PCI DSS Provisioning and Hardening Checklists & Forms

Date post: 11-Aug-2020
Page 1: PCI DSS Provisioning and Hardening Checklists & Forms · devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them)

PCI DSS Provisioning and Hardening Checklists & Forms

Table of Contents  

1. Firewall Provisioning and Hardening Checklists (Overview)                 3 

2. Cisco PIX Firewall Provisioning and Hardening Checklist                4 

3. CISCO PIX Firewall Business Needs Checklist                  8 

4. CISCO PIX Firewall Review and Audit Checklist                  9 

5. Cisco ASA Firewall Provisioning and Hardening Checklist                10 

6. CISCO ASA Firewall Business Needs Checklist                  15 

7. CISCO ASA Firewall Review and Audit Checklist                  16 

8. Juniper Networks NetScreen & SSG Firewall Provisioning and Hardening Checklist          17 

9. Juniper Networks NetScreen & SSG Firewall Business Needs Checklist              22 

10. Juniper Networks NetScreen & SSG Firewall Review and Audit Checklist            23 

11. Linux Iptables Firewall Provisioning and Hardening Checklist                24 

12. Linux Iptables Firewall Business Needs Checklist                  29 

13. Linux Iptables Firewall Review and Audit Checklist                  30 

14. SonicWALL Firewall Provisioning and Hardening Checklist                31 

15. SonicWALL Firewall Business Needs Checklist                  36 

16. SonicWALL Firewall Review and Audit Checklist                  37 

17. Fortinet FortiGate Firewall Provisioning and Hardening Checklist              38 

18. Fortinet FortiGate Firewall Business Needs Checklist                44 

19. Fortinet FortiGate Firewall Review and Audit Checklist                45 

20. Palo Alto Firewall Provisioning and Hardening Checklist                46 

21. Palo Alto Firewall Business Needs Checklist                  53 

22. Palo Alto Firewall Review and Audit Checklist                  54 

23. Checkpoint Firewall Provisioning and Hardening Checklist                55 

24. Checkpoint Firewall Business Needs Checklist                  62 

25. Checkpoint Firewall Review and Audit Checklist                  63 

26. Barracuda Web Filter Firewall Provisioning and Hardening Checklist              64 

27. Barracuda Web Filter Firewall Business Needs Checklist                71 

28. Barracuda Web Filter Firewall Review and Audit Checklist                72 

29. Microsoft Windows Server Provisioning and Hardening Checklists (Overview)             73 

30. Windows Server 2003 (WIN2K3) Provisioning and Hardening Checklist              74 

31. Windows Server 2008 (WIN2K8) Provisioning and Hardening Checklist              83 

32. Windows Server 2008 R2 (WIN2K8 R2) Provisioning and Hardening Checklist            95 

33. UNIX Server Provisioning and Hardening Checklists (Overview)               108 

34. SOLARIS Provisioning and Hardening Checklist                  109 

35. HP-UX 11i Provisioning and Hardening Checklist 116

36. LINUX Distributions Provisioning and Hardening Checklist                124 

37. Red Hat Enterprise LINUX (RHEL) 5 Provisioning and Hardening Checklist            134 

38. Red Hat Enterprise LINUX (RHEL) 6 Provisioning and Hardening Checklist            139 

39. Web Server Provisioning and Hardening Checklists (Overview)               148 

40. Apache (Version 2.2) LINUX Web Server Provisioning and Hardening Checklist            149 

41. Apache (Version 2.2) Windows Web Server Provisioning and Hardening Checklist           154 

42. Microsoft Internet Information Services (IIS) Web Server Provisioning and Hardening Checklist        160 

43. Apache Tomcat Web Server Provisioning and Hardening Checklist              166 

44. Database Provisioning and Hardening Checklists (Overview)                171 

45. Oracle 11 Database Provisioning and Hardening Checklists                172 

46. MySQL 5 Database Provisioning and Hardening Checklists                178 

47. Microsoft (MS) SQL Server 2005 Provisioning and Hardening Checklist              183 

48. Microsoft (MS) SQL Server 2008 Provisioning and Hardening Checklist              189 

49. Microsoft (MS) SQL Server 2008 R2 Provisioning and Hardening Checklist            196 

50. Microsoft (MS) SQL Server 2012 Provisioning and Hardening Checklist              203

License Agreement 

The document you have purchased contains an electronic watermark, which is a unique identifier applied to every document originating from www.pcipolicyportal.com. The use of this document is limited exclusively to a one-time usage license for any individual or organization seeking to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. Any redistribution of this document to another individual or organization is strictly prohibited and is punishable by law.

Common examples of the redistribution of this document include but are not limited to the following:

o the sharing of this document to assist other individuals or organizations in PCI DSS compliance or for any other reason
o the knowing dissemination of this document to another individual or organization without the said individual or organization having purchased the one-time usage license from www.pcipolicyportal.com

Any attempt to reproduce, publish, license, create derivative works from, transfer, post on any network, broadcast in any media or sell any information, software, products or services obtained from this document, unless explicitly permitted by www.pcipolicyportal.com, is prohibited and is subject to severe legal ramifications.

About this Document

Congratulations, you have just purchased the most in-depth and comprehensive set of information security provisioning and hardening documents found anywhere today. Additionally, these helpful forms and checklists can be utilized for any compliance mandate, or as best practice, for ensuring all critical systems are adequately provisioned, hardened, secured, and locked down as needed.

Firewall Provisioning and Hardening Checklists (Overview)

The below referenced documents are an excellent resource for properly provisioning, hardening, securing, and locking down all system components in accordance with the mandated PCI DSS requirements.

PCI DSS Requirement 12.1 Information Security Policy Table of Contents

Overview 3

Purposes 3

Scope 3

Policy 4

Roles and Responsibilities 4
o Chief Technology Officer | Chief Information Officer 4
o Director of Information Technology | Senior Information Security Officer 4
o Network Engineer | Systems Administrator 4
o Software Developers | Coders 5
o Change Management | Change Control Personnel 6
o End Users 6
o Vendors, Contractors, Other Third-Party Entities 6

Information Security Solutions 7

Defense-in-Depth 7

Layered Security 8

Cyber Security 8

Cloud Computing 9

Email Guidelines, Responsibilities and Acceptable Use 9

The CAN-SPAM ACT 12

Internet Guidelines, Responsibilities and Acceptable Use 13

Network Guidelines, Responsibilities and Acceptable Use 15

Social Media Guidelines, Responsibilities and Acceptable Use 17

Identity Theft 20

Securing Your Home Network 21

Online Security and Mobile Computing 23

Online Shopping 24

Other Important Security Considerations 25

Helpful Security Resources 29

Security Updates 33

Workstation Security 34

Laptop Security 36

Software Licensing and Usage 37

Internal Threats 38

Clean Desk Policy 39

Data Security Breaches 40

Data and Information Classification 41

Security Categorization 42

Asset Inventory 42

Personally Identifiable Information (PII) 43

Protected Health Information (PHI) 44

Personally Identifiable Financial Information (PIFI) 44

Physical Security and Environmental Security 45


Personnel 45

Security Awareness Training 46

Provisioning and Hardening 46

Reference Material 47

Time Synchronization 47

Access Rights 48

Methods of Authentication 48

Password Parameters 49

De-Provisioning | Off-boarding Process 50

Remote Access 51

Wireless Security 51

Malware 53

Change Control | Change Management 53

Software Development Life Cycle (SDLC) 54

Patch Management 56

Vulnerability Management 57

Configuration Management 58

Vendor Management 58

Backup and Storage 59

Encryption 60

Event Monitoring 61

Configuration and Change Monitoring 61

Performance and Utilization Monitoring 62

Logging and Reporting 62

Data Retention and Disposal 63

Incident Response 63

Performance and Security Testing 64

Disaster Recovery 64   

Authorization Form for User Access | New Employees 67

Authorization Form for User Access | Vendors 71

Authorization Form for User Access | Guests 75

User De-provisioning | Off-boarding Form | All Users (Employee, Guest, Vendor, Other) 79

Employee Separation Form 82

Change Management Request Form (CMRF) 85

Change Management Logging System (CMLS) 87

Remote Access Request Form 88

Incident Response Plan Form 91

Security Awareness Training Instructional Guide 92

Wireless Security Checklist 101

PCI DSS Requirement 12.1 Information Security Policy and Procedures

1.0 Overview

In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal set of information security policy and supporting procedures.


This comprehensive policy document is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name]'s needs and goals.

1.0 Purpose

This policy and supporting procedures are designed to provide [company name] with a documented and formalized information security policy in accordance with Requirement 12.1 of the PCI DSS. Additionally, this policy also serves as the organization's primary, enterprise-wide information security manual. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all [company name] system components within the cardholder data environment and any other environments deemed applicable.

1.0 Scope

This policy and supporting procedures encompass all system components within the cardholder data environment that are owned, operated, maintained, and controlled by [company name], all other system components, both internal and external, that interact with these systems, and all other relevant systems.

Internal system components are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system components deemed in scope.

External system components are those owned, operated, maintained, and controlled by any entity other than [company name], but for which these very resources may impact the confidentiality, integrity, and availability (CIA) and overall security of the cardholder data environment and any other environments deemed applicable.

Please note that when referencing the term "system component(s)" or “system resource(s)” it implies the following: Any network component, server, or application included in or connected to the cardholder data environment (Source: pcisecuritystandards.org glossary) or any other relevant environment deemed in-scope for purposes of information security.

1.0 Policy

[Company name] is to ensure that the information security policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:

Roles and Responsibilities The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within [company name] regarding information security practices:

Chief Technology Officer (CTO) | Chief Information Officer (CIO): Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The CTO | CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization’s information systems posture.


Director of Information Technology | Senior Information Security Officer: Responsibilities also include providing overall direction, guidance, leadership and support for the entire information systems environment, while assisting other applicable personnel in their day-to-day operations, along with researching and developing information security standards for the organization as a whole. This will require extensive identification of industry benchmarks, standards, and frameworks that can be effectively utilized by the organization for provisioning, hardening, securing, and locking down critical system components. Subsequent to the researching of such standards, the senior security officer is to then oversee the establishment of a series of baseline configuration standards to include, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. Because baseline configurations can and will change, this authorized individual is to also update the applicable configurations, documenting all modifications and enhancements as required. Additional duties of the Director of Information Technology | Senior Information Security Officer include the following:

o Responsible for all major facets of information technology throughout the organization, including management and recommendations as necessary.
o Providing leadership, direction and guidance for current and existing projects.
o Overseeing the development of all applicable operational, business-specific, and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents and other necessary material.
o Overseeing initiatives for developing internal Requests for Proposals (RFPs), along with answering RFPs for services from the organization.
o Assistance in developing the annual information technology budget.
o Displaying integrity, honesty, and independence at all times.
o Supporting the Director of Information Technology | Senior Information Security Officer and other members of senior management as necessary.

Network Engineer | Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture against the stated baseline, and undertaking the necessary configurations. Because of the complexities and depth often involved with such activities, numerous personnel designated as Network Engineers | Systems Administrators are often involved. Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards, reporting to senior management all instances of non-compliance and the efforts undertaken to correct such issues. Additionally, because these individuals undertake the majority of the operational and technical procedures for the organization, it is critical to highlight other relevant duties, such as the following:

o Assessing and analyzing baseline configuration standards for ensuring they meet the intent and rigor for the overall safety and security (both logically and physically) of critical system components.

o Ensuring the asset inventory for all in-scope system components is in fact kept current and accurate.

o Ensuring that network topology documents are also kept current and accurate.
o Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits – such as those for PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
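The assessment-and-monitoring duties described above (compare each in-scope host against the baseline, then report every instance of non-compliance) are easy to mechanize. The following script is an added example and is not part of the pcipolicyportal.com checklists: it compares captured sshd_config and sysctl snapshots against a hardening baseline and returns one finding per missing or deviating directive. The baseline values, the host name and both snapshots are constructed for illustration; the one piece of real behaviour it models is that sshd honours the first occurrence of a repeated directive while sysctl applies the last, so a later "PasswordAuthentication no" does not rescue an earlier "yes".

```python
"""Baseline compliance check over captured host configuration.

Added example (not part of the original checklists): compares a captured
configuration snapshot against a hardening baseline and lists every
deviation so it can be reported as non-compliance. Baseline values, host
name and snapshots are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None: the baseline directive is absent from the snapshot


# Hypothetical baselines: each entry is a directive a hardening standard would
# mandate and the value it must carry.
SSHD_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}
SYSCTL_BASELINE: Dict[str, str] = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
}


def parse_settings(text: str, sep: Optional[str], first_wins: bool) -> Dict[str, str]:
    """Parse 'key value' lines (sep=None, sshd_config style) or 'key = value'
    lines (sep='=', sysctl style) into a dict.

    Blank lines and full-line '#' comments are skipped. sshd uses the FIRST
    occurrence of a directive and ignores later duplicates, whereas sysctl
    applies the LAST one, so the caller states which rule applies.
    Match blocks in sshd_config are not modelled.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1) if sep is None else [p.strip() for p in line.split(sep, 1)]
        if len(parts) != 2:
            continue  # malformed line: skip rather than guess
        key, value = parts
        if first_wins:
            settings.setdefault(key, value)
        else:
            settings[key] = value
    return settings


def check_baseline(host: str, baseline: Dict[str, str], actual: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline directive that is missing or differs."""
    findings: List[Finding] = []
    for key, expected in baseline.items():
        got = actual.get(key)
        if got is None or got.lower() != expected.lower():
            findings.append(Finding(host, key, expected, got))
    return findings


# Constructed snapshots standing in for files pulled from an in-scope host.
SSHD_CONFIG_SNAPSHOT = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
"""

SYSCTL_SNAPSHOT = """\
# /etc/sysctl.d/99-hardening.conf (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
"""


def assess_host(host: str) -> List[Finding]:
    """Assess one host's snapshots against both baselines."""
    sshd = parse_settings(SSHD_CONFIG_SNAPSHOT, sep=None, first_wins=True)
    sysctl = parse_settings(SYSCTL_SNAPSHOT, sep="=", first_wins=False)
    return check_baseline(host, SSHD_BASELINE, sshd) + check_baseline(host, SYSCTL_BASELINE, sysctl)


def format_report(findings: List[Finding]) -> List[str]:
    """Render findings as lines for a non-compliance report to management."""
    lines: List[str] = []
    for f in findings:
        actual = "<missing>" if f.actual is None else f.actual
        lines.append(f"{f.host}: {f.setting} expected {f.expected!r}, found {actual!r}")
    return lines


if __name__ == "__main__":
    for line in format_report(assess_host("web01.example")):  # hypothetical host name
        print(line)
```

Against the constructed snapshots the sshd check flags PermitRootLogin, PasswordAuthentication (the first "yes" is the effective value) and the absent MaxAuthTries, and the sysctl check flags only net.ipv4.ip_forward, since the final accept_redirects line is the one sysctl applies. The duplicate-directive rules are the part worth keeping in mind when a host "has the right line in the file" but still fails the baseline.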


Table of Contents

Critical Business Information 4

Business Continuity and Disaster Recovery Planning (BCDRP) Personnel 5

Additional Personnel 6

Meeting Information 7

Potential Hazards 8

Critical Organizational Assets - Information Systems 9

Organizational Assets Matrix 10

Critical Organization Assets – Prioritization of Critical Applications and Data 11

Critical Organizational Assets – Personnel 12

Critical Organizational Assets – Facilities 13

Critical Organizational Assets – Equipment 14

Critical Organizational Assets – Other 15

Critical Operations 16

Critical Third Party Entities 19

Data Safety and Recovery Initiatives 24

Alternate Locations 28

Critical Recovery Location Supplies List 30

Miscellaneous Recovery Location Supplies List 34

Employees and Workforce Members Notification Procedures 35

Testing Procedures 36

Insurance Information 40

Appendix A: Emergency Mode Operation Plan 43

Appendix B: Testing and Revision Procedures 46

Appendix C: Applications and Data Criticality Analysis 49


Overview

Business Continuity and Disaster Recovery Planning (BCDRP) refers to an organization’s ability to effectively plan and recover from a disaster and/or unexpected event, ultimately resuming operations as necessary. While there are numerous terms and phrases that encompass the broader subject of BCDRP, with countless numbers of organizations, industry associations, and best practices advocated, they all essentially illustrate a consistent theme, which is properly planning for the unexpected and hoping to recover as quickly and comprehensively as possible.

A comprehensive BCDRP template should include, at a minimum, the following elements:

Critical Business Information
Business Continuity and Disaster Recovery Planning (BCDRP) Personnel
Additional Personnel
Meeting Information
Potential Hazards
Critical Organizational Assets - Information Systems
Organizational Assets Matrix
Critical Organization Assets – Prioritization of Critical Applications and Data
Critical Organizational Assets – Personnel
Critical Organizational Assets – Facilities
Critical Organizational Assets – Equipment
Critical Organizational Assets – Other
Critical Operations
Critical Third Party Entities
Data Recovery Initiatives
Alternate Locations
Critical Recovery Location Supplies List
Miscellaneous Recovery Location Supplies List
Employees and Workforce Members Notification Procedures
Testing Procedures
Insurance Information
Appendix A: Emergency Mode Operation Plan
Appendix B: Testing and Revision Procedures
Appendix C: Applications and Data Criticality Analysis


Critical Business Information

Primary Business Location | Secondary Business Location(s)
Business Name | Business Name
Street Address | Street Address
City, State, Zip Code | City, State, Zip Code
Telephone Number | Telephone Number

Primary Point of Contact | Secondary Point of Contact
Primary Emergency Contact | Secondary Emergency Contact
Telephone Number | Telephone Number
Alternate Telephone Number | Secondary Telephone Number
E-mail Address | E-mail Address

Emergency Contact Information
Non-emergency Police | Electricity Provider
Non-emergency Fire | Gas Provider
Insurance Provider | Water Provider
Other (e.g., equipment manufacturer) | Other (e.g., property management)
Other (e.g., Spill Clean-Up) | Other (e.g., property security)
Other (e.g., IT support contractor) | Other (e.g., bank agent)
Other | Other
Other | Other


Fraud Policy and Procedure Manual

About this Document

Congratulations, you have just received the most in-depth and comprehensive Fraud Policy and Procedure Manual available today, compliments of pcipolicyportal.com. Developed by industry leaders in the field of fraud detection and prevention, this document provides all the policy, procedural and other supporting documentation necessary for developing and implementing a comprehensive fraud program within your organization.

To make navigation easier, the headings in the Table of Contents are hyperlinked to their corresponding sections in the text. You can also avoid time-consuming reverse scrolling by pressing [ctrl + g + iii + enter] from any point to return to the Table of Contents page.

Every table throughout the document is a customizable template intended to be tailored to your purposes. Information italicized in red serves as an example to assist and give you ideas on how to successfully complete the various tasks.

TABLE OF CONTENTS

INTRODUCTION 1

Overview 1

DEFINITION OF FRAUD 3

EXAMPLES OF COMMON FRAUDULENT SCHEMES 4

Pyramid Schemes 4

Ponzi Schemes 4

Letter of Credit Fraud 4

Health Insurance Fraud 5

Credit Card Fraud 5

Occupational Fraud 5

Invoice and Billing Fraud 6

Identity Fraud 6

Telemarketing Fraud 6

Financial Correspondence Fraud (Nigeria) and Advanced Fee Fraud (AFF) 7

Bid Rigging 7

Phishing 7

Cashier's Check Fraud 8

Debt Elimination Fraud 8

Work-at-Home Employment Schemes 8

Tax Fraud 8

Securities Fraud 9

RESOURCES FOR UNDERSTANDING, IDENTIFYING AND REPORTING FRAUD 10

Overview 10

The National Check Card Fraud Center (http://ckfraud.org) 10

USA.gov (www.usa.gov) 10

Internal Revenue Service (www.irs.gov) 11

Econsumer.gov (www.econsumer.gov) 11

Treasurydirect.gov (www.treasurydirect.gov) 11

United States Government Accountability Office (GAO) (www.gao.gov/index.html) 11

The Federal Bureau of Investigation (www.fbi.gov) 12

Securities and Exchange Commission (www.sec.gov) 12

The United States Department of Labor | Occupational Safety and Health Administration (www.osha.gov) 12

The United States Department of Health and Human Services (www.hhs.gov) 13

United States Postal Inspection Service (https://postalinspectors.uspis.gov/) 13

The Federal Trade Commission (www.ftc.gov) 13

The United States Secret Service (http://www.secretservice.gov/) 14

The United States Department of Justice (http://www.justice.gov) 14

Internet Crime Complaint Center (www.ic3.gov) 14

The Federal Communications Commission (www.fcc.gov) 15

Association of Certified Fraud Examiners (www.acfe.com) 15

Association of Certified Fraud Specialists (www.acfsnet.org) 15

The Better Business Bureau (www.bbb.org) 15

National Consumers League Fraud Center (NCL) (www.fraud.org) 16

National White Collar Crime Center (www.nw3c.org) 16

Consumer Fraud Reporting (http://www.consumerfraudreporting.org/) 16

National Association of Attorneys General (NAAG) (www.naag.org) ....................................... 17 

RESOURCES FOR UNDERSTANDING, IDENTIFYING AND REPORTING FRAUD 

OUTSIDE THE UNITED STATES ................................................................................ 19 

Serious Fraud Office (SFO) | The United Kingdom (www.sfo.gov.uk/) ..................................... 19 

Reporting Economic Crimes Online (RECOL) | Canada (www.recol.ca/intro.aspx) .................. 19 

SCAMwatch | Australia (www.scamwatch.gov.au/content/index.phtml/tag/scamwatch/) ... 19 

South African Fraud Prevention Service (SAFPS) | South Africa (http://safps.org.za/) ............ 20 

Additional Resources for Understanding, Identifying and Reporting Fraud Outside the United States .................................. 20 

LAWS AND LEGISLATION CONCERNING FRAUD ..................................................... 21 

Overview .................................................................................................................................... 21 

Title 18 of the United States Code (Crimes and Criminal Procedures) ..................................... 21 

The Sarbanes‐Oxley Act of 2002 ................................................................................................ 21 

Section 302: ......................................................................................................................................................... 22 

Section 404: ......................................................................................................................................................... 22 

Section 802: ......................................................................................................................................................... 22 

Section 1107: ....................................................................................................................................................... 22 

Additional Resources for Laws and Legislation Concerning Fraud ...................................... 23 

TYPES OF FRAUD .................................................................................................... 24 

Overview .................................................................................................................................... 24 

Misappropriation of Assets ....................................................................................................... 25 

Payroll and Expense Reimbursement Schemes ................................................................................................... 25 

Billing and Invoice Schemes ................................................................................................................................. 26 

Register Disbursement Schemes ......................................................................................................................... 27 


Incident Response Plan & Policy and Procedures 

Title   [company name] Incident Response Policy and Procedures

Version   Version 1.0

Date   TBD

Language   English

Individual and/or Department Responsible for Distribution of Document   [company name] Information Technology Department

Individual and/or Department Responsible for Timely Update of Document   [name and title]

Developed by:   [company name]

Subject   Incident Response

Approval Date   TBD

Purpose of Document   To implement comprehensive Incident Response policies, procedures, and practices whereby all employees and other intended parties are readily aware of the organization's incident response policies.

Distribution of Document   Disbursed to all employees of [company name] and available by request to all other intended parties.

Summary of Changes from Prior Version to Current Version and any other Comments   TBD

Signature(s) of Final Approval   Name and Title ______________________   Signature ______________________
                                 Name and Title ______________________   Signature ______________________
                                 Name and Title ______________________   Signature ______________________

Overview  Data breaches, cyber security threats, and many other malicious exploits are challenging organizations like never before, ultimately requiring comprehensive security measures to help ensure the confidentiality, integrity, and availability of the entire information systems landscape. Unfortunately, security breaches do happen, even with the best controls in place, so the ability to respond swiftly and effectively is a must for limiting further damage. That is the main reason every organization should have a well-defined and in-depth incident response plan in place, complete with documented policies and procedures, along with the essential forms and templates to be used as necessary. A structured protocol is extremely important for incident response because it achieves the following:

• Responding immediately with best-of-breed information security practices.
• Isolating the affected systems as quickly as possible, helping minimize the threat to other critical system resources.
• Helping minimize system downtime, while restoring critical infrastructure to full operational capability as quickly as possible.
• Providing a "lessons learned" review for every incident, regardless of size, scale, complexity, and severity.

Comprehensive incident response measures require participation and involvement from everyone within [company name], from senior management all the way down to end users of systems, along with awareness of the following core components of incident response:

• Preparation
• Detection
• Initial Response and Containment
• Security Analysis | Recovery and Repair
• Communication
• Post Incident Activities and Awareness
• Training and Testing

In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal Incident Response policy and supporting procedures. This policy is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name]'s needs and goals.

Purpose  This policy and supporting procedures are designed to provide [company name] with a documented and formalized Incident Response policy that is to be adhered to and utilized throughout the organization at all times. Additionally, compliance with the stated policy and supporting procedures helps ensure the confidentiality, integrity, and availability (CIA) of [company name]'s system resources.

Scope  This policy and supporting procedures encompass all system resources that are owned, operated, maintained, and controlled by [company name] and all other system resources, both internal and external, that interact with these systems.

• Internal system resources are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and the underlying application(s) that reside on them) and any other system resources deemed in scope.

• External system resources are those owned, operated, maintained, and controlled by any entity other than [company name], but which may impact the confidentiality, integrity, and availability (CIA) and overall security of the "Internal system resources" described above.

• Note: While [company name] does not have the ability to actually provision, harden, secure, and deploy another organization's system resources, [company name] will follow due-diligence best practices by obtaining all relevant information to ensure that such systems are safe and secure.

Roles and Responsibilities  Implementing and adhering to organizational policies and procedures is a collaborative effort, requiring a true commitment from all personnel, including management, internal employees and users of system resources, along with vendors, contractors, and other relevant third parties. Additionally, by being aware of their roles and responsibilities as they pertain to [company name] information systems, all relevant parties help promote the Confidentiality, Integrity, and Availability (CIA) principles of information security in today's world of growing cybersecurity challenges.

• Management Commitment: Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The [CTO | CIO, or other designated title] is to report to other members of senior management on a regular basis regarding all aspects of the organization's information systems posture.

• Internal Employees and Users: Responsibilities include adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any [company name] system resources. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. End users, while undertaking day-to-day operations, may also notice issues that could impede the safety and security of [company name] system resources, and are to report such instances immediately to senior authorities.

• Vendors, Contractors, other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any such system components.

Risk Management Policy and Procedures

Title [company name] Risk Management Policy and Procedures

Version Version 1.0

Date TBD

Language English

Individual and/or Department Responsible for Distribution of Document

[company name] Information Technology Department

Individual and/ or Department Responsible for Timely Update of Document

[name and title]

Developed by: [company name]

Subject Risk Management

Approval Date TBD

Purpose of Document To implement comprehensive risk management policies, procedures, and practices whereby all employees and other intended parties are readily aware of the organization's risk management initiatives.

Distribution of Document Disbursed to all employees of [company name] and available by request to all other intended parties.

Overview The concept of risk management, which includes the process of performing a risk assessment, has quickly become one of the most notable topics in today's growing world of regulatory compliance. Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers of the risk management hierarchy: the organization level, the mission/business process level, and the information system level. Because risk management is ongoing, risk assessments are conducted throughout the system development life cycle, from pre-system acquisition (i.e., material solution analysis and technology development), through system acquisition (i.e., engineering/manufacturing development and production/deployment), and on into sustainment (i.e., operations/support). An actual risk assessment is therefore one of the fundamental components of an organizational risk management process.

The purpose of a risk assessment is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring).

Source: National Institute of Standards and Technology, SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, http://csrc.nist.gov/publications/PubsSPs.html#SP 800

Purpose This policy and supporting procedures are designed to provide [company name] with a documented and formalized risk management & risk assessment policy that is to be adhered to and utilized throughout the organization at all times. Additionally, compliance with the stated policy and supporting procedures helps ensure the confidentiality, integrity, and availability (CIA) of [company name]’s system resources.

Scope This policy and supporting procedures encompass all system resources that are owned, operated, maintained, and controlled by [company name] and all other system resources, both internal and external, that interact with these systems.

• Internal system resources are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and the underlying application(s) that reside on them) and any other system resources deemed in scope.

• External system resources are those owned, operated, maintained, and controlled by any entity other than [company name], but for which such external resources may impact the confidentiality, integrity, and availability (CIA) and overall security of the aforementioned description of "Internal system resources".

• Note: While [company name] does not have the ability to actually provision, harden, secure, and deploy another organization’s system resources, [company name] will follow due-diligence best practices by obtaining all relevant information ensuring that such systems are safe and secure.


• Scope: Yet another critical component of any risk assessment is scope: defining the boundaries of the risk assessment itself and determining which people, policies, procedures, processes, systems, and other supporting elements will be included. While some organizations may focus primarily on one or a few elements of risk, other entities may be much broader in scope, including most, if not all, elements of risk, such as financial, social, technology, and third-party risks, to name a select few. The size of the scope is a large determining factor in the speed, efficiency, and overall time commitment needed for any credible risk assessment process. Additionally, the results of any given risk assessment have a finite life, so it is important to assess how current the results are when making decisions based on the findings.

Elements of Risk One of the biggest considerations in assessing risk within an organization is identifying which of the numerous risk elements to include within scope. More specifically, entities have the option of choosing from the following risk elements:

• Information Technology & Information Security Risk(s): These are risks arising from any number of information technology and information security issues, such as inadequate I.T. resources (hardware and software) along with a lack of manpower. Additionally, risks can arise from abuse and misuse of information technology resources, while data breaches and security compromises can occur because of improperly designed networks and little to no information security policies and procedures. Other serious information technology risks include not correctly provisioning and hardening critical system resources and failing to implement "defense in depth" and layered security controls.

• PII & PHI Risk(s): These are risks that arise from failing to ensure the confidentiality, integrity, and availability of Personally Identifiable Information (PII). In today's growing world of cyber security threats and ever-increasing reliance on information systems, the safety and security of PII is now more important than ever. A common risk is for an organization to fall out of compliance regarding the safety and security of PII, for example by exposing such information to unauthorized parties through an attack by malicious hackers that exploited weak passwords used to access systems. PII is a large risk for many financial services and consumer services companies, especially those having to comply with mandates such as the Gramm-Leach-Bliley Act (GLBA) and other regulatory measures. Furthermore, while considered a subset of the broader domain of PII, Protected Health Information (PHI) has gained much attention due in large part to the continued growth and awareness of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. More specifically, Covered Entities (CE) and Business Associates (BA) face tremendous risks arising from the failure to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). Large fines loom for data breaches of PHI, so it is critically important that healthcare organizations put in place comprehensive measures for protecting such information.

• Cardholder Data Risk(s): These are risks that arise from failing to ensure the confidentiality, integrity, and availability of cardholder data in accordance with the Payment Card Industry Data Security Standards (PCI DSS). In today's growing world of cyber security threats and ever-increasing reliance on information systems, the safety and security of cardholder data is now more important than ever.

• Determine the Likelihood: Simply stated, the likelihood is the probability, and frequency, that the event would actually occur. In more technical terms, the NIST publication SP 800-30, Guide for Conducting Risk Assessments, defines it as "…a weighted risk factor based on an analysis of a probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities)." Additionally, it is important to note that likelihood is expressed relative to a stated time period, i.e., the probability that the event occurs within that period. As for assigning the various degrees of likelihood, the following scale is best practice:

  o 0: No Event: The event and associated threat are simply Not Applicable (N/A) to the control environment.
  o 1: Unlikely: Rare degree of probability that the event will occur within the stated time period.
  o 2: Possible: Moderate degree of probability that the event will occur within the stated time period.
  o 3: Likely: High degree of probability that the event will occur within the stated time period.
  o 4: Very Likely: Very high degree of probability that the event will occur within the stated time period.
  o 5: Event will Undoubtedly Occur: Complete certainty that the event will occur within the stated time period.

• Determine the Impact: The impact can best be stated as the harm done to the organization. More specifically, the United States Federal Information Processing Standards Publication 199 (FIPS PUB 199), "Standards for Security Categorization of Federal Information and Information Systems", defines the following three (3) potential impact levels, each of which is applied to each of the CIA objectives (confidentiality, integrity, and availability):

  o Impact: LOW - The unauthorized disclosure, modification, destruction, deletion, or removal of information, or the disruption of access to information, results in a LIMITED adverse effect on the organization.
  o Impact: MODERATE - The unauthorized disclosure, modification, destruction, deletion, or removal of information, or the disruption of access to information, results in a SERIOUS adverse effect on the organization.
  o Impact: HIGH - The unauthorized disclosure, modification, destruction, deletion, or removal of information, or the disruption of access to information, results in a SEVERE or CATASTROPHIC adverse effect on the organization.

Thus, using the aforementioned three (3) levels as a baseline minimum for assessing the impact on the organization is a necessity for a proper risk assessment.

• Determine Current Overall Risk Rating | Level of Risk: The overall risk rating and level of risk is a direct reflection of the likelihood that the event would occur and the impact that it would have. Expressed as a matrix, the overall risk rating and level of risk is as follows:

OVERALL RISK RATING | LEVEL OF RISK

Likelihood                      Impact: Low      Impact: Moderate   Impact: High
Event will Undoubtedly Occur    Medium Risk      High Risk          High Risk
Very Likely                     Medium Risk      High Risk          High Risk
Likely                          Medium Risk      Medium Risk        High Risk
Possible                        Low Risk         Medium Risk        High Risk
Unlikely                        Low Risk         Low Risk           Medium Risk
No Event                        Low Risk         Low Risk           Low Risk
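Worked example of the likelihood scale, the FIPS 199 impact levels and the matrix above, added here as an illustration and not part of the policy template: a small Python risk-register evaluator that validates the 0 to 5 likelihood score, derives a finding's overall impact from its impact level per CIA objective, reads the rating off the matrix, checks that the matrix itself is monotonic (a rating never drops as likelihood or impact rises), and orders a register highest risk first. Two things are assumptions not stated on the page: that each finding carries a separate impact level for confidentiality, integrity and availability, with the highest of the three used against the matrix, and the sample register entries, which are constructed for the example.

```python
"""Risk rating evaluator for the likelihood x impact matrix in the policy.

Added example, not part of the policy template. Assumptions not stated on the
page: a finding carries a separate FIPS 199 impact level for each CIA objective
and the highest of the three is the impact used against the matrix; the
register entries at the bottom are constructed sample data.
"""
from dataclasses import dataclass

# Likelihood scale from the policy (0..5).
LIKELIHOOD = {
    0: "No Event",
    1: "Unlikely",
    2: "Possible",
    3: "Likely",
    4: "Very Likely",
    5: "Event will Undoubtedly Occur",
}

# FIPS 199 potential impact levels, ordered low -> high.
IMPACT = ("Low", "Moderate", "High")

# The policy's matrix: RISK_MATRIX[likelihood][impact] -> overall rating.
RISK_MATRIX = {
    5: {"Low": "Medium", "Moderate": "High",   "High": "High"},
    4: {"Low": "Medium", "Moderate": "High",   "High": "High"},
    3: {"Low": "Medium", "Moderate": "Medium", "High": "High"},
    2: {"Low": "Low",    "Moderate": "Medium", "High": "High"},
    1: {"Low": "Low",    "Moderate": "Low",    "High": "Medium"},
    0: {"Low": "Low",    "Moderate": "Low",    "High": "Low"},
}

RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int          # 0..5 per the scale above
    confidentiality: str     # FIPS 199 level if confidentiality is lost
    integrity: str           # FIPS 199 level if integrity is lost
    availability: str        # FIPS 199 level if availability is lost


def overall_impact(f: Finding) -> str:
    """Highest impact across the three CIA objectives (assumed rule, see above)."""
    levels = (f.confidentiality, f.integrity, f.availability)
    for lvl in levels:
        if lvl not in IMPACT:
            raise ValueError(f"{f.name}: unknown impact level {lvl!r}")
    return max(levels, key=IMPACT.index)


def risk_rating(f: Finding) -> str:
    """Read the overall rating off the policy matrix, rejecting out-of-scale scores."""
    if f.likelihood not in LIKELIHOOD:
        raise ValueError(f"{f.name}: likelihood must be 0..5, got {f.likelihood}")
    return RISK_MATRIX[f.likelihood][overall_impact(f)]


def matrix_is_monotonic(matrix=RISK_MATRIX) -> bool:
    """Sanity check: the rating never drops as likelihood or impact increases."""
    for lk in range(0, 5):
        for i, imp in enumerate(IMPACT):
            here = RATING_ORDER[matrix[lk][imp]]
            if RATING_ORDER[matrix[lk + 1][imp]] < here:
                return False
            if i + 1 < len(IMPACT) and RATING_ORDER[matrix[lk][IMPACT[i + 1]]] < here:
                return False
    return True


def prioritize(findings):
    """Rate every finding; return (name, rating) highest risk first, ties by likelihood."""
    rated = [(f, risk_rating(f)) for f in findings]
    rated.sort(key=lambda fr: (RATING_ORDER[fr[1]], fr[0].likelihood), reverse=True)
    return [(f.name, r) for f, r in rated]


# Constructed sample register (illustrative only, not real findings).
SAMPLE_REGISTER = [
    Finding("Shared admin password on edge firewall", 3, "High", "High", "Moderate"),
    Finding("Unpatched co-location KVM console", 2, "Moderate", "Moderate", "Low"),
    Finding("Single ISP uplink to card-processing segment", 4, "Low", "Low", "High"),
    Finding("Legacy fax line, no cardholder data", 1, "Low", "Low", "Low"),
]

if __name__ == "__main__":
    assert matrix_is_monotonic(), "policy matrix is internally inconsistent"
    for name, rating in prioritize(SAMPLE_REGISTER):
        print(f"{rating:<6} {name}")
```

Running the script prints the constructed register in priority order. `matrix_is_monotonic` is worth keeping if the matrix is ever tuned: an edit that makes "Possible / High" rate lower than "Possible / Moderate" is exactly the kind of inconsistency an assessor will question, and the check catches it before the matrix is published.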


PCI DSS Requirement 12.8 Third Party Service Provider Monitoring Packet

Requirement 12.8 is an important mandate for PCI DSS compliance considering today's continued growth of outsourcing and reliance on other companies for various products and service offerings. It is therefore essential that merchants and service providers have in place comprehensive initiatives covering initial due-diligence measures and continued oversight of the services provided by various third parties. The comprehensive Third-Party Service Provider Monitoring Packet provided by pcipolicyportal.com contains the following documentation:

1. Management of Service Providers Policy and Procedures
2. Written agreement and contract to be used between your organization and service providers who either store, process, and/or transmit cardholder data on your behalf, or could impact the security of the customer's cardholder data environment.
3. Information Security Due-Diligence Checklist (Excel Spreadsheet) to be used for specific service providers prior to engagement.
4. Annual PCI DSS Monitoring Program Checklist to be used for comprehensively monitoring service providers on an annual basis.
5. PCI DSS Responsibilities Control Matrix to be used for determining compliance responsibilities between you and your service providers.

Requirement 12.8
Management of Service Providers Policy and Procedures

12.8 Overview In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company name] has established a formal policy and supporting procedures concerning management of service providers. This policy is to be implemented immediately. It will be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name]'s needs and goals.

12.8 Policy [Company name] will ensure that the Management of Service Providers policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures, Version 3.2):

• A current and accurate list of service providers is to be maintained, complete with a description of the service provided and the contact information of all relevant personnel (12.8.1).
• For any services engaged with service providers that may affect or have a relationship or function associated with [company name]'s cardholder data environment, the written agreement shall include an acknowledgement by the service providers of their responsibility for securing cardholder data (12.8.2).
• Due diligence must be exercised before engaging with any service providers that may affect or have a relationship or function associated with [company name]'s cardholder data environment (12.8.3).

12.8 Procedure [Company name] has developed and implemented a comprehensive Management of Service Providers program, which encompasses the categories and supporting activities listed below. These policy directives will be fully enforced by [company name] to ensure that the management of service providers initiatives are executed in a formal manner and on a consistent basis.

TABLE 12.8: LIST OF SERVICE PROVIDERS

Columns: (1) Name of Service Provider | (2) Primary Function | (3) Name and Contact Information of Service Provider Personnel | (4) Due Diligence Conducted on Service Provider | (5) Contractual Documentation and Written Agreements in Place | (6) Program Used for Monitoring Service Provider Compliance

Example row:
(1) ABC Data Center
(2) Co-location and rack space
(3) Tom Anderson, [email protected] and Mike Allen, [email protected]
(4) Dun and Bradstreet credit check conducted and verification of business license
(5) Master Service Agreement (MSA), Statement of Work (SOW) and signed agreement regarding PCI DSS compliance
(6) Service provider is responsible for providing annual PCI certification to us, along with answering annual general security questionnaires.

Remaining rows (one per service provider, to be completed):
(1) ________ | (2) ________ | (3) ________ | (4) ________ | (5) ________ | (6) ________
(1) ________ | (2) ________ | (3) ________ | (4) ________ | (5) ________ | (6) ________
(1) ________ | (2) ________ | (3) ________ | (4) ________ | (5) ________ | (6) ________
(1) ________ | (2) ________ | (3) ________ | (4) ________ | (5) ________ | (6) ________

12.8 Responsibility for Policy Maintenance  The [title of responsible party] is responsible for ensuring that the aforementioned policy is kept current as needed for purposes of compliance with the Payment Card Industry Data Security Standards (PCI DSS) initiatives.

Vendor Management Policy and Procedures

Title [company name] Vendor Management Policy and Procedures

Version Version 1.0

Date TBD

Language English

Individual and/or Department Responsible for Distribution of Document

[company name] Information Technology Department

Individual and/ or Department Responsible for Timely Update of Document

[name and title]

Developed by: [company name]

Subject Vendor Management

Approval Date TBD

Purpose of Document To implement comprehensive vendor management policies, procedures, and practices whereby all employees and other intended parties are readily aware of the organization’s vendor management initiatives.

Distribution of Document Disbursed to all employees of [company name] and available by request to all other intended parties.


General Overview

With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today’s business world. Vendor management principles have been around for many years as common due diligence practices constituted a normal part of business for any entity relying on another for services. The banking community has utilized vendor management principles for many years, as the FDIC Compliance Examination Manual states that,

“The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

-Source: fdic.gov

Proper vendor management means conducting extensive due diligence in vendor selection, assessing current vendors with regards to minimum requirements, reviewing all necessary contractual documentation, along with numerous continuous monitoring activities and management oversight. What’s brought about increased focus on vendor management is the growth in information technology and the need for properly monitoring an organization’s growing list of third-party providers. Using the baseline parameters for vendor management developed by the banking industry, while also including provisions relating to information technology, results in a comprehensive vendor management policy and procedures document listed below.


Vendor Management Policy and Procedures

Overview In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal Vendor Management policy and supporting procedures. This policy is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name]'s needs and goals.

Purpose This policy and supporting procedures are designed to provide [company name] with a documented and formalized Vendor Management policy that is to be adhered to and utilized throughout the organization at all times. Compliance with the stated policy and supporting procedures helps ensure the safety and security of [company name] system resources.

Today’s increased use of outsourcing to various third-parties has created a true need for monitoring such entities for baseline compliance measures with regards to [company name]’s minimally accepted standards for security. Specifically, all outsourced processes, procedures, and practices relevant to [company name]’s business are to be monitored on a regular basis, which includes undertaking various measures on all third-parties providing critical services. The subsequent policies and procedures relating to vendor management initiatives for [company name] strive to ensure the overall confidentiality, integrity, and availability (CIA) of the organization’s network.

Scope This policy and supporting procedures encompasses all system resources that are owned, operated, maintained, and controlled by [company name] and all other system resources, both internally and externally, that interact with these systems.

• Internal system resources are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system resources deemed in scope.

• External system resources are those owned, operated, maintained, and controlled by any entity other than [company name], but which may nonetheless impact the confidentiality, integrity, and availability (CIA) and overall security of the "Internal system resources" described above.

• When referencing the term “users”, this includes any individual that has been granted access rights by [company name] to various system resources and has gone through all required provisioning steps. Users typically include, but may not be limited to, the following: employees, consultants, vendors, contractors, along with local, state, and federal personnel.

• For purposes of this policy, vendor management is defined as the following: The policies, procedures and related processes undertaken for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.

• Additionally, the terms “vendors”, “third-party”, “third-parties”, “outsourcers”, “organizations”, and any variant thereof are defined as entities providing outsourcing services to [company name].

Policy

[Company name] is to ensure that the vendor management policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:

Elements of Risk

When using the services of various third-party outsourcing entities, a certain element of risk arises as responsibilities for critical initiatives are now in the hands of another organization. It’s important to understand these risks, what they are, and how [company name] can readily identify any issues, concerns, or constraints pertaining to these risks. Failure to mitigate and prevent these risks can result in significant financial loss, legal issues, and public opinion misconceptions, ultimately damaging the organization. As such, the following risks are to be thoroughly understood and assessed in regards to business and contractual relationships entered into with various third-parties:

• Compliance Risk: These are risks arising from violations of applicable laws, rules, and regulatory mandates, along with other issues, such as non-compliance with internal operational, business-specific, and information security policies, procedures, and processes. A common example would be for an outsourced organization to violate compliance regarding the safety and security of Personally Identifiable Information (PII), such as having exposed such information to unauthorized parties, not having policies and procedures in place protecting PII, or not undergoing required annual compliance audits (e.g., SSAE 16). Regulatory compliance is a large and critically important component of vendor management, requiring constant monitoring and oversight of third-parties for ultimately ensuring the safety and security of services being provided to [company name] by such entities. Common compliance initiatives that third-parties are to adhere to include numerous laws, legislative mandates, and industry-specific requirements, including, but not limited to, the following: Sarbanes-Oxley, HIPAA, HITECH, SOC 1 SSAE 16, SOC 2 and SOC 3 AT 101, GLBA, PCI DSS, and many others.

• Reputation Risk: These are risks arising from negative public perception and opinion of a third-party outsourcing entity for almost any imaginable reason, such as unethical business practices, data breaches resulting in loss of sensitive and confidential consumer information (e.g., Personally Identifiable Information, or PII), investigations from regulators into questionable business practices, etc. It’s important to note that in today’s world of transparency and close media scrutiny, any perceived negative public opinion of a third party being utilized by [company name] ultimately affects the reputation of this organization. Social media and the many non-traditional media outlets that have risen alongside it can spread a story, going “viral”, in literally minutes.

• Strategic Risk: These are risks arising from third-parties failing to implement business initiatives that align with the overall goals and ideas of [company name], such as not offering services that provide an acceptable return on investment, both short term and long term. Ultimately, when the long term strategic vision of both [company name] and the applicable third-party outsourcing entities do not align, relevant risks begin to surface which can significantly impact the business relationship, often in a negative manner.


Security Awareness & Training Employee Quiz

Listed below are a series of questions aimed at helping all employees, and other applicable personnel, gain a greater understanding of critical information security issues, threats, challenges – and best practices – in today’s world of information technology. With more functions being performed electronically than ever before, now’s the time to start training employees and workforce members on the broader subject of information security, ultimately helping ensure the safety and security of critical organizational assets. The questions below consist of a mixture of True | False, multiple choice, and fill-in-the-blank and cover a wide variety of general – and specific – information security subject matter.


[Company Name] PCI DSS Security Awareness Training Program 1

PCI Security Awareness Training Program Manual


PCI Security Awareness Training Program Manual

Table of Contents

The Importance of Security Awareness Training 6
Data Security Breaches 7
What is Information Security? 9
Roles and Responsibilities 10
Information Security Solutions 15
Defense-in-Depth 16
Layered Security 17
Cyber Security 18
Cloud Computing 19
12 PCI DSS Requirements and their Relation to Security Awareness 21
The Payment Card Industry Data Security Standards Council 30
The Importance of PCI Compliance 31
Cardholder Data 32
FERPA 35
FACTA 35
Red Flags Rule 36
HIPAA 37
HITECH 39
GLBA 41
Other Regulations 43
Security Awareness Topics 44
Account Security and Access Rights 45
Malware 46
Security Updates 47
Clean Desk Policy 48
Workstation Security 49
Laptop Security 52
Software Licensing and Usage 54
Internal Threats 56
Physical Security and Environmental Security 58
Incident Response 60
Personally Identifiable Information (PII) 61
Protecting Information (Hard-Copy) 64
Protecting Information (Electronic Format) 66
Data Retention 69
Identity Theft 71
Online Security and Mobile Computing 73
Shopping Online 76
Securing Your Home Network 78
Protecting your Children Online 81
Security Tips for Travelling 84
Other Important Security Awareness Considerations and Top Internet Scams 87
If you see something, say something – Immediately 96
Top 20 Security Considerations for I.T. Personnel 97
Security Awareness Resources 108


Overview

Compliance with the Payment Card Industry Data Security Standards (PCI DSS) requires organizations to implement a security awareness training program for all employees and other related third-party users for purposes of better understanding information security as a whole, and its applicability to cardholder data. The use of information technology is extremely widespread in today's society, ushering in unprecedented levels of cost-effectiveness and efficiency. Yet with great benefits also come great challenges, particularly when it comes to ensuring the confidentiality, integrity, and availability (CIA) of critical system components storing, processing and/or transferring sensitive and confidential information, such as cardholder data, Personally Identifiable Information (PII), and other important assets. It's imperative that all employees within [company name] and other in-scope users have a strong understanding of information security, such as being aware of dangers and challenges, while also being responsive in helping combat such threats and challenges with appropriate measures.

Security awareness is about effectively designing, developing, implementing, and maintaining an enterprise-wide program from which all employees can benefit, one that implements the core components of Awareness, Training, and Education. Specifically, "Awareness" in that numerous measures are initiated and implemented for keeping all employees knowledgeable regarding threats, responses and solutions to security issues affecting an organization. "Training" in that material is researched, developed and subsequently utilized for educating employees on all aspects of security awareness. And lastly, "Education" in that adequate measures are undertaken for ensuring continuing education on security awareness is provided to all employees on a routine basis – whatever that may be – quarterly, annually, etc. It must be stressed that security awareness training is dynamic in nature, changing as needed to meet the growing threats facing today’s organizations.


The subsequent documentation found herein is [company name]'s formal security awareness training program covering both general, best-of-breed practices for information security, along with specific measures relating to the safety and security of any cardholder data being stored, processed, and transmitted. Users are required to read the entire document annually, keep an electronic or hard-copy form readily available for referencing, along with signing and returning the acknowledgement form on the last page to authorized personnel at [company name]. You’ll hear the following phrase repeated a number of times throughout this document - “if you see something, say something”, which is the Department of Homeland Security's (DHS) motto for reporting suspicious activity – a motto that you should strive to adhere to at all times.

Goals

There are many challenges when it comes to security awareness training for today's organizations, such as time constraints, lack of interest by end-users, breaking from traditional practices, along with numerous other issues. As such, the [company name] security awareness training program seeks to successfully achieve the following goals:

• Provide a comprehensive, yet easy-to-understand and engaging training program.

• Offer in-depth educational resources regarding many of today's most critically important security issues.

• Deliver a clear and concise message as to what security awareness is, why it's important, what it entails, and many other applicable issues.

• Enhance end-user skills, knowledge and overall awareness regarding information security.

• Encourage best practices for information security, while also fundamentally changing the way employees regard the need for security awareness provisions.

• Finally, make security awareness a true part of the organization's fabric, one that requires a commitment by all employees for ultimately helping ensure the safety and security of [company name]'s critical system components.


1. If an incident arises that is a threat to the organization, and ultimately to the safety and security of confidential and sensitive information, employees are advised to:
a. Immediately contact the authorities as the very first step.
b. Exert patience and wait until you know the threat is actually real as perceived threats or false alarms can be financially and operationally expensive and time consuming for businesses.
c. Inform all customers, instructing them to shut down their networks and wait until further instructions from authorized personnel.
d. Follow standard procedures as put forth by your organization, which generally begins with contacting select personnel in I.T., allowing them to assess the situation and take all necessary action immediately.

Answer:

2. It’s ok to access another employee’s workstation, as long as they’ve given you permission and you effectively log off and shut down their computer when finished.
a. True.
b. False.

Answer:

3. When sending and receiving confidential and sensitive information, the following is deemed highly critical:
a. Ensure that the subject line in your email always details the exact nature for sending such information.
b. Always implement procedures to guard against unauthorized access to such information, such as encrypting data.
c. Use fax machines when possible, as fax lines, though older in technology, cannot be intercepted by malicious hackers.
d. All of the above.

Answer:

4. It is acceptable to send confidential and sensitive information over unencrypted channels, such as email, as long as you have verified that the recipient is the intended party of the information, and not a fraudulent individual.
a. True.
b. False.

Answer:

5. For confidential and sensitive information to be safe and secure, organizations should strive at all times to ensure the following well-known information security principles are being met:
a. Confidentiality, Integrity, and Authenticity.
b. Confidentiality, Incident Awareness, and Availability.
c. Confidentiality, Integrity, and Appropriateness.
d. Confidentiality, Integrity, and Availability.

Answer:


6. Anti-virus must always be installed, active, and running on any computer you are using, especially if you are going to be working with confidential and sensitive information, such as Personally Identifiable Information (PII).
a. True.
b. False.

Answer:

7. Best practices for workstation security include which of the following:
a. Using strong passwords.
b. Not altering security settings on your computer.
c. Not installing any unapproved software.
d. Not using removable storage devices when working with confidential and sensitive information.
e. All of the above.

Answer:

8. PHI stands for:
a. Protected Health Insurance.
b. Personal Health Information.
c. Protected Health Informatics.
d. Protected Health Information.

9. PII stands for:
a. Personally Identifiable Insurance.
b. Personally Identity Insurance.
c. Personally Identifiable Information.
d. Protected Identifiable Information.

Answer:

10. Updating your Internet browsers (Internet Explorer, Mozilla, Google Chrome, etc.) is extremely important for ensuring all web pages display correctly, security holes are not still present, and all performance features are maximized.
a. True.
b. False.

Answer:

11. Hackers can create malicious files and other executables that can exploit Portable Document Format (PDF) protocol software, therefore it's important to click "yes" when Adobe software asks if you want to make security updates.
a. True.
b. False.

Answer:
