IT Security Plan Template
Download Free IT Security Plan Template

A. APPLICATION/SYSTEM IDENTIFICATION
A.1 Application/System Category
- Indicate whether the application/system is a Major Application or a General Support System.
- A Major Application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
- A General Support System is an "interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."
Sarbanes Oxley SOX 404 IT General Control Test Plan Templates Free Download
Download Free Sarbanes Oxley (SOX) 404 IT General Control Test Plan

- Obtain a copy of the organization’s SDLC methodology.
- Review the methodology to determine that it addresses security, availability and processing integrity requirements.
- Review the organization’s SDLC methodology to determine if it considers both the development and acquisition of new systems and major changes to existing systems.
- Review the methodology to determine if it addresses application controls.
Why we need to implement User Naming Convention based on ISO27001
All user accounts in use within the organization should be domain accounts, not local accounts held in each workstation's local user account database. The benefits of implementing a standard user naming convention are:
1. Enable the domain administrator to better manage, support and secure the user accounts.
2. Facilitate ease of management and support.
PCI DSS 1.1 Audit Work Program Templates Free Download

Control 1 - All cardholder-entered PINs are processed in equipment that conforms to the requirements for Tamper-Resistant Security Modules (TRSMs). PINs must never appear in the clear outside of a TRSM.
Control 2 - All cardholder PINs processed online are encrypted and decrypted using an approved cryptographic technique that provides a level of security compliant with international and industry standards.
Download North American Reliability Corp (NERC) Critical Infrastructure Protection (CIP) Cyber Security Framework

Download Free North American Reliability Corp (NERC) Critical Infrastructure Protection (CIP) standards. NERC/CIP is a set of cyber security framework standards enforced by law by the Federal Energy Regulatory Commission (FERC). The standards consist of several domains, such as:
CIP-001-1 Sabotage Reporting
Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
CIP-002-1 Critical Cyber Asset Identification
NERC Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.
CIP-002-2 Cyber Security - Critical Cyber Asset Identification
NERC Standards CIP-002-2 through CIP-009-2 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.