to identify and evaluate system and application vulnerabilities through research. This document defines accountability and a process that shows where to look for vulnerabilities that affect [Client] and how to access [Client] personalized resources. By adhering to the following guidelines, [Client] keeps abreast of new vulnerabilities, exploits, viruses and worms. The primary party responsible for complying with these procedures is Risk Management's Information Security Officer (ISO). Instructions for the frequency at which the ISO (or designee) should check these resources are listed below.

 

Source Documentation/Information

  • Cassandra Incident Response Database – https://cassandra.cerias.purdue.edu/user/logout.php A website developed by the Center for Education and Research in Information Assurance and Security (CERIAS). This site allows security professionals to build a profile that lists the vendors and operating systems that apply to their infrastructure. The site gets its information from the ICAT database maintained by NIST. This site is secured using SSL 128-bit encryption.

 

  • The Internet Storm Center – http://isc.incidents.org/ Supported by the SysAdmin, Audit, Network, Security (SANS) Institute, a website that takes volunteered IDS logs from around the world (over 3 million) and makes the statistics available on the internet free of charge. This web site is good for seeing what the top ten scanned ports are and the top ten IPs they are coming from.

 

  • CERT Current Activity – http://www.cert.org/current/current_activity.html The CERT Coordination Center (CERT/CC) was formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during an Internet security incident. The CERT/CC is part of the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI), Carnegie Mellon University. The primary goal of the NSS Program is to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks.

 

  • Secunia – http://www.secunia.com/advisories The Secunia Security Advisories list is free and designed for the IT professional who wants one source of information about the latest software vulnerabilities and security fixes. This site ranks each vulnerability on a 1 – 5 scale. Outstanding site for justifying the need for patches or mitigation.

 

  • SecurityFocus BugTraq Vulnerability Forum – http://online.securityfocus.com/archive/1 The Bugtraq list carries correspondence about vulnerabilities that may or may not be verified. Separately, once an issue is submitted to the CVE initiative, MITRE (which maintains CVE) assigns it a candidate number; after thorough evaluation, if the candidate is a true vulnerability, it receives a CVE (Common Vulnerabilities and Exposures) identifier.


  • Microsoft Security Notification Service – http://www.microsoft.com/security/security_bulletins/decision.asp Microsoft TechNet offers the Microsoft Security Notification Service. These e-mail messages are geared toward IT professionals and contain in-depth technical information. Each states the date the problem was found, what the problem is and how to mitigate it. In many cases the bulletins list "Mitigating Factors" that may make the vulnerability non-applicable or may heighten the need for action. The bulletins also carry patch information: whether a patch is available, where to get it and what it does.

 

  • SANS Newsbites – http://portal.sans.org/register.php The SANS NewsBites is a weekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible. Spend five minutes per week to keep up with the high-level perspective of all the latest security news. Each issue is delivered weekly by email, Free.

 

  • ICAT Database – http://icat.nist.gov/icat.cfm The ICAT Metabase is a searchable index of computer vulnerabilities. ICAT links users into a variety of publicly available vulnerability databases and patch sites. ICAT indexes the information available in CERT advisories, ISS X-Force, Security Focus, NT Bugtraq, Bugtraq, and a variety of vendor security and patch bulletins. ICAT is maintained by the National Institute of Standards and Technology and uses the CVE naming standard.

Sample – Sample VM Compliance Tracking Spreadsheet

Posted in Compliances (1300),O S (375),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the February 25th, 2016

Sample VM Compliance Tracking Spreadsheet

Sample_VM_Compliance_Tracking.xlsx


Sample Word – Visio RSA – ESI Event Source Integration

Sample Word and Visio document download

RSA – ESI Event Source Integration

Sample Word – POC Imprivata Hardware – Software Resources


Sample Word – POC Clinical Application VDI Desktop Integration

Free Word Document Download

POC Clinical Application VDI Desktop Integration

 


Sample Word – Clinical Access SSO Test Cases

Free Word document download

Clinical Access SSO Test Cases

 


Sample Excel – Sample Systems Migrated Tracking

Posted in Compliances (1300),Data Center - SOC - NOC,O S (375) by Guest on the August 21st, 2015

Free Excel document download

Sample Systems Migrated Tracking

 


Sample Word – POC Clinical Application VDI Use Cases

Free Word document download

POC Clinical Application VDI Use Cases

 


Sample Word – Clinical Radiology Provisioning Architecture (PACs)

Free Word document download

HIPAA, HITech / HITrust

Clinical PACS System Detailed Information for provisioning

 


Sample Word – Regulation and compliance log retention best practices

Posted in Compliances (1300),Policies - Standards (600),Security (1500) by Guest on the August 6th, 2015

Free word document downloads

  • The Basel II Accord
  • FISMA
  • GLBA
  • HIPAA
  • NERC
  • NISPOM
  • PCI
  • SOX
  • EU

 


Admission / Registrations Applications – IT Security Applications Group Manager Roles

Posted in Compliances (1300),Health Care HIPAA - HITECH - HITECH (98) by Guest on the August 1st, 2015

Revenue Cycle – Admission/Registrations Applications

This position will manage implementation and support of admissions/registration applications.  This will include but not be limited to applications from Meditech and McKesson.  Other applications which are used in the admissions processes and facilitate revenue cycle such as insurance verification, scheduling, authorization and referral management will fall in this area.  In addition this manager will oversee general financial applications implementation and support (GL, AP, MM, PP) at Meditech sites which have not gone live with Corporate Connect.

Revenue Cycle – Meditech Technical Support

This position will manage Meditech technical support including NPR report writing / data extracts, custom programming, system performance, coordination of downtimes and systems architecture.  This position will have a dotted-line reporting relationship to the Director of Meditech Clinical Applications.

Revenue Cycle – McKesson Technical Support

This position will manage McKesson technical support including report writing / data extracts, custom programming, system performance, coordination of downtimes and systems architecture.  This position will coordinate heavily with clinical areas using McKesson applications.

Revenue Cycle – Billing Applications

This position will manage implementation and support of billing related applications.  This will include but not be limited to applications from Meditech and McKesson.  Other applications which are used in the billing processes and facilitate claims submission and revenue cycle processes such as ePremis will fall in this area.

Revenue Cycle – Abstracting / Coding / Medical Records Applications

This position will manage implementation and support of coding, abstracting and medical records applications.  This will include but not be limited to applications from Meditech and McKesson.  Other applications which are used in the coding processes and facilitate revenue cycle such as 3M encoder and grouper software will be supported in this area.
