1. Risk Management — A broad-based framework for identifying assets and managing the risks to those assets.

2. Policy Management — The program should define and maintain the policies and procedural guidelines governing employee computer use.

3. Cyber-Intelligence — Experienced analysts should produce timely, tailored reporting on threats, vulnerabilities, incidents, and countermeasures so that an incident can be prevented before it occurs.

4. Access Controls/Authentication — Establish the legitimacy of a node or user before granting access to the requested information. Access controls are the first line of defense; the mechanisms can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI), and combining two of them (e.g. a password with a token) means a single stolen credential is no longer sufficient.

5. Firewalls — Deploy a system, or combination of systems, that enforces a boundary between two or more networks, permitting only the traffic that policy explicitly allows.

6. Active content filtering — At the browser or web-proxy level, filter active content (scripts, plug-ins, downloadable executables) and any material that is not appropriate for the workplace or that is contrary to established workplace policies.

7. Intrusion detection system (IDS) — A system dedicated to detecting break-ins or break-in attempts, either manually or through software (rule- or expert-system based) that operates on logs or on other information available from the network. Monitoring approaches vary widely depending on the types of attacks the system is expected to detect, where those attacks originate, the assets being protected, and the level of concern about each type of threat. Many IDS products are now deployed in-line and incorporate prevention mechanisms (an intrusion prevention system, IPS) that stop an attack before it reaches its intended destination; because an in-line device that blocks on a false positive also blocks legitimate traffic, prevention rules need tuning before they are enforced.

8. Virus scanners — Worms, Trojans, and viruses are vehicles for delivering an attack. Virus scanners hunt for malicious code but require frequent signature updates and monitoring. They have traditionally been host-based software products, but the industry has seen the appearance of network-based anti-virus appliances that stop malicious code before it reaches its intended destination; these are typically self-updating and require less administration. They complement rather than replace host-based scanning, since they cannot see malware that arrives on removable media or inside encrypted traffic they do not decrypt.

9. Encryption — Encryption algorithms protect information while it is in transit or at rest on a device exposed to theft (e.g. removable backup media or a notebook computer). The protection is only as strong as the handling of the keys: a key stored alongside the encrypted data protects nothing.

10. Vulnerability testing — Vulnerability testing entails discovering the vulnerabilities that exist on a computer system or network and, as a penetration test, using that knowledge to gain access to resources while bypassing normal authentication barriers, so that the weaknesses can be corrected before an attacker exploits them.

11. Systems administration — The program should include a catalogue of the administrative failures typically found in financial institutions and corporations, paired with a list of best practices.

12. Incident response plan (IRP) — The primary document a corporation uses to define how it will identify, respond to, correct, and recover from a computer security incident. The essential point is to have an IRP in place and to exercise it periodically.
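Item 7 describes an IDS that operates on logs. The following is an added example, not from the original page, of the simplest form of that: a detector run over constructed OpenSSH-style authentication log lines (the IP addresses are from documentation ranges) that raises an alert when one source accumulates five failed logins within 60 seconds, and a second alert when a login from that source then succeeds. The log lines, the thresholds and the year assumed for the syslog timestamps are all constructed for the demonstration.

```python
"""Added example for item 7: a log-based intrusion detector for SSH password guessing.
The log lines below are constructed for the demonstration and use documentation IP ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# OpenSSH auth log lines as written by syslog (note: no year in the timestamp).
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Mar 14 02:11:01 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:03 bastion sshd[2316]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 14 02:11:05 bastion sshd[2318]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 14 02:11:06 bastion sshd[2320]: Accepted password for deploy from 198.51.100.5 port 40112 ssh2
Mar 14 02:11:08 bastion sshd[2322]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar 14 02:11:10 bastion sshd[2324]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar 14 02:11:12 bastion sshd[2326]: Failed password for root from 203.0.113.7 port 51071 ssh2
Mar 14 02:11:15 bastion sshd[2328]: Accepted password for root from 203.0.113.7 port 51080 ssh2
Mar 14 02:20:00 bastion CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

Event = Tuple[datetime, bool, str, str]   # (time, success?, user, source IP)
Alert = Tuple[str, str, str]               # (kind, source IP, detail)


def parse(line: str, year: int = 2024) -> Optional[Event]:
    """Parse one auth log line; return None for lines the detector does not understand."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    # Syslog omits the year; the caller supplies it (assumed 2024 for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def detect(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Alert]:
    """Sliding-window detector: alert once when `threshold` failures arrive from one source
    within `window_s` seconds, and again on any success from a source whose failures are
    still inside the window (a guessed credential)."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_flagged: Set[str] = set()
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, success, user, src = event
        window = recent[src]
        # Drop failures that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if not success:
            window.append(ts)
            if len(window) >= threshold and src not in already_flagged:
                alerts.append(("BRUTE_FORCE", src,
                               f"{len(window)} failed logins within {window_s}s"))
                already_flagged.add(src)
        elif window:
            alerts.append(("SUCCESS_AFTER_FAILURES", src,
                           f"login as {user} after {len(window)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:<24} {src:<15} {detail}")
```

Threshold rules like this are easy to evade by spreading attempts across many sources or slowing them below the rate the window catches, which is why the success-after-failures rule is the more valuable of the two: it fires on the outcome rather than the volume. An in-line deployment of the same logic (item 7's IPS variant) would block the source instead of only alerting, with the false-positive cost noted above.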