IT Examiner School, Providence, RI

IT General Controls (Continued)

Information Security Training and Awareness

- Employees and agents should receive IT and information security awareness training on a periodic basis.
- Customer awareness training may help reduce the risk of customers falling victim to criminal activities and may ultimately reduce monetary losses.

Social Engineering Test

- Usually performed by external service providers, often in conjunction with a penetration test or other engagement.
- Tests employees' ability to follow information security policies and procedures and to not fall victim to phishing or other attempts to get them to divulge information via email, phone, or the Internet.

Encryption

- Laptops should be encrypted, especially if the company allows employees remote access.
- Employees should have the ability to encrypt email messages that include sensitive information.

IT General Controls (Continued)

Security Information Event Management (SIEM)

- Products/services that give management the capability to monitor various servers, hardware appliances, and applications using a combination of real-time monitoring and notification (security event management) and log retention/data correlation (security information management).

- Provides various data security and data monitoring capabilities, including:
  - Log aggregation
  - External threat data
  - Security alerts
  - Forensic evidence retention
  - Flexible pattern and trend analysis dashboard reports
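The two halves of a SIEM described above, aggregation/retention of logs and real-time correlation that raises an alert, can be illustrated in miniature. The following is an added example, not material from the examiner school slides or from any SIEM product; the log lines are constructed, and the log format, the five-failures-in-one-minute threshold, and the function names are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page), syslog-like layout.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 auth sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:03 auth sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:04 auth sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:06 auth sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:07 auth sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:09 auth sshd: Accepted password for admin from 203.0.113.5
2024-03-01T09:15:00 auth sshd: Failed password for jsmith from 198.51.100.7
2024-03-01T09:20:00 auth sshd: Accepted password for jsmith from 198.51.100.7
"""

# Assumed log format; a real SIEM would ship a parser per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(raw):
    """Log aggregation: normalise raw lines into structured events that
    can be retained and queried (the security information management half)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Pattern analysis: raise an alert when one (user, source) pair has at
    least `threshold` failed logins inside `window` and then logs in
    successfully (the security event management half)."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        elif len(failures[key]) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(failures[key]), "success_at": ev["ts"]})
            failures[key].clear()
    return alerts

if __name__ == "__main__":
    for a in correlate_brute_force(parse_events(SAMPLE_LOGS)):
        print(f"ALERT: {a['failures']} failures then success for {a['user']} from {a['src']}")
```

With the constructed input, only the admin account from 203.0.113.5 trips the rule; jsmith's single failure followed by a success stays below the threshold and is retained as an event without an alert.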
