Information Security Booklet – July 2006

TABLE OF CONTENTS

INTRODUCTION ..... 1
    Overview ..... 1
    Coordination with GLBA Section 501(b) ..... 2
    Security Objectives ..... 2
    Regulatory Guidance, Resources, and Standards ..... 3
SECURITY PROCESS ..... 4
    Overview ..... 4
    Governance ..... 5
    Management Structure ..... 5
    Responsibility and Accountability ..... 5
INFORMATION SECURITY RISK ASSESSMENT ..... 9
    Overview ..... 9
    Key Steps ..... 10
    Gather Necessary Information ..... 10
    Identification of Information and Information Systems ..... 11
    Analyze the Information ..... 11
    Assign Risk Ratings ..... 14
    Key Risk Assessment Practices ..... 15
INFORMATION SECURITY STRATEGY ..... 17
    Key Concepts ..... 18
    Architecture Considerations ..... 19
    Policies and Procedures ..... 19
    Technology Design ..... 20
    Outsourced Security Services ..... 21
SECURITY CONTROLS IMPLEMENTATION ..... 22
    Access Control ..... 22
    Access Rights Administration ..... 22
    Authentication ..... 25
    Network Access ..... 37
    Operating System Access ..... 46
    Application Access ..... 48
    Remote Access ..... 50
    Physical and Environmental Protection ..... 52
    Data Center Security ..... 53
    Cabinet and Vault Security ..... 54
    Physical Security in Distributed IT Environments ..... 54
    Encryption ..... 56
    How Encryption Works ..... 57
    Encryption Key Management ..... 57
    Encryption Types ..... 58
    Examples of Encryption Uses ..... 59
    Malicious Code Prevention ..... 60
    Controls to Protect Against Malicious Code ..... 61
    Systems Development, Acquisition, and Maintenance ..... 63
    Software Development and Acquisition ..... 63
    Systems Maintenance ..... 67
    Personnel Security ..... 70
    Background Checks and Screening ..... 71
    Agreements: Confidentiality, Non-Disclosure, and Authorized Use ..... 71
    Job Descriptions ..... 72
    Training ..... 72
    Data Security ..... 72
    Theory and Tools ..... 73
    Practical Application ..... 73
    Service Provider Oversight ..... 76
    Trust Services ..... 77
    SAS 70 Reports ..... 77
    Business Continuity Considerations ..... 78
    Insurance ..... 79
SECURITY MONITORING ..... 81
    Architecture Issues ..... 82
    Activity Monitoring ..... 82
    Network Intrusion Detection Systems ..... 83
    Honeypots ..... 85
    Host Intrusion Detection Systems ..... 86
    Log Transmission, Normalization, Storage, and Protection ..... 87
    Condition Monitoring ..... 87
    Self Assessments ..... 87
    Metrics ..... 88
    Independent Tests ..... 88
    Analysis and Response ..... 90
    Security Incidents ..... 91
    Intrusion Response ..... 92
    Outsourced Systems ..... 93
SECURITY PROCESS MONITORING AND UPDATING ..... 95
    Monitoring ..... 95
    Updating ..... 96
APPENDIX A: EXAMINATION PROCEDURES ..... A-1
APPENDIX B: GLOSSARY ..... B-1
APPENDIX C: LAWS, REGULATIONS, AND GUIDANCE ..... C-1

INTRODUCTION

OVERVIEW

Information is one of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the financial institution industry has a primary role in protecting the nation’s financial services infrastructure. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer financial information. Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. This booklet provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.

Organizations often inaccurately perceive information security as the state or condition of controls at a point in time. Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture. Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.

Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

FFIEC IT Examination Handbook Page 1

COORDINATION WITH GLBA SECTION 501(B)

Member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA) [1] by defining a process-based approach to security in the “Interagency Guidelines Establishing Information Security Standards” (501(b) guidelines). The 501(b) guidelines afford the FFIEC agencies [2] (agencies) enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations and all related data, and serves as a supplement to the agencies’ GLBA 501(b) expectations.

SECURITY OBJECTIVES

Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT) related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives. [3]

- Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
- Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
- Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
- Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
- Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Integrity and accountability combine to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counterparty, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification. [4]

[1] See Appendix C for a listing of laws, regulations, and agency guidance.
[2] Board of Governors of the Federal Reserve System (Federal Reserve Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS).
[3] Underlying Models for IT Security, NIST, SP 800-33, p. 2.
[4] The federal E-Sign Act, 15 USC 7001, et seq., does not resolve this issue.

REGULATORY GUIDANCE, RESOURCES, AND STANDARDS

Financial institutions developing or reviewing their information security controls, policies, procedures, or processes have a variety of sources upon which to draw. First, federal laws and regulations address security, and regulators have issued numerous security-related guidance documents. [5] Institutions also have a number of third-party or security industry resources to draw upon for guidance, including outside auditors, consulting firms, insurance companies, and information security professional organizations. In addition, many national and international standard-setting organizations are working to define information security standards and best practices for electronic commerce. While no formal industry-accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices. Some standard-setting groups include the following organizations:

- The National Institute of Standards and Technology (NIST) at www.nist.gov;
- The International Organization for Standardization (ISO) Information technology at www.iso.ch, with specific standards such as the code of practice for information security management (ISO/IEC 17799) and Information technology—Security techniques—Evaluation criteria for IT security (ISO/IEC 15408); and
- The Information Systems Audit and Control Association (ISACA)—Control Objectives for Information Technology (COBIT), at www.isaca.org/cobit.htm.

[5] See Appendix C for a listing of laws, regulations, and agency guidance. See also the FFIEC IT Examination Handbook series of booklets, of which this booklet is a part.

SECURITY PROCESS

Action Summary

Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management, and employees.

OVERVIEW

The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions. The process includes five areas that serve as the framework for this booklet:

- Information Security Risk Assessment—A process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
- Information Security Strategy—A plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
- Security Controls Implementation—The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
- Security Monitoring—The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These methodologies should verify that significant controls are effective and performing as intended.
- Security Process Monitoring and Updating—The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, and actual attacks on the institution or others, combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a one-time event.

Security risk variables include threats, vulnerabilities, attack techniques, the expected frequency of attacks, financial institution operations and technology, and the financial institution’s defensive posture. All of these variables change constantly. Therefore, an institution’s management of the risks requires an ongoing process.

GOVERNANCE

Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards, and procedures, allocation of resources, monitoring, and accountability. Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise. Although all aspects of institutional governance are important to the maintenance of a secure environment, this booklet will speak to those aspects that are unique to information security. This section will address the management structure, responsibilities, and accountability.

MANAGEMENT STRUCTURE

Information security is a significant business risk that demands engag
