High level architecture of Apache

Basic, well-known information on how Apache is organized. Apache is broken up into several pieces: the server core, the Apache Portable Runtime, the Apache Portable Runtime utilities, support infrastructure, and numerous modules. How is the Apache source code organized? The server core source code resides in $SRCROOT/server; the server core header files reside in $SRCROOT/include…

HITRUST – CSF Control Categories

CSF Control Categories: Information Security Management Program; Access Control; Human Resources Security; Risk Management; Security Policy; Organization of Information Security; Compliance; Asset Management; Physical and Environmental Security; Communications and Operations Management; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management.

Oracle hardening considerations

Disable install and demo accounts; disallow default user/password; PUBLIC has execute on System privilege; PUBLIC has execute on Object privilege; PUBLIC has execute on UTL_FILE; PUBLIC has execute on UTL_SMTP; PUBLIC has execute on UTL_HTTP; PUBLIC has execute on UTL_TCP; PUBLIC has execute on DBMS_RANDOM; password complexity; restrict number of failed login attempts; authentication protocol fallback; connect and…

Sample of Application Support Management Services

When considering an Application Service Provider, understand that changes are inevitable in any IT environment. Changes can happen in a business environment for many reasons; some key reasons are listed below: 1. Application Consolidation 2. Application Decommissioning, etc. 3. Acquisitions 4. Divestiture 5. Downsizing. Considering an Application Service Provider that has a very flexible development…

Sample Visio – Simple Application upstream / downstream flow and interactions

This sample drawing demonstrates how IT applications should be documented. Systems, databases, flows and dependencies are important for testing, development, support, reliability and auditing. Free Visio document download: Application and flows.

Sample – EPHI (HIPAA) – Administrative Technical Controls

Standards, sections and descriptions: Security Management Process (§ 164.308(a)(1)): Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review. Assigned Security Responsibility (§ 164.308(a)(2)). Workforce Security (§ 164.308(a)(3)): Authorization and/or Supervision, Workforce Clearance Procedure, Termination…

Sample – EPHI (HIPAA) – Physical Technical Controls

Standards, sections and descriptions: Facility Access Controls (§ 164.310(a)(1)): Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, Maintenance Records. Workstation Use (§ 164.310(b)). Workstation Security (§ 164.310(c)). Device and Media Controls (§ 164.310(d)(1))…

Sample – EPHI (HIPAA) – Technical Security Controls

Standards, sections and descriptions: Access Control (§ 164.312(a)(1)): Unique User Identification, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption. Audit Controls (§ 164.312(b)). Integrity (§ 164.312(c)(1)): Mechanism to Authenticate Electronic Protected Health Information. Person or…

Limitations of Type I SAS 70

A Type II report will perform testing to determine that 1) the description presents fairly the controls that have been placed in operation; 2) the controls were suitably designed to achieve the control objectives; 3) the controls were operating effectively. It could result in a Qualified Opinion if the description of controls and/or tests of operating…

Regulations Touches Everyone

Implications: regulations affect everyone; non-regulated still implies best practices; no one-stop solutions; real-time alerting is a vital component of compliance; customers are looking for real-time help on the mainframe. Legislative background: Fourth Amendment; FCA Title III; FISA; ECPA; CALEA; Digital Privacy Act of 2000; Electronic Privacy Act of 2000; The Information Technology (IT) Management Reform…

SAS70 Overview

What is Risk Management? The process of analyzing information technology, financial, and operational risks and implementing solutions to reduce or eliminate exposures in a cost-effective manner. Information technology is broadly defined to include all forms of technology used to create, store, exchange, and use information in its various forms. Financial risk could result in…

Countermeasures Based on Security Policy and Accountability

Briefly discuss the protection mechanisms available in the system that help to counter the threats described in the above narrative. This narrative should serve as a summary of the protection philosophy used in the design and implementation of the protection mechanisms. Physical Security Assumptions (1) Provide a narrative that states what physical security assumptions are made by…

Data Security Strategy

1. Obtain an understanding of the data security strategy. Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the…

Sample Product Evaluation criteria

Task: Identify criteria used to evaluate and recommend security products. Instructions: Refer the students to the email after the IS Security Program Review module. Allow the students to work on the exercise for approximately 10 minutes. Call on several students and ask them what criteria they use to evaluate countermeasures. Respond according to the students'…

Quality of Service (QOS) Considerations

Performance – ability to deliver results (throughput or bandwidth) within the least response time (latency). Scalability – ability to cater to greater demands imposed upon the system (e.g., support an increased number of users or products) without affecting any of the other QoS parameters. Reliability – ability to function with the least occurrence of failure. Availability –…

OWASP TOP 10

Issues and suggested remediation (issue: explanation). 6.5.1 Cross Site Scripting (XSS): testing of parameters before inclusion. 6.5.2 Injection Flaws: testing of input to verify user data cannot modify the meaning of commands and queries. 6.5.3 Malicious File Execution: validate input to verify the application does not accept filenames or files from users. 6.5.4 Insecure Direct Object Reference…