Agenda 12-04-23; 8-f - End Point Protection – Managed Detection Response CrowdStrike Contract Renewal
Entry Properties
Last modified: 11/30/2023 11:12:32 AM
Creation date: 11/30/2023 11:14:06 AM

Metadata Fields
Template: BOCC
Date: 12/4/2023
Meeting Type: Business
Document Type: Agenda
Agenda Item: 8-f
Document Relationships
Agenda for December 4, 2023 BOCC Meeting (Message). Path: \Board of County Commissioners\BOCC Agendas\2020's\2023\Agenda - 12-04-2023 Business Meeting
Minutes-12-04-2023-Business Meeting (Message). Path: \Board of County Commissioners\Minutes - Approved\2020's\2023
OTHER-2023-076 Crowdstrike Service Contract (Message). Path: \Board of County Commissioners\Various Documents\2020 - 2029\2023
RES-2023-074-Refund-Release Resolution-Approval (Message). Path: \Board of County Commissioners\Resolutions\2020-2029\2023
RES-2023-075-Refund-Release Resolution-Approval (Message). Path: \Board of County Commissioners\Resolutions\2020-2029\2023
RES-2023-076-Exemption-Exclusion Resolution (Message). Path: \Board of County Commissioners\Resolutions\2020-2029\2023
Appendix 1
Information Security Controls for CrowdStrike Systems

1. Governance
   a. Assign to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing CrowdStrike's administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Personal Data
   b. Use of data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions

2. Risk Assessment
   a. Conduct periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls
   b. Maintain risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur
   c. Document formal risk assessments
   d. Review formal risk assessments by appropriate managerial personnel

3. Information Security Policies
   a. Create information security policies, approved by management, published and communicated to all employees and relevant external parties.
   b. Review policies at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness.

4. Human Resources Security
   a. Maintain policies requiring reasonable background checks of any new employees who will have access to Personal Data or relevant CrowdStrike Systems, subject to local law
   b. Regularly and periodically train personnel on information security controls and policies that are relevant to their business responsibilities and based on their roles within the organization

5. Asset Management
   a. Maintain policies establishing data classification based on data criticality and sensitivity
   b. Maintain policies establishing data retention and secure destruction requirements
   c. Implement procedures to clearly identify assets and assign ownership

6. Access Controls
   a. Identify personnel or classes of personnel whose business functions and responsibilities require access to Personal Data, relevant CrowdStrike Systems and the organization's premises
   b. Maintain controls designed to limit access to Personal Data, relevant CrowdStrike Systems and the facilities hosting the CrowdStrike Systems to authorized personnel
   c. Review personnel access rights on a regular and periodic basis
   d. Maintain physical access controls to facilities containing CrowdStrike Systems, including by using access cards or fobs issued to CrowdStrike personnel as appropriate
   e. Maintain policies requiring termination of physical and electronic access to Personal Data and CrowdStrike Systems after termination of an employee
   f. Implement access controls designed to authenticate users and limit access to CrowdStrike Systems
   g. Implement policies restricting access to the data center facilities hosting CrowdStrike Systems to approved data center personnel and limited and approved CrowdStrike personnel
   h. Maintain dual layer access authentication processes for CrowdStrike employees with administrative access rights to CrowdStrike Systems

7. Cryptography
   a. Implement encryption key management procedures
   b. Encrypt sensitive data using a minimum of AES/128 bit ciphers in transit and at rest

8. Physical Security
   a. Require two-factor controls to access office premises
   b. Register and escort visitors on premises

9. Operations Security
   a. Perform periodic network and application vulnerability testing using dedicated qualified internal resources
   b. Contract with qualified independent third parties to perform periodic network and application penetration testing
   c. Implement procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests

CrowdStrike Form May 27 2019 16 of 17