FDCC Federal Desktop Core Configuration 2007 Security Requirements
The Federal Desktop Core Configuration (FDCC) is a security configuration that must be enabled on any desktop that connects to a federal network. FDCC began with a 2007 memorandum by the United States Office of Management and Budget (OMB). That memo discusses the need for a centralization of effort in defining a central configuration for all desktops contained within federal IT environments. Such a unified configuration would strengthen federal IT security by mandating a tested configuration across all federal IT organizations.
This configuration would additionally provide a standardized starting point for external vendors, easing the development of solutions that work across the whole of government IT. In conjunction with the FDCC, the OMB also began work on the Security Content Automation Protocol (SCAP), a cross-platform vulnerability management protocol that enables outside vendors to validate their products' functionality with FDCC desktops as well as other regulations required by government systems.
Cloud Computing IT Security Control Objectives
Download Free Cloud Computing IT Security Control Objectives

Asset management, access control
Data protection/segregation/encryption
To provide logical segregation of CSP customers’ data
To enable customer classification of sensitive data
To enable protection of data commensurate with risk and defined information classifications
Information systems acquisition, development, and maintenance
Encryption standards
To enable encryption of sensitive data using consistent mechanisms
To enable access to current and archived data regardless of which keys were used for encryption
Communications and operations management
WebTrust Audit Framework
WebTrust is an AICPA/CICA audit framework intended to focus on e-commerce services, often where there is a direct interaction with individual end users. WebTrust utilizes the same criteria as SysTrust (the Trust Services Security, Availability, Confidentiality and Processing Integrity principles and criteria). It can also include privacy criteria (based on the Generally Accepted Privacy Principles) where the service provider is interacting with and collecting personal information from individual end users in accordance with a Privacy Policy. WebTrust results in an audit report indicating whether the specific criteria were met.
WebTrust topics covered by generally accepted privacy principles:
- Management
- Notice
- Choice and consent
- Collection
IT Risk Analysis Templates free download
Download Free IT Risk Analysis Templates

Risk 1: Data corruption through loss or alteration of data without the application’s knowledge and consent
Source:
1. Faulty hardware (bit loss or incorrect ordering)
2. Software bugs (unexpected conditions reached and responded to incorrectly)
3. User or IT administrator error (accidental file deletion)
Risk 2: Downtime and/or data corruption through application errors
SAS 70 Service Auditor’s Opinion Templates free download
Download Free SAS 70 (Statement on Auditing Standards no 70) Service Auditor’s Opinion Templates

To XYZ Service Organization:
We have examined the accompanying description of controls related to the ABC application of XYZ Service Organization. Our examination included procedures to obtain reasonable assurance about whether
(1) The accompanying description presents fairly, in all material respects, the aspects of XYZ Service Organization’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements,
(2) The controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and
(3) Such controls had been placed in operation as of