security

PCI DSS 1.1 Audit Work Program Templates Free Download

Control 1 - All cardholder-entered PINs are processed in equipment that conforms to the requirements for Tamper-Resistant Security Modules (TRSMs). PINs must never appear in the clear outside of a TRSM

Control 2 - All cardholder PINs processed online are encrypted and decrypted using an approved cryptographic technique that provides a level of security compliant with international and industry standards.

Download Free North American Reliability Corp (NERC) Critical Infrastructure Protection (CIP) standards or simply NERC/CIP is a set of Cyber Security Framework standard that force of by law by the Federal Energy Regulatory Commission (FERC). This standard consist of several domain such as:

CIP-001-1 Sabotage Reporting
Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.

CIP-002-1 Critical Cyber Asset Identification
NERC Standards CIP-002 through CIP-009 provides a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.

CIP-002-2 Cyber Security - Critical Cyber Asset Identification
NERC Standards CIP-002-2 through CIP-009-2 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.

1. Ensuring the confidentiality and integrity of your organization’s data-in-transit to and from your public cloud provider

2. Ensuring proper access control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider

3. Ensuring the availability of the Internet-facing resources in a public cloud that are being used by your organization, or have been assigned to your organization by your public cloud providers

Download Free SAS 70 (Statement on Auditing Standards no 70) Report Content Templates

The SAS 70 type ii report includes three required sections: the auditor’s opinion, the service organization’s description of controls, and tests of operating system effectiveness and the results of those tests. The report may also include an additional section with other information provided by the service organization (provided for informational purposes but not subject to audit).

Section I: Service Auditor’s Opinion
The following is example SAS 70 Type II audit opinion text for a scenario in which the service organization achieves the specified control objectives. The opinion would be modified to suit the circumstances of the specific audit.

Section II: Description of Controls
The service organization’s description of controls typically includes narrative descriptions of the following components:
• Overview of operations
• Description of services provided by the service organization that are covered in the report
• Control objectives and supporting control activities
• Control environment, risk assessment processes, and monitoring processes
• Information systems and communication processes
• User control considerations (i.e., controls that users of the service organization should have in place to address their responsibilities with regard to controls over the service)

North American Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) Software Minimum Requirements:
- Coordinated management of compliance across all legal entities and functional roles.
- Relational database which serves as system of record for legal entities, functional roles and corresponding NERC and regional standards, requirements and measures, ISOtariffs, etc.
- Configurable tasks, roles and statuses.
- Automated task assignment and tracking based on regional and NERC audit schedules.