Control Objectives ...........................................................................236
Management Guidelines ..................................................................237
Use in a Security Assessment......................................................................238
ITIL (IT Infrastructure Library) Security Management .......................................238
Use in a Security Assessment......................................................................239
SAS (Statement on Auditing Standards) 70................................................239
Use in a Security Assessment......................................................................240
AICPA SysTrust.....................................................................................................240
Use in a Security Assessment......................................................................240
AICPA WebTrust ...................................................................................................241
Use in a Security Assessment......................................................................241
RFC 2196 — Site Security Handbook .................................................................241
Use in a Security Assessment......................................................................242
Other Resources.....................................................................................................242
SANS (SysAdmin, Audit, Network, Security)/FBI (Federal Bureau of Investigation) Top 20 List ...........................................................242
Vendor Best Practices ..................................................................................243
Notes ......................................................................................................................243
Chapter 10
Information Security Legislation ................................................245
Relevance of Legislation in Security Assessments...............................................245
HIPAA (Health Insurance Portability and Accountability Act)............................246
GLBA (Gramm–Leach–Bliley Act) ......................................................................248
Sarbanes–Oxley Act...............................................................................................250
21 CFR Part 11......................................................................................................251
Safe Harbor............................................................................................................252
Federal Information Security Management Act (FISMA)....................................252
Other Legislative Action........................................................................................253
Notes ......................................................................................................................254
Appendices
Security Questionnaires and Checklists......................................255
Appendix A
Preliminary Checklist to Gather Information.............................259
Appendix B
Generic Questionnaire for Meetings with Business Process Owners ...........................................................................271
Appendix C
Generic Questionnaire for Meetings with Technology Owners.........................................................................................277
Appendix D
Data Classification.......................................................................283
Appendix E
Data Retention.............................................................................291
Appendix F
Backup and Recovery .................................................................297
Appendix G
Externally Hosted Services .........................................................309
Appendix H
Physical Security.........................................................................325
AU1706_book.fm Page xiv Tuesday, August 17, 2004 11:02 AM
Appendix I
Employee Termination ................................................................343
Appendix J
Incident Handling........................................................................351
Appendix K
Business to Business (B2B)........................................................361
Appendix L
Business to Consumer (B2C)......................................................371
Appendix M
Change Management...................................................................385
Appendix N
User ID Administration...............................................................391
Appendix O
Managed Security........................................................................403
Appendix P
Media Handling...........................................................................415
Appendix Q
HIPAA Security...........................................................................423
Index ......................................................................................................................487