information security management

SAS 70 Audit IT Control Objectives Toolkit

Download the free SAS 70 IT Control Objectives Toolkit. This Statement on Auditing Standards (SAS) No. 70 toolkit contains sample control objectives for Program Change Control, Access Control and Computer Operations Control, as described below:

Program Change Control
- Ensure that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures.
- Ensure that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures.
- Ensure that modifications to the production environment are tested prior to implementation and function consistently with documented policies and procedures.

NSA Certified Information Security Assessment Methodology (IAM)

The NSA Certified Information Security Assessment Methodology (NSA IAM) is an information security assessment methodology that baselines assessment activities. It breaks information security assessments into three phases: pre-assessment, on-site activities, and post-assessment. Each of these phases contains mandatory activities to ensure information security assessment consistency. It is important to note, however, that NSA IAM assessments consist of only documentation review, interviews, and observation. There is no testing done during an NSA IAM assessment. The NSA released the INFOSEC Evaluation Methodology to baseline testing activities.

I. Pre-assessment Phase
The purpose of the pre-assessment phase is to define customer requirements, set the assessment scope and determine assessment boundaries, gain an understanding of the criticality of the customer's information, and create the assessment plan. The NSA IAM measures both organizational information criticality and system information criticality. Organizational information consists of the information required to perform major business functions. System information is then identified by analyzing the information processed by the systems that support those major business functions.

On-Site Activities Phase

FISMA Security Monitoring Review Templates

FISMA Security Monitoring Review
1. IT Security Risk Identification
- What IT services are being provided to the organization related to cyber security or FISMA compliance (e.g., externally facing Internet systems, systems that have personally identifiable information (PII), etc.)?
- What are the organizational and IT units, and how are they managed (e.g., the centralized IT services group, an IT outsourcer, etc.)?
- What are the other relevant regulatory and contractual requirements for the organization process (e.g., HIPAA, NERC, interagency agreements, contractual service level agreements, the Freedom of Information Act (FOIA), etc.)?
- What technologies and IT processes are being used for an in-scope asset (e.g., Microsoft Windows Server, Sun Solaris, Oracle, Microsoft SQL Server, etc.)?
- Are there any high-level risk indicators from the past to be aware of (e.g., repeat audit findings, frequent outages, etc.)?

Download free SysTrust Audit Report Templates

With a SysTrust examination, there is an auditor's opinion. In addition, the service provider supplies a management assertion and a system description, which are attached to the auditor's opinion to form the SysTrust reporting package. Optionally, the reporting package can also include a schedule of the controls the service provider has implemented to address the Trust Services criteria.

SysTrust Auditor’s Opinion

To the Management of XYZ Service Provider, Inc.:

Microsoft Payment Card Industry Data Security Standard Compliance (PCI DSS) Requirements Matrix Template

Download the free Microsoft Payment Card Industry Data Security Standard Compliance (PCI DSS) Requirements Matrix Template.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Risk Assessment; Network Security

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Network Security

Requirement 3: Protect stored cardholder data.
Document Management; Risk Assessment; Data Classification and Protection

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Risk Assessment; Messaging and Collaboration; Data Classification and Protection; Network Security
