INFORMATION SECURITY AUDIT REPORT - UNIVERSITY OF FLORIDA HEALTH SCIENCE CENTER
INFORMATION SECURITY AUDIT REPORT
BLUE TEAM
NIKITA K. KOTHARI
JIGISHAARYYA
ZDENEK R. JAKS
ABSTRACT
This report gives an analysis of the policy and offers proposals to improve the security the
policy provides. In summary, the policy reduces security breaches and makes the system more
secure by using accounts and passwords for access control. It protects the data of the user and
of the organization because only individuals with accounts and passwords in the organization
can log in and access the data. The policy helps in setting the privileges of users based on their
authorization level. It was found that the password length and the complexity of passwords
varied for different users, which helped in setting their authorization level.
A review of the standard policy "User Account and Password Management" and the standard
policy "Password Complexity" was completed. The standard policy was then compared with the
University of Florida policy, and improvements that could be made to the current UF policy were
identified. Proposals include:
● Improve accessibility for users by allowing them to log in on multiple platforms at the same time.
● Improve security by having users change their passwords often.
● Improve security by requiring users with more authorization to go through a larger number of
steps, as opposed to simply making them use a longer or more complex password.
● Improve security by frequently reviewing policies and making updates.
In short, the policy ensures security of access.
EXECUTIVE SUMMARY
A policy review was performed for the University of Florida Health Care Information Security
Department. The policy that was evaluated was the User Account and Password Management
policy under the Technical Security category. The purpose of the review is to improve the
policy that the University of Florida (UF) uses for its User Accounts and Password Management.
Here is the list of goals that should be covered:
● Improve password strength.
● Assign distinct roles to users.
● Assign privileges to users based on their roles.
● Use the policy standard to further improve the current policy.
This review will give a comparison of the present policy with the standards. Failure to
recognize and implement the recommendations of the review can lead to breaches of sensitive
information.
#    BS ISO IEC 17799:2005 Section                                   Level of Compliance
1.   Security Policy                                                 Compliant
2.   Organization of Information Security                            Compliant
3.   Asset Management                                                Compliant
4.   Human Resources Security                                        Compliant
5.   Physical and Environmental Security                             Compliant
6.   Communications and Operations Management                        Partially compliant
7.   Access Control                                                  Partially compliant
8.   Information Systems Acquisition, Development and Maintenance    Compliant
9.   Information Security Incident Management                        Compliant
10.  Business Continuity Management                                  Partially compliant
11.  Compliance                                                      Compliant
BACKGROUND
USER ACCOUNT AND PASSWORD MANAGEMENT
PURPOSE:
To establish a standard for user account and password management. User authentication is a
means to control who has access to an IT resource. Access gained by an unauthorized entity can
result in loss of data confidentiality, integrity and availability. This may result in loss of
revenue, liability, loss of trust, or it can cause embarrassment to HSC. Here is the list of
standards that should always be followed.
1. Accounts and passwords must not be shared.
2. Restricted or sensitive data must have an automatic log-off feature.
3. Unnecessary pre-configured or default accounts must be removed or changed.
4. Passwords for required default accounts must be changed before connecting the system to the
network.
5. For situations involving the use of passwords as an authentication mechanism, UFHSC units
must adopt a password scheme reflective of the nature of the data or data resource accessed.
6. Stored passwords shall be encrypted or otherwise safeguarded with a non-reversible hash or
another comparable mechanism.
7. Users must not bypass password entry with auto logon, use of applications that remember
passwords, embedded scripts, or hard-coded passwords in client software.
PASSWORD COMPLEXITY
PURPOSE:
To determine if the proper requirements were met in the complexity of new and in-use
passwords.
1. Password construction attributes for each password policy level are chosen to achieve the
specified minimum entropy.
2. Password rules require the inclusion of 3 of the following 4 character sets: lowercase
letters, uppercase letters, numerals and special characters.
3. For all policy levels, the selection of a passphrase of at least 18 characters removes the
password composition rules and the dictionary check. Passphrases are subject to minimal
tests to prevent the use of common or trivial phrases.
4. Multi-Factor Authentication (MFA) may be offered for use with policy levels P3-P5, and is
required for P6.
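The following checker is an added example (not code from the report, from UF, or from the standard) that turns the password rules listed above, together with rule 6 of the account standard (store only a non-reversible hash), into working code. The 3-of-4 character-set rule and the 18-character passphrase route are taken from the page; the minimum-entropy threshold, the dictionary and trivial-phrase lists, and the PBKDF2 work factor are constructed placeholders, since the page does not state them.

```python
"""Password-policy checker for the rules quoted above.

Added example, not code from the report or from UF. The 3-of-4 character
set rule, the 18-character passphrase route and the "non-reversible hash"
storage rule come from the page; the entropy threshold, the dictionary and
trivial-phrase lists and the PBKDF2 parameters are constructed placeholders.
"""
import hashlib
import hmac
import math
import os
import string

PASSPHRASE_MIN_LEN = 18      # from the policy: 18+ characters waives composition rules
MIN_ENTROPY_BITS = 40        # assumption: the page does not state the minimum entropy
PBKDF2_ITERATIONS = 600_000  # assumption: a reasonable present-day work factor

# Constructed stand-ins for the policy's dictionary and trivial-phrase checks.
DICTIONARY = {"password", "welcome", "letmein", "florida", "gators"}
TRIVIAL_PHRASES = {"correct horse battery staple", "the quick brown fox"}

CHARSETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation + " "),
}


def charsets_used(password):
    """Names of the four policy character sets that appear in the password."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def entropy_bits(password):
    """Naive brute-force entropy: length * log2(size of the pool actually used)."""
    pool = sum(len(CHARSETS[name]) for name in charsets_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Apply the policy; returns (accepted, list_of_reasons)."""
    reasons = []
    if len(password) >= PASSPHRASE_MIN_LEN:
        # Passphrase route: composition rules and dictionary check are waived;
        # only the "common or trivial phrase" tests remain.
        words = password.lower().split()
        if " ".join(words) in TRIVIAL_PHRASES:
            reasons.append("passphrase is a well-known phrase")
        if len(words) > 1 and len(set(words)) == 1:
            reasons.append("passphrase just repeats one word")
    else:
        if len(charsets_used(password)) < 3:
            reasons.append("fewer than 3 of the 4 character sets used")
        if password.lower() in DICTIONARY:
            reasons.append("password is a dictionary word")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append("estimated entropy below the policy minimum")
    return (not reasons, reasons)


def hash_for_storage(password, salt=None):
    """Rule 6 of the standard: keep only a salted, non-reversible hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_stored(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def enrol(password):
    """Accept a password only if it passes policy, then return its stored form."""
    accepted, reasons = check_password(password)
    if not accepted:
        raise ValueError("; ".join(reasons))
    return hash_for_storage(password)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor!", "correct horse battery staple",
                      "my dog ate the homework", "word word word word"]:
        print(repr(candidate), check_password(candidate))
```

Note that a composition-only rule is satisfied by a string such as "Password1", which is why the checker also carries the entropy estimate from item 1 and why the passphrase route still keeps the trivial-phrase test from item 3.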
While passwords are the most commonly used method for authenticating users entering computer
systems, passwords are frequently targeted by attackers wanting to break into systems. It is
important that this first line of defense against unauthorized access is effective, by
rigorously practicing good password management policies. Different passwords should be used
for different systems, according to the security requirements and the value of the information
assets that need to be protected. Other access control mechanisms should be used to facilitate
password management and reduce the effort required of users in remembering a large number of
passwords. This should be supported by good security policies and guidelines, backed by user
awareness training and education on best practices in choosing and handling passwords.
In addition, for effective information security management, consideration should also be given
to areas including but not limited to physical security, data and application security, network
security, and technologies for strengthening security protection, for example firewalls, VPN and
SSL.
Different information systems will have different security requirements, depending on the
functional characteristics and classification of the data on each system. As a general rule,
authentication mechanisms should be deployed with different levels of sophistication,
commensurate with the value of the information assets that need to be protected. For example,
an internal application handling classified data requires tight access control, while an
Internet application for general information searching may allow anonymous logins.
FINDINGS OF FACTS
AUDIT QUESTIONNAIRE AND RESPONSES
RATING SCALE: 1 = Yes, 2 = Being Implemented, 3 = In Development, 4 = No
Response items: Preliminary Score, Action Item, Final score, Notes (if any)
Password Management Audit questions and findings
➔ Are passwords difficult to crack?
Rate: 1 – final score
Note: Highly restricted rules are in place for making passwords difficult to crack
➔ Are adequate cryptographic tools in place to govern data encryption, and are tools
properly configured?
Rate: 1 – final score
Note: Link to policies in place - http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
➔ Are passwords and accounts being shared?
Rate: 1 – final score
Note: Passwords are encrypted and not shared or stored in scripts or unprotected configuration
files.
➔ Have employees been trained on proper password management?
Rate: 4 – interim score
Note: No clear indication of password management training to employees.
➔ Are users of all company-provided network resources required to change the initial
default password?
Rate: 1 – final score
Note: Properly specified in the guideline:
https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
➔ Are the passwords required to use current tools as secure as the tools allow them to be?
Rate: 1 – final score
Note: There are 9 total guidelines for creating strong passwords. Without meeting those the
passwords are not accepted by the system.
➔ Do terminating employees have their calling cards and voice-mail passwords disabled?
Rate: 1 – final score
Note: Calling cards are returned and voice mail passwords are terminated after 90 days.
➔ Does the organization have a published policy on prosecution of employees and outsiders
if found guilty of serious premeditated criminal acts against the organization?
Rate: 4 – interim score
Note: No policy specifying that.
➔ Are employees made aware of their responsibility to keep remote access codes secure
from unauthorized access and usage?
Rate: 1 – final score
Note: As per project doc. “Policy will be implemented to minimize the number of laptops
authorized for use with confidential data. Full disk encryption will be required on all laptops
used with confidential data. Remote data destruction and tracking software will also be required.
Policy implementation will be verified at least annually”.
Source: http://www.it.ufl.edu/wp-content/uploads/2012/10/risk-assessment-standard.pdf
Application code and network security
➔ Are there access control lists (ACLs) in place on network devices to control who has
access to shared data?
Rate: 1 – final score
Note: Clear definitions available at icc.ifas.ufl.edu/ITAC/.../Lenel-IT-Standards-and-Procedures(rev2).doc
➔ Are there audit logs to record who accesses data?
Rate: 4 – final score
Note: No evidence that user name or ID is logged.
➔ Are audit logs reviewed?
Rate: 1 – final score
➔ Have custom-built applications been written with security in mind?
Rate: 1 – final score
➔ How have custom applications been tested for security flaws?
Rate: 1 – final score
Note: Automation and documented code for testing and review are in place.
➔ How are configuration and code changes documented at every level?
Rate: 1 – final score
➔ How are these records reviewed and who conducts the review?
Rate: 1
Note: With parsed log files. Application Developers and System Administrators review the code.
➔ Are the desktop platforms secured?
Rate: 1 – final score
Note: Automated tools for review and testing used to detect vulnerabilities in desktops and
servers.
➔ Are host systems and servers as well as application servers secured?
Rate: 1 – final score
Note: Both are connected to networks and are secured with authentication, encryption and using
temporary files.
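The audit-log finding above (rated 4: no evidence that a user name or ID is logged) is the kind of check an auditor can run mechanically over a log export. The script below is an added example, not part of the report; the key=value log format and the four sample records are constructed for the demonstration, and the mapping onto the report's 1/4 rating scale is the example's own choice.

```python
"""Check that data-access audit records carry a user identity.

Added example, not from the report. The log format (timestamp followed by
key=value tokens) and the log lines are constructed for the demonstration;
the report only states that no evidence of user name/ID logging was found.
"""

# Constructed sample: four access records, three of them without a usable user.
SAMPLE_LOG = """\
2016-11-02T10:15:03Z action=read object=patient/4471 user=jdoe src=10.0.4.17
2016-11-02T10:16:41Z action=export object=report/Q3 src=10.0.4.22
2016-11-02T10:17:09Z action=delete object=patient/4471 user=- src=10.0.4.17
2016-11-02T10:18:30Z action=read object=public/faq src=10.0.4.9
"""

IDENTITY_KEYS = ("user", "uid")       # field names accepted as a user identity
PLACEHOLDERS = {"", "-", "unknown"}   # values that carry no identity


def parse_record(line):
    """Turn 'ts k=v k=v ...' into a dict; tokens without '=' are kept under 'raw'."""
    ts, *tokens = line.split()
    record = {"ts": ts}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            record[key] = value
        else:
            record.setdefault("raw", []).append(tok)
    return record


def has_identity(record):
    """True when at least one identity field holds a real value."""
    return any(record.get(k, "").strip() not in PLACEHOLDERS for k in IDENTITY_KEYS)


def identity_coverage(log_text):
    """Summarise how many access records name the accessing user."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    missing = [r for r in records if not has_identity(r)]
    return {
        "total": len(records),
        "with_identity": len(records) - len(missing),
        "missing": [(r["ts"], r.get("action"), r.get("object")) for r in missing],
    }


def questionnaire_rating(summary):
    """Map coverage onto the report's scale: 1 = yes, 4 = no (2/3 not used here)."""
    if summary["total"] and not summary["missing"]:
        return 1
    return 4


if __name__ == "__main__":
    summary = identity_coverage(SAMPLE_LOG)
    print(summary)
    print("Are there audit logs to record who accesses data? Rate:",
          questionnaire_rating(summary))
```

Running the check over a real export needs only the parser adapted to the local log format; the decision logic (every access record must name a principal, and placeholders do not count) stays the same.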
Account Management audit
➔ Are unsecured user accounts (e.g., guest) still active?
Rate: 1 – interim score
Note: Guest accounts are automatically deleted after 7 calendar days. Process for getting a
temporary guest account:
http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
➔ Are temporary user accounts restricted and disabled in a timely fashion?
Rate: 4 for restricted access and 1 for disabling in a timely fashion
Reason: No proper guidelines or description have been provided for the restricted access given
to guest account holders, but the accounts are disabled after a fixed amount of time.
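The two guest-account findings above (automatic deletion after 7 calendar days, and no stated restriction on what guest accounts may do) can be verified against a directory export. The script below is an added example, not from the report; the 7-day window is the figure the report gives, while the account records, the privilege names and the set of privileges allowed to guests are constructed for the demonstration.

```python
"""Guest-account lifecycle check for the two findings above.

Added example, not from the report. The 7-calendar-day deletion window is the
figure the report gives; the account records, the privilege names and the
"allowed for guests" set are constructed for the demonstration.
"""
from datetime import date

GUEST_MAX_AGE_DAYS = 7                               # from the report
GUEST_ALLOWED_PRIVILEGES = {"wifi", "read_public"}   # assumption: page gives none

# Constructed directory export: (account, kind, created, active, privileges)
SAMPLE_ACCOUNTS = [
    ("guest-a", "guest", date(2016, 11, 1), True, {"wifi"}),
    ("guest-b", "guest", date(2016, 11, 5), True, {"wifi", "read_public"}),
    ("guest-c", "guest", date(2016, 10, 20), False, {"wifi"}),
    ("guest-d", "guest", date(2016, 11, 8), True, {"wifi", "admin"}),
    ("jdoe", "staff", date(2014, 3, 2), True, {"admin"}),
]


def overdue_guest_accounts(accounts, today):
    """Active guest accounts older than the deletion window (they should be gone)."""
    return [name for name, kind, created, active, _ in accounts
            if kind == "guest" and active
            and (today - created).days > GUEST_MAX_AGE_DAYS]


def overprivileged_guests(accounts, allowed=GUEST_ALLOWED_PRIVILEGES):
    """Guest accounts holding privileges outside the restricted set."""
    return [(name, sorted(privs - allowed)) for name, kind, _, _, privs in accounts
            if kind == "guest" and privs - allowed]


def audit_guests(accounts, today):
    """Answer the questionnaire item on the report's scale (1 = yes, 4 = no)."""
    overdue = overdue_guest_accounts(accounts, today)
    overpriv = overprivileged_guests(accounts)
    return {
        "disabled_timely": 1 if not overdue else 4,
        "access_restricted": 1 if not overpriv else 4,
        "overdue": overdue,
        "overprivileged": overpriv,
    }


if __name__ == "__main__":
    print(audit_guests(SAMPLE_ACCOUNTS, date(2016, 11, 10)))
```

The date is passed in rather than read from the clock so that a run over an old export reproduces the state at audit time.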
Storage backup and business continuity audit
Purpose:
The purpose of this policy is to protect University Data from loss or destruction by specifying
reliable backups that are based upon the availability needs of each unit and its data.
➔ How is backup media stored? Who has access to it? Is it up-to-date?
Rate: 1 – final score
Note: System administrators. http://www.it.ufl.edu/wp-content/uploads/2012/10/user-removable-media-guidelines.pdf
➔ Is there a disaster recovery plan?
Rate: 1 – final score
➔ Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Rate: 1 – final score
Policy
➔ Is there an information security policy in place?
Rate: 1 – final score
Note: Covers almost all the aspects in detail.
➔ Does the policy state what is and is not permissible?
Rate: 1 – final score
➔ Does the scope of the policy cover all facets of information?
Rate: 1 – final score
Note: "Guidelines provide additional information for handling information and information
systems in a secure manner to insure confidentiality, integrity and availability of data and
information."
➔ Does the policy define and identify what is classed as "information"?
Rate: 1 – final score
Note: There is a data classification policy in place.
➔ Does the policy support the business objectives or mission of the enterprise?
Rate: 1 – final score
Note: This is available on the home page of the official website.
➔ Does the policy identify management and employee responsibilities?
Rate: 1 – final score
➔ Does the policy make clear the consequences of non-compliance?
Rate: 4 – final score
Note: Not available readily.
CONCLUSIONS AND RECOMMENDATIONS
Overall, our team feels that the University of Florida Information Security Department has some
very good policies in place, but there are many policies in several areas that need to be addressed
for several important reasons. We feel that attending to policies that may be outdated, not
complete, or not thorough enough is of vital importance to the university's operations going
forward.
There are key aspects of UF's contingency planning that pass with an appropriate policy, but
there are many that fail.
There need to be better and more recently revised policies for all of those stated above, as
contingency planning is a crucial aspect when disaster strikes, or when something unprecedented
happens in the organization.
There is an effective storage and backup plan, in which only the system administrators who need
access to that information have access.
There is not an appropriate recovery plan in the event of a system-wide emergency. It does not
explicitly state what steps would be taken in the event of an emergency shutdown or data loss.
The human resource policy for taking appropriate corrective actions against those violating the
policies is also not specified very clearly in the policies.
Hence we recommend adding policies in the above-mentioned areas.
APPENDICES
Reference documents:
1. https://www.sans.org/media/score/checklists/ISO-17799-2005.pdf
2. http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
3. http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
4. https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
Terms and definitions:
1. Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors,
accidents and natural disasters. IT security threats and data-related risks, and the risk
management strategies to alleviate them, have become a top priority for digitized companies.
As a result, a risk management plan increasingly includes companies' processes for identifying
and controlling threats to their digital assets, including proprietary corporate data, a
customer's personally identifiable information and intellectual property. Risk management
standards have been developed by several organizations, including the National Institute of
Standards and Technology and the ISO. These standards are designed to help organizations
identify specific threats, assess unique vulnerabilities to determine their risk, identify ways
to reduce these risks and then implement risk reduction efforts according to organizational
strategy.
2. Intellectual property refers to creations of the intellect for which a monopoly is assigned
to designated owners by law. Intellectual property rights (IPRs) are the protections granted
to the creators of IP, and include trademarks, copyright, patents, industrial design rights,
and in some jurisdictions trade secrets. Artistic works including music and literature, as
well as discoveries, inventions, words, phrases, symbols, and designs can all be protected as
intellectual property.
While intellectual property law has evolved over centuries, it was not until the nineteenth
century that the term intellectual property began to be used, and not until the late
twentieth century that it became commonplace in the majority of the world. The stated
objective of most intellectual property law (with the exception of trademarks) is to "Promote
progress." By exchanging limited exclusive rights for disclosure of inventions and creative
works, society and the patentee/copyright owner mutually benefit, and an incentive is created
for inventors and authors to create and disclose their work. Some commentators have noted that
the objective of intellectual property legislators and those who support its implementation
appears to be "absolute protection". "If some intellectual property is desirable because it
encourages innovation, they reason, more is better. The thinking is that creators will not
have sufficient incentive to invent unless they are legally entitled to capture the full
social value of their inventions". This absolute protection or full value view treats
intellectual property as another type of "real" property, typically adopting its law and
rhetoric. Other recent developments in intellectual property law, such as the America Invents
Act, stress international harmonization. Recently there has also been much debate over the
desirability of using intellectual property rights to protect cultural heritage, including
intangible heritage, as well as over the risks of commodification that derive from this
possibility. The issue still remains open in legal scholarship.

Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Security Auditing

• 1. INFORMATION SECURITY AUDIT REPORT - UNIVERSITY OF FLORIDA HEALTH SCIENCE CENTER
INFORMATION SECURITY AUDIT REPORT
BLUE TEAM
NIKITA K. KOTHARI
JIGISHAARYYA
ZDENEK R. JAKS
• 2. ABSTRACT
This report gives an analysis of the policy and offers proposals to improve it. In summary, the policy reduces security breaches and makes the system more secure through accounts and passwords. It protects the data of the user and of the organization, because only individuals in the organization who hold accounts and passwords can log in and access the data. The policy helps in setting the privileges of users according to their authorization level. It was found that the password length and the complexity of passwords varied for different users, which helped in setting their authorization level.
A review of the standard policy "User Account and Password Management" and the standard policy "Password Complexity" was completed. The standard policy was then compared with the University of Florida policy, and improvements that could be made to the current UF policy were identified. Proposals include:
● Improve accessibility for users by letting them log in on multiple platforms at the same time.
● Improve security by having users change their passwords often.
● Improve security by requiring users with higher authorization to go through more steps, rather than simply requiring them to use a longer or more complex password.
● Improve security by frequently reviewing policies and making updates.
In short, it ensures security of access.
• 3. EXECUTIVE SUMMARY
An account review was performed for the University of Florida Health Care Information Security Department. The policy that was evaluated was the User Account and Password Management policy under the Technical Security classification. The purpose of the review is to enhance the policy that the University of Florida (UF) uses for its User Accounts and Password Management. Here is the list of goals that should be covered:
● Improve password strength.
● Assign distinct roles to users.
● Assign privileges to users according to their roles.
● Use the policy standard to further enhance the current policy.
This review gives a comparison of the present policy with the standards. Failure to recognize and implement the advice of the review can lead to data breaches of sensitive information.

#    BS ISO IEC 17799:2005 Section                                   Level of Compliance
1.   Security Policy                                                 Compliant
2.   Organization of Information Security                            Compliant
3.   Asset Management                                                Compliant
4.   Human Resources Security                                        Compliant
5.   Physical and Environmental Security                             Compliant
6.   Communications and Operations Management                        Partially compliant
7.   Access Control                                                  Partially compliant
8.   Information Systems Acquisition, Development and Maintenance    Compliant
9.   Information Security Incident Management                        Compliant
10.  Business Continuity Management                                  Partially compliant
11.  Compliance                                                      Compliant
• 4. BACKGROUND
USER ACCOUNT AND PASSWORD MANAGEMENT
PURPOSE: To establish a standard for user account and password management. User authentication is a means of controlling who has access to an IT resource. Access gained by a non-authorized entity can result in loss of data confidentiality, integrity and availability. This may result in loss of revenue, liability, loss of trust, or it can cause embarrassment to HSC. Here is the list of standards that should always be applied.
1. Accounts and passwords must not be shared.
2. Restricted or Sensitive data must have an automatic log-off feature.
3. Unnecessary pre-configured or default accounts must be removed or changed.
4. Passwords for essential default accounts must be changed before connecting the system to the network.
5. For situations involving the use of passwords as an authentication mechanism, UFHSC Units must adopt a password design reflective of the nature of the data or data resource accessed.
6. Stored passwords must be encrypted or otherwise protected with a non-reversible hash or another comparable mechanism.
7. Users must not bypass password entry with auto logon, use of applications that remember passwords, embedded scripts, or hard-coded passwords in client software.
PASSWORD COMPLEXITY
PURPOSE: To determine whether the proper requirements were met in the complexity of new and in-use passwords.
1. Password construction characteristics for each password policy level are chosen to achieve the specified minimum entropy.
• 5. 2. Password rules require the inclusion of 3 of the 4 following character sets: lowercase letters, uppercase letters, numerals and special characters.
3. For all policy levels, the selection of a passphrase of at least 18 characters waives the password composition rules and the dictionary check. Passphrases are subject to minimal tests to prevent the use of common or trivial phrases.
4. Multi-Factor Authentication (MFA) may be offered for use with policy levels P3-P5, and is required for P6.
While the password is the most commonly used method of authenticating users entering computer systems, passwords are frequently targeted by attackers wanting to break into systems. It is important that this first line of defense against unauthorized access is effective, by rigorously practicing good password management policies. Different passwords should be used for different systems, according to the security requirements and the value of the information assets that need to be protected. Make use of other access control mechanisms to facilitate password management and reduce the effort required of users in remembering a large number of passwords. This should be supported with good security policies and guidelines, reinforced by user awareness training and education on best practices in choosing and handling passwords. In addition, for effective information security management, consideration should also be given to areas including but not limited to physical security, data and application security, network security, and technologies for strengthening security protection, for example firewalls, VPN and SSL. Different information systems will have different security requirements, depending on the functional characteristics and classification of data on each system.
As a rule, authentication mechanisms should be deployed with different levels of sophistication, commensurate with the value of the information assets that need to be protected. For example, an internal application handling classified data requires tight access control, while an Internet application for general information searching may permit anonymous logins.
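The password rules quoted on slides 4 and 5 (stored passwords protected by a non-reversible hash, construction rules chosen per policy level for a minimum entropy, 3 of the 4 character sets, and the 18-character passphrase exception with its trivial-phrase test) translate directly into code. The Python below is an added example written for this page; it is not code from the audit report or from UF. The per-level minimum entropy values, the small trivial-phrase list, the crude entropy estimate, and the scrypt parameters are all assumptions, because the report states none of them.

```python
"""Password policy check and non-reversible storage (added example, not UF code).

Encodes the rules quoted on slides 4 and 5:
  rule 6       stored passwords are protected with a non-reversible hash
  complexity 1 construction rules per policy level target a minimum entropy
  complexity 2 at least 3 of the 4 character sets must be used
  complexity 3 an 18+ character passphrase waives composition and dictionary
               rules but is still tested against trivial phrases
"""
import hashlib
import hmac
import math
import os
import string
from typing import List, Optional

# ASSUMPTION: the report names levels P3-P6 but not their entropy floors.
MIN_ENTROPY_BITS = {"P3": 30, "P4": 36, "P5": 44, "P6": 56}

# ASSUMPTION: a constructed stand-in for the dictionary / trivial-phrase list.
TRIVIAL_PHRASES = {
    "password",
    "letmein",
    "correct horse battery staple",
    "the quick brown fox jumps over the lazy dog",
}

CHARACTER_SETS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# scrypt work factor: 128 * N * r bytes = 16 MiB, inside the 32 MiB that
# hashlib.scrypt allows by default.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def character_sets_used(password: str) -> int:
    """Count how many of the four character sets appear in the password."""
    return sum(1 for charset in CHARACTER_SETS if any(c in charset for c in password))


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character pool used).

    The pool is the union of the character sets the password draws from, so
    a 12-character all-lowercase password scores 12 * log2(26), about 56 bits.
    """
    pool = sum(len(charset) for charset in CHARACTER_SETS if any(c in charset for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, level: str) -> List[str]:
    """Return the policy violations for `password` at `level` ([] means compliant)."""
    if level not in MIN_ENTROPY_BITS:
        raise ValueError(f"unknown policy level {level!r}")
    problems: List[str] = []
    normalized = " ".join(password.lower().split())
    if len(password) >= 18:
        # Passphrase: composition rules and dictionary check are waived;
        # only the minimal trivial-phrase test applies.
        if normalized in TRIVIAL_PHRASES:
            problems.append("passphrase is a common or trivial phrase")
    else:
        if character_sets_used(password) < 3:
            problems.append("must use at least 3 of the 4 character sets")
        if normalized in TRIVIAL_PHRASES:
            problems.append("password appears in the dictionary check")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS[level]:
        problems.append(f"estimated entropy below the {level} minimum")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted scrypt digest, never the password itself (rule 6)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def enroll(password: str, level: str) -> str:
    """Accept a password only if it passes policy, then return its stored form."""
    problems = check_password(password, level)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate, level in [("Tr0ub4dor&3", "P6"), ("password", "P3"), ("purple giraffe tennis lamp", "P6")]:
        print(candidate, level, check_password(candidate, level) or "compliant")
    record = enroll("Tr0ub4dor&3", "P6")
    print(record, verify_password("Tr0ub4dor&3", record))
```

The entropy estimate is deliberately simple and only illustrates how a per-level floor can be enforced; a production check would pair the composition rules with a real breached-password list rather than the four-entry set above.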
• 6. FINDINGS OF FACTS
AUDIT QUESTIONNAIRE AND RESPONSES
RATING SCALE: 1 = YES, 2 = Being Implemented, 3 = In Development, 4 = NO
Response items: Preliminary Score, Action Item, Final score, Notes (if any)
Password Management audit questions and findings
➔ Are passwords difficult to crack?
Rate: 1 – final score
Note: Highly restricted rules are in place for making passwords difficult to crack.
➔ Are adequate cryptographic tools in place to govern data encryption, and are tools properly configured?
Rate: 1 – final score
Note: Link to policies in place: http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
➔ Are passwords and accounts being shared?
Rate: 1 – final score
Note: Passwords are encrypted and not shared or stored in scripts or unprotected configuration files.
➔ Have employees been trained on proper password management?
Rate: 4 – interim score
Note: No clear indication of password management training to employees.
➔ Are users of all company-provided network resources required to change the initial default password?
Rate: 1 – final score
Note: Properly specified in the guideline:
• 7. https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
➔ Are the passwords required to use current tools as secure as the tools allow them to be?
Rate: 1 – final score
Note: There are 9 total guidelines for creating strong passwords. Without meeting those, the passwords are not accepted by the system.
➔ Do terminating employees have their calling cards and voice-mail passwords disabled?
Rate: 1 – final score
Note: Calling cards are returned and voice mail passwords are terminated after 90 days.
➔ Does the organization have a published policy on prosecution of employees and outsiders if found guilty of serious premeditated criminal acts against the organization?
Rate: 4 – interim score
Note: No policy specifying that.
➔ Are employees made aware of their responsibility to keep remote access codes secure from unauthorized access and usage?
Rate: 1 – final score
Note: As per project doc. "Policy will be implemented to minimize the number of laptops authorized for use with confidential data. Full disk encryption will be required on all laptops used with confidential data. Remote data destruction and tracking software will also be required. Policy implementation will be verified at least annually". Source: http://www.it.ufl.edu/wp-content/uploads/2012/10/risk-assessment-standard.pdf
Application code and network security
➔ Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
Rate: 1 – final score
• 8. Note: Clear definitions available at icc.ifas.ufl.edu/ITAC/.../Lenel-IT-Standards-and-Procedures(rev2).doc
➔ Are there audit logs to record who accesses data?
Rate: 4 – final score
Note: No evidence that user name or ID is logged.
➔ Are audit logs reviewed?
Rate: 1 – final score
➔ Have custom-built applications been written with security in mind?
Rate: 1 – final score
➔ How have custom applications been tested for security flaws?
Rate: 1 – final score
Note: Automation and documented code for testing and review are in place.
➔ How are configuration and code changes documented at every level?
Rate: 1 – final score
➔ How are these records reviewed and who conducts the review?
Rate: 1
Note: With parsed log files. Application Developers and System Administrators review the code.
➔ Are the desktop platforms secured?
Rate: 1 – final score
Note: Automated tools for review and testing are used to detect vulnerabilities in desktops and servers.
➔ Are host systems and servers as well as application servers secured?
Rate: 1 – final score
• 9. Note: Both are connected to networks and are secured with authentication, encryption and the use of temporary files.
Account Management audit
➔ Are unsecured user accounts (e.g., guest) still active?
Rate: 1 – interim score
Note: Guest accounts are automatically deleted after 7 calendar days. Process for getting a temporary guest account: http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
➔ Are temporary user accounts restricted and disabled in a timely fashion?
Rate: 4 for restricted access and 1 for disabling in a timely fashion
Reason: No proper guidelines or description have been given for the restricted access provided to guest account holders, but the accounts are disabled after a fixed amount of time.
Storage backup and business continuity audit
Purpose: The purpose of this policy is to protect University Data from loss or destruction by specifying reliable backups that are based upon the availability needs of each unit and its data.
➔ How is backup media stored? Who has access to it? Is it up-to-date?
Rate: 1 – final score
Note: System administrators. http://www.it.ufl.edu/wp-content/uploads/2012/10/user-removable-media-guidelines.pdf
➔ Is there a disaster recovery plan?
Rate: 1 – final score
➔ Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Rate: 1 – final score
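Two of the findings above lend themselves to automated checks that an auditor can re-run instead of reading evidence by hand: the audit-log item on slide 8 (no evidence that a user name or ID is logged) and the account-management items on this slide (guest accounts deleted after 7 calendar days; temporary accounts not clearly restricted). The Python below is an added example, not the audit team's or UF's tooling. The log line format, the account records and the set of roles treated as "restricted" are constructed assumptions.

```python
"""Automated checks behind two findings (added example, not UF tooling).

slide 8: access logs must record who accessed data (user name or ID);
slide 9: guest accounts are deleted after 7 calendar days, and guest or
         temporary accounts should hold only restricted roles.
The log format, the account records and the role names are ASSUMPTIONS.
"""
import re
from datetime import date
from typing import Dict, List

# ASSUMED log format: "<ISO timestamp> <ACTION> [user=<id>] resource=<path>".
USER_FIELD = re.compile(r"\buser=(?P<user>\S+)")

# Constructed sample access log; the 2nd and 3rd lines carry no usable identity.
SAMPLE_LOG = [
    "2024-05-10T08:15:02Z READ user=jdoe resource=/phi/records/1234",
    "2024-05-10T08:16:40Z READ resource=/phi/records/1235",
    "2024-05-10T08:17:01Z WRITE user=- resource=/phi/records/1236",
    "2024-05-10T08:18:11Z DELETE user=guest-001 resource=/tmp/export.csv",
]

GUEST_MAX_AGE_DAYS = 7            # from the finding on slide 9
RESTRICTED_ROLES = {"read-only"}  # ASSUMPTION: the only role a guest/temporary account may hold

# Constructed account records, shaped like an identity-system export.
SAMPLE_ACCOUNTS: List[Dict] = [
    {"id": "guest-001", "type": "guest", "created": "2024-05-01", "active": True, "roles": ["read-only"]},
    {"id": "guest-002", "type": "guest", "created": "2024-05-09", "active": True, "roles": ["read-only"]},
    {"id": "temp-007", "type": "temporary", "created": "2024-05-09", "active": True, "roles": ["admin"]},
    {"id": "jdoe", "type": "staff", "created": "2020-01-15", "active": True, "roles": ["admin"]},
]


def log_lines_missing_user(lines: List[str]) -> List[str]:
    """Return access records that do not identify the acting user.

    A line fails when the user field is absent or holds the anonymous marker
    "-". The slide 8 question is answered YES only when this list is empty.
    """
    missing = []
    for line in lines:
        match = USER_FIELD.search(line)
        if match is None or match.group("user") == "-":
            missing.append(line)
    return missing


def overdue_guest_accounts(accounts: List[Dict], today: date) -> List[str]:
    """Guest accounts still active beyond the 7-calendar-day lifetime."""
    overdue = []
    for acct in accounts:
        if acct["type"] != "guest" or not acct["active"]:
            continue
        age_days = (today - date.fromisoformat(acct["created"])).days
        if age_days > GUEST_MAX_AGE_DAYS:
            overdue.append(acct["id"])
    return overdue


def unrestricted_temporary_accounts(accounts: List[Dict]) -> List[str]:
    """Guest or temporary accounts holding any role outside the restricted set."""
    return [
        acct["id"]
        for acct in accounts
        if acct["type"] in ("guest", "temporary")
        and acct["active"]
        and not set(acct["roles"]) <= RESTRICTED_ROLES
    ]


def run_audit(lines: List[str], accounts: List[Dict], today_iso: str) -> Dict[str, List[str]]:
    """Run all three checks as of `today_iso` (YYYY-MM-DD); empty lists mean PASS."""
    today = date.fromisoformat(today_iso)
    return {
        "log_lines_missing_user": log_lines_missing_user(lines),
        "overdue_guest_accounts": overdue_guest_accounts(accounts, today),
        "unrestricted_temporary_accounts": unrestricted_temporary_accounts(accounts),
    }


if __name__ == "__main__":
    for check, hits in run_audit(SAMPLE_LOG, SAMPLE_ACCOUNTS, "2024-05-10").items():
        print(f"{check}: {'PASS' if not hits else hits}")
```

Each check returns the offending records rather than a bare pass/fail, so the output doubles as the evidence list an auditor attaches to the rating.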
• 10. Policy
➔ Is there an information security policy in place?
Rate: 1 – final score
Note: Covers almost all the aspects in detail.
➔ Does the policy state what is and is not permissible?
Rate: 1 – final score
➔ Does the scope of the policy cover all facets of information?
Rate: 1 – final score
Note: "Guidelines provide additional information for handling information and information systems in a secure manner to insure confidentiality, integrity and availability of data and information.."
➔ Does the policy define and identify what is classed as "information"?
Rate: 1 – final score
Note: There is a Data Classification policy in place.
➔ Does the policy support the business objectives or mission of the enterprise?
Rate: 1 – final score
Note: This is available on the home page of the official website.
➔ Does the policy identify management and employee responsibilities?
Rate: 1 – final score
➔ Does the policy make clear the consequences of non-compliance?
Rate: 4 – final score
Note: Not readily available.
• 11. CONCLUSIONS AND RECOMMENDATIONS
Overall, our team feels that the University of Florida Information Security Department has some very good policies in place, but there are many policies in several areas that need to be addressed for several important reasons. We feel that attending to policies that may be outdated, incomplete, or not thorough enough is of vital importance to the university's operations going forward. There are key aspects of UF's contingency planning that pass with an appropriate policy, but there are many that fail. There need to be better and more recently revised policies for all of those stated above, as contingency planning is a crucial aspect when disaster strikes, or when something unprecedented happens in the organization. There is an effective storage and backup plan, with only the system administrators who need access to that information having access. There is not an appropriate recovery plan in the event of a system-wide emergency: it does not explicitly state what steps would be taken in the event of an emergency shutdown or data loss. The human resource policy for taking appropriate corrective actions against those violating the policies is also not specified very clearly. Hence we recommend adding policies in the above-mentioned areas.
• 12. APPENDICES
Reference documents:
1. https://www.sans.org/media/score/checklists/ISO-17799-2005.pdf
2. http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
3. http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
4. https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
Terms and definitions:
1. Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes a company's processes for identifying and controlling threats to its digital assets, including proprietary corporate data, customers' personally identifiable information and intellectual property. Risk management standards have been developed by several organizations, including the National Institute of Standards and Technology and the ISO. These standards are designed to help organizations identify specific threats, assess unique vulnerabilities to determine their risk, identify ways to reduce these risks and then implement risk reduction efforts according to organizational strategy.
2. Intellectual property refers to creations of the intellect for which a monopoly is assigned to designated owners by law. Intellectual property rights (IPRs) are the protections granted to the creators of IP, and include trademarks, copyright, patents, industrial design rights, and in some jurisdictions trade secrets. Creative works including music and literature, as well as discoveries, inventions, words, phrases, symbols, and designs can all be protected as intellectual property.
• 13. While intellectual property law has evolved over centuries, it was not until the 19th century that the term intellectual property began to be used, and not until the late 20th century that it became commonplace in the majority of the world. The stated objective of most intellectual property law (with the exception of trademarks) is to "Promote progress." By exchanging limited exclusive rights for disclosure of inventions and creative works, society and the patentee/copyright owner mutually benefit, and an incentive is created for inventors and authors to create and disclose their work. Some commentators have noted that the objective of intellectual property legislators and those who support its implementation appears to be "absolute protection". "If some intellectual property is desirable because it encourages innovation, they reason, more is better. The thinking is that creators will not have sufficient incentive to invent unless they are legally entitled to capture the full social value of their inventions". This absolute protection or full value view treats intellectual property as another type of "real" property, typically adopting its law and rhetoric. Other recent developments in intellectual property law, such as the America Invents Act, stress international harmonization. Recently there has also been much debate over the desirability of using intellectual property rights to protect cultural heritage, including intangible heritage, as well as over the risks of commodification derived from this possibility. The issue still remains open in legal scholarship.