Security Management
IT Risk Assessment Report and Template Toolkit
Download Free IT Risk Assessment Report and Template Toolkit

These templates include a Risk Register and IT Controls for selected risk criteria. The Risk Assessment Matrix has the following columns:
- Vulnerability
- Threat
- Risk
- Risk Summary
- Risk Likelihood Rating
- Risk Impact Rating
- Overall Risk Rating
- Analysis of Relevant Controls and Other Factors
- Recommendations
Download Free IT Risk Assessment Templates

This free IT Risk Assessment template is created using the NIST SP 800-30 standard, Risk Management Guide for Information Technology Systems. It covers the basic steps of an IT risk assessment, including: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination,
Download IT General Control (ITGC) Audit Program Template

So what is the simplest approach to ITGC? Should we check every change and modification in our applications and infrastructure, or should we focus only on the significant ones? The simplest approach is to use the minimum requirements set by government regulation. Here is a sample ITGC scope based on Sarbanes-Oxley Section 404:
Program Development / Program Change
- Acquire or develop application software: The organization's system development life cycle (SDLC) includes the security, availability and processing integrity requirements of the organization.
- Acquire or develop application software: An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives.
Logical Access
- Ensure systems security: An information security policy exists and has been approved by an appropriate level of executive management.
Data Retention Policy Free Download
The organization is subject to data retention requirements resulting from a mix of legal, industry, and business mandates. These data retention requirements govern the storage of the organization's information, records, and data. Regulations dictate that different data types be stored for specific periods. They also dictate the media storage format that must be used to store specific data types.
The organization's Data Retention Policy exists to ensure all organization information, records, and data are retained and stored in compliance with legal, industry, and business regulations. It includes a policy you can customize to meet your needs as well as a risk assessment spreadsheet you can use to judge just how much your organization is at risk by not having this policy in place.
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security
These guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a "culture of security" - that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.
What is Generally Accepted System Security Principles (GASSP/GSSP)?
Generally Accepted System Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.
GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.
GAAP versus GASSP?
Download Security Management And Risk Tracking 3.0.3, Free Security Management Application

Whether you are an Information Systems Auditor, a Security Analyst or even a Chief Information Officer, at some level of management you will need this free Security Management Application. Security Management And Risk Tracking is a web-based application for managing an information security practice. It is a comprehensive solution that enables a corporation to manage:
· Information security policy
· Security policy exception handling
· Security Certification and Accreditation (SC&A)
· Issue tracking for security audit, pen testing, SOX, and so on
· Third party connection management
· Asset and vendor management
A number of other services are also included in this solution. This is an enterprise-ready application that greatly reduces the time and effort needed to manage a security practice.
Key Features
· Web-based user interface
OCS Inventory NG, Free Inventory Management tool for every auditor
Perhaps one of the biggest questions every internal IT auditor must answer concerns IT Inventory Management, and the next questions would be:
- Do we know which software and hardware components are installed on each computer?
- Are we able to deploy software or configuration scripts to our computers?
- Do we know all the devices connected to our IT network?
These questions are easy to answer if we use a proprietary solution such as Microsoft SMS or Novell; if we want to rely on open source, however, OCS Inventory NG is one of the best choices. OCS Inventory NG is an application designed to help a network or system administrator keep track of the configuration of the computers on the network and the software installed on them.
With this application, every question above can be answered within a short period of time. Why don't you try it?
What is End Point Security?
Since the massive adoption of information technology, the need for proper end point security has become one of the critical discussions in companies: how to manage end point security effectively.
End Point Security Definition:
- A strategy in which security software is distributed to end-user devices but centrally managed [searchsecurity.techtarget.com]
- An information security concept that basically means that each device (end-point) is responsible for its own security [wikipedia.com]
- An individual computer system or device that acts as a network client and serves as a workstation or personal computing device [endpointsecurity.org]
Examples of End Point Devices:
Laptops, PCs, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals
Anatomy of an Auditing System
An auditing system consists of three components: the logger, the analyzer, and the notifier. These components collect data, analyze it, and report the results.
1. Logger
Logging mechanisms record information. The type and quantity of information are dictated by system or program configuration parameters. The mechanisms may record information in binary or human-readable form or transmit it directly to an analysis mechanism (see Section 21.2.2). A log-viewing tool is usually provided if the logs are recorded in binary form, so a user can examine the raw data or manipulate it using text-processing tools.
EXAMPLE: Microsoft's Windows NT has three different sets of logs. The system event log contains records of events that Microsoft has determined warrant recording, such as system crashes, component failures, and other events. The application event log contains records that applications have added. These records are under the control of the applications. The security event log contains records corresponding to security-critical events such as logging in and out, system resource overuses, and accesses to system files. Only administrators can access the security event log.