Review and Assessment of Information Security Policies


by Srijit Mukherjee - Date: 2007-02-21 - Word Count: 7342

This article is a joint effort of Srijit Mukherjee and Hemant Narain, who are the copyright holders of the work in the article.



INTRODUCTION


In the corporate world, we are used to the presence of Corporate Policy, Human Resources Policy, Financial Policy and so on. We assume that legal luminaries, HR wizards and finance and management gurus must have sculpted these policies to protect and increase the company's assets. Only a few people are aware that information is as valuable an asset as the financial assets of a company and needs suitable protection. However, in this era of the Internet, awareness is now spreading to the upper echelons and suddenly the IT professionals find that they are facing the challenge of defining an information security policy to protect information assets. The prime questions are: where do we begin? How do we write a security policy statement which is binding? How do we convince people to really accept the security policy and implement it in their routine work? Through the present research project an attempt has been made to lay down the foundation guidelines for this difficult task and the method to assess and review the implementation of an information security policy in an organisation. It is worth noting that the method and level of implementation of these guidelines will differ slightly from organisation to organisation depending upon each organisation's individual profile and structure.
The right place to start the formulation of the Information Security Policy is by meeting the top management of the company. They may have only a hazy idea about the threats inherent in the 'open' nature of the Internet / intranet, and they may not be aware of the magnitude of losses in case of a security breach of the company network. A considerable amount of time has to be spent in enlightening the top management about Information Security. Next, the following issues need attention:
(1) What are the information assets of the company or organisation in terms of hardware and software, including the network, as well as the future investment plan in Information Technology and Information Security?
(2) What is the company's or organisation's dependence on Information Technology in real, measurable terms: financial benefits, better return to clients, improved image and market share?
(3) How much will the company or organisation suffer due to any loss, leakage or distortion of information?
It must be remembered that writing an Information Security Policy is just the tip of the iceberg; the rest lies in the implementation process, where a great deal of effort, time and money has to be spent.
Once the abovementioned data is collected, writing the information security policy is the next task. At the very outset, a policy statement should be drafted stating the real and actual need for an information security policy in the company or organisation. This statement should demonstrate the strong belief that if information is not made secure, the company or organisation will suffer huge financial loss. The statement should carry the top management's commitment and strong support for all measures that will be implemented to achieve Information Security objectives. In fact, the statement should become 'orders from the superiors' in the long run. The security policy statement should be used as a public document to inform employees, customers and business associates, and should be treated on the same level as the corporate quality policy.
The next step is risk assessment: business risks, physical risks, environmental risks, technological risks, human risks, and the list continues. The risk assessment exercise should be taken very seriously, though realistically. There will be a tendency to cry wolf over every assumed risk. On the other hand, we may brush aside even major risks with the optimistic assumption that this cannot happen to us. A balanced approach is needed. Every risk which the company may have encountered in the past, or which companies in a similar business, in the same geographical area or using the same technology have encountered - in short, anything that can help identify the potential risks that could affect the information systems and thereby impact the company's business - must be recorded and documented. Wherever possible, the risk assessment should be quantitative, because figures speak for themselves. The actual loss the company may suffer through non-implementation of an Information Security Policy must be made predictable (especially in monetary terms). Of course, not everything can be quantified, but even the intangible, qualitative losses could be business-threatening and as such should be documented. If the risks are tabulated and the probability and consequence of each risk are identified, the product of the probability and consequence gives the priority level of the risk. So the end result of the risk assessment exercise will be a prioritised list of all the risks that must be faced boldly.
Security policy is not the final word. It is a master plan, which identifies a company or organization's security concerns and is the first step towards building a secure infrastructure. Security can never be achieved through a single tier of defense. There should be multiple layers to protect the assets. For each security risk tabulated, the preventive measures that could be used to reduce the risk must be identified, i.e. factors influencing risk mitigation. The measures for risk mitigations could be: administrative measures, physical measures or technical measures.
Administrative measures consist of policies, procedures, standards and guidelines, personnel screening and security awareness training. Physical measures could be perimeter control measures, physical access control, intruder detection, fire protection and environmental monitoring. Technical measures will include logical access control, network access controls, identification and authentication devices and data encryption.
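The tabulation described above, with each risk scored as probability times consequence and paired with its administrative, physical and technical measures, as an added example that is not part of the original article. The register entries, the 1-5 scales and the monetary figures are constructed for illustration.

```python
"""Risk register prioritised by probability x consequence.

Added example (not from the original article). The register entries, the
1..5 ordinal scales and the monetary figures below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# The three measure types the article names for risk mitigation.
MEASURE_TYPES = {"administrative", "physical", "technical"}


@dataclass
class Risk:
    asset: str
    threat: str
    probability: int                 # 1 (rare) .. 5 (almost certain)
    consequence: int                 # 1 (negligible) .. 5 (business-threatening)
    annual_likelihood: Optional[float] = None   # 0..1, only when the risk can be quantified
    monetary_loss: Optional[float] = None       # single-event loss, currency units
    mitigations: dict = field(default_factory=dict)  # measure type -> description

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("probability and consequence must be on the 1..5 scale")
        unknown = set(self.mitigations) - MEASURE_TYPES
        if unknown:
            raise ValueError(f"unknown measure type(s): {sorted(unknown)}")

    @property
    def priority(self) -> int:
        """Priority level = product of probability and consequence (1..25)."""
        return self.probability * self.consequence

    @property
    def expected_annual_loss(self) -> Optional[float]:
        """Quantitative figure where the data exists; None for qualitative-only risks."""
        if self.annual_likelihood is None or self.monetary_loss is None:
            return None
        return self.annual_likelihood * self.monetary_loss


def prioritise(register):
    """Highest priority first. Ties are broken by expected annual loss, then by
    consequence, so a rare but severe risk outranks a frequent trivial one."""
    return sorted(
        register,
        key=lambda r: (r.priority, r.expected_annual_loss or 0.0, r.consequence),
        reverse=True,
    )


def missing_layers(risk):
    """Defence in depth check: which of the three measure types has no entry."""
    return sorted(MEASURE_TYPES - set(risk.mitigations))


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("customer database", "disclosure through a web application flaw", 3, 5,
         annual_likelihood=0.2, monetary_loss=500_000,
         mitigations={"technical": "access control and patching",
                      "administrative": "secure development standard"}),
    Risk("file server", "hardware failure without tested backups", 4, 4,
         annual_likelihood=0.5, monetary_loss=80_000,
         mitigations={"technical": "nightly backups",
                      "physical": "UPS and environmental monitoring",
                      "administrative": "restore-test procedure"}),
    Risk("office paperwork", "sensitive printouts left on desks", 4, 2,
         mitigations={"administrative": "clear-desk rule and awareness training"}),
    Risk("server room", "fire", 1, 5,
         mitigations={"physical": "fire detection and extinguishers"}),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        eal = "n/a" if r.expected_annual_loss is None else f"{r.expected_annual_loss:,.0f}"
        print(f"{r.priority:>2}  {r.asset:<18} {r.threat:<45} EAL={eal:<9} "
              f"missing={missing_layers(r) or 'none'}")
```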

INFORMATION SECURITY POLICY STRUCTURE

Fundamentally, the objective of the policy is to convey the risk concerning information security and what preventive measures a company or organisation has adopted. The security policy has to be understood and followed by the employees. It should be brief, precise and unambiguous, but should strive to cover all aspects. A suggested outline of an information security policy document is as follows:
- Policy Statement: Outline the objective of the policy. Emphasize the actual risks that will be addressed by this policy. Make it as near to the company or organisation's business as possible so that the reader is convinced about the necessity of the policy.
- Policy Scope: Specify the areas of concern which the policy attempts to address. This will list the organisational units, individuals and technical systems covered by the policy.
- Validity: Define the life-span for the policy and when it will be reviewed next. The review must be done at least once a year to keep the policy current and up-to-date.
- Review-details: Record of previous reviews and the changes therein.
- Compliance requirements: Punitive actions that should be taken if the policy is not adhered to. This of course needs clearance from Human Resources, but its absence will make the policies 'best ignored practices' instead of 'best practices'.
- Specific issues that the policy is addressing: Give the background, describe the risks that have been identified, state the security expectations that the policy will fulfill.
- Best practices: Give a detailed list of recommended best practices.
- Mandatory practices: This is the minimum standard which has to be implemented.
- Procedure for implementation: A step-by-step procedure, which will be followed for implementation of the policy. There will be references to forms, templates, standards, guidelines etc. which could be given as annexure. Names and designations of the appointed persons who will enforce the policy must be clearly mentioned in the policy itself.
- Monitoring and reporting mechanism to ensure proper implementation.

Implementation of Information Security Policy
One or all of the following steps can be taken to successfully implement an information security policy in a company or an organisation:
- Conduct Security Awareness Seminars, workshops, quizzes.
- Have Security Week for the organization.
- Prepare Do's & Don'ts of Security Policy, distribute and display them.
- Create posters, stickers, t-shirts, mugs, mouse pads, all with security messages.
- Run slogan competitions.
- Give wide publicity to any security breaches in (other) companies.
- And of course, perform security audits.

A security policy may be defined as 'an agreed approach in theoretical form, which has been agreed to / ratified by, a governing body, and which defines direction and degrees of freedom for action.' In other words, a security policy is the stated views of the senior management (or Board of Directors) on a given subject.


Information Security Policy Objectives
Information Security Policy has the following objectives:
- To protect the organisation's business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability.
- To establish safeguards to protect the organisation's information resources from theft, abuse, misuse and any form of damage.
- To establish responsibility and accountability for Information Security in the organisation.
- To encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of Information Security incidents.
- To ensure that the organisation is able to continue its commercial activities in the event of significant Information Security incidents.
- To provide suitable coverage of International Standards ISO 17799 and BS 7799.

Scope of Information Security Policy
Information Security policy is intended to support the protection, control and management of the organisation's information assets. These policies are required to cover all information within the organisation which could include data and information that is:
- Stored on databases
- Stored on computers
- Transmitted across internal and public networks
- Printed or hand written on paper, white boards etc.
- Sent by facsimile (fax), telex or other communications method
- Stored on removable media such as CD-ROMs, Zip Disk, hard disks, tapes and other similar media
- Stored on fixed media such as hard disks and disk sub-systems
- Held on film or microfiche
- Presented on slides, overhead projectors, using visual and audio media
- Spoken during telephone calls and meetings or conveyed by any other method

Ingredients of Information Security Policy
Information Security policy statements need to cover the full range of risks associated with creating, amending or storing information. The following areas should be covered and they collectively include all key aspects of the Information Security Standards ISO 17799 and BS 7799.
- Securing Hardware, Peripherals and Other Equipment
- Controlling Access to Information and Systems
- Processing Information and Documents
- Purchasing and Maintaining Commercial Software
- Developing and Maintaining In-house Software
- Combating Cyber Crime
- Complying with Legal and Policy Requirements
- Planning for Business Continuity
- Addressing Personnel / HR Issues Relating to Information Security
- Controlling e-Commerce Information Security
- Delivering Training and Staff Awareness
- Dealing with Premises Related Considerations
- Detecting and Responding to Security Incidents
- Classifying Information and Data


INFORMATION SECURITY MANAGEMENT SYSTEM AND THE CONCEPT OF BEST PRACTICE

An Information Security Management System is a system of management concerned with information security. The expression arises primarily out of ISO / IEC 17799, a code of practice for information security management. The best known ISMS is the ISO 27001, which is complementary to ISO 17799. ISO 17799 is akin to BS 7799. ISM3 is another creditable ISMS developed from ITIL, ISO 9001 and ISO 27001. While ISO 27001 is controls based, ISM3 is process based. Other ISMS are ISF Standard of Good Practice, ITIL Security Management, COBIT etc.

ISO / IEC 17799
This information security standard was published in 2005 by the International Organisation for Standardisation and the International Electrotechnical Commission. ISO / IEC 17799 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard as:
"The preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required)."
The 2005 version of the standard contains the following eleven main sections:
1. Security Policy
2. Organisation of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since (a) each organization is expected to undertake a structured information security risk assessment process to determine its requirements before selecting controls that are appropriate to its particular circumstances; and (b) it is practically impossible to list all conceivable controls in a general purpose standard.
ISO 17799 is an internationally recognized Information Security Management Standard. ISO 17799 is high level, broad in scope, and conceptual in nature. This approach allows it to be applied across multiple types of enterprises and applications. It has also made the standard controversial among those who believe standards should be more precise. In spite of this controversy, ISO 17799 is the only "standard" devoted to Information Security Management in a field generally governed by "Guidelines" and "Best Practices."
ISO 17799 defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:
- Confidentiality - ensuring that information is accessible only to those authorized to have access.
- Integrity - safeguarding the accuracy and completeness of information and processing methods.
- Availability - ensuring that authorized users have access to information and associated assets when required.
ISO 17799 is a direct descendant of the British Standard Institute (BSI) Information Security Management standard BS 7799. The BS 7799 standard consists of Part 1: Code of Practice, and Part 2: Specification of Information Security Management Systems.
BS 7799 Part 1 (ISO 17799) versus BS 7799 Part 2
It is important to understand the distinctions between Part 1 and Part 2 of the BS 7799 standard in order to later understand the dilemma facing conformance assessment. Part 1 is an implementation guide, based on suggestions. It is used as a means to evaluate and build sound and comprehensive information security infrastructure. It details information security concepts an organization "should" do. BS 7799 Part 2 is an auditing guide based on requirements. To be certified as BS 7799 compliant, organizations are audited against Part 2. It details information security concepts an organization "shall" do. This rigidity precluded widespread acceptance and support.
ISO / IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) specifies a number of requirements for establishing, implementing, maintaining and improving an information security management system consistent with the best practices outlined in ISO / IEC 17799. This is a revision of BS 7799-2:2002: Information security management systems - Specification with guidance for use. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification / registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.
Standard of Best Practice
This is a detailed documentation of best practices for information security. It is published and revised every two years by the Information Security Forum (ISF), an international best practices organisation. The Standard is developed from research based on the actual practices of and incidents experienced by major organizations. Its relatively frequent update cycle also allows it to keep up with technological developments and emerging threats. The Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT. The Standard is categorised into five aspects as follows:
1. Aspect SM (Security Management): The Standard provides: "Keeping the business risks associated with information systems under control within an enterprise requires clear direction and commitment from the top, the allocation of adequate resources, effective arrangements for promoting good information security practice throughout the enterprise and the establishment of a secure environment."
2. Aspect SD (Systems Development): The Standard provides: "Building security into systems during their development is more cost-effective and secure than grafting it on afterwards. It requires a coherent approach to systems development as a whole, and sound disciplines to be observed throughout the development cycle. Ensuring that information security is addressed at each stage of the cycle is of key importance."
3. Aspect CD (Critical Business Applications): The Standard provides: "A critical business application requires a more stringent set of security controls than other applications. By understanding the business impact of a loss of confidentiality, integrity, or availability of information, it is possible to establish the level of criticality of an application. This provides a sound basis for identifying business risks and determining the level of protection required to keep risks within acceptable limits."
4. Aspect CI (Computer Installations): The Standard provides: "Computer installations typically support critical business applications and safeguarding them is, therefore, a key priority. Since the same information security principles apply to any computer installation-irrespective of where information is processed or on what scale or type of computer it takes place-a common standard of good practice for information security should be applied."
5. Aspect NW (Networks): The Standard provides: "Computer networks convey information and provide a channel of access to information systems. By their nature, they are highly vulnerable to disruption and abuse. Safeguarding business communications requires robust network design, well-defined network services, and sound disciplines to be observed in running networks and managing security. These factors apply equally to local and wide area networks, and to data and voice communications."
The Standard of Best Practice consists of 10 security controls, which are used as the basis for the security risk assessment. They are:
1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance

Security Policy
Security Policy control addresses management support, commitment, and direction in accomplishing information security goals.

Organizational Security
Organizational Security control addresses the need for a management framework that creates, sustains, and manages the security infrastructure.

Asset Classification and Control
Asset Classification and Control addresses the ability of the security infrastructure to protect organizational assets.

Personnel Security
Personnel Security control addresses an organization's ability to mitigate risk inherent in human interactions.

Physical and Environmental Security
Physical and Environmental Security control addresses risk inherent to organizational premises.

Communications and Operations Management
Communication and Operations Management control addresses an organization's ability to ensure correct and secure operation of its assets.

Access Control
Access Control addresses an organization's ability to control access to assets based on business and security requirements.

System Development and Maintenance
System Development and Maintenance control addresses an organization's ability to ensure that appropriate information system security controls are both incorporated and maintained.

Business Continuity Management
Business Continuity Management control addresses an organization's ability to counteract interruptions to normal operations.

Compliance
Compliance control addresses an organization's ability to remain in compliance with regulatory, statutory, contractual, and security requirements.

INFORMATION SECURITY RISK ASSESSMENT
The overriding goal of Information Security is to protect the confidentiality, integrity and availability of the business information - also known as Information Assets - used by the organisation in its day-to-day activities, the loss, corruption, deletion, disclosure or non-availability of which could result in measurable loss or embarrassment to the organisation. The Information Security Risk Assessment is one of the key steps in the creation of an Information Security programme. Without such an assessment, the organisation would be unaware of what it should protect, the level to which such protection should be implemented, and the costs - in terms of financial cost and operational constraints - which the organisation believes to be appropriate to reduce the risks to acceptable levels. The Information Security Risk Assessment will identify:
1. The nature and value of the Information Assets or Business Assets
2. The threats against those assets, both internal and external
3. The likelihood of those threats occurring
4. The impact upon the organisation.

PROCEDURAL ASPECTS OF RISK ASSESSMENT
Assembling the Risk Assessment Team:
The Risk Assessment process is an important part of determining Information Security associated risks. The process should be established as a formal project and persons identified to assist in the process. The management of the Risk Assessment process would normally be the responsibility of the Information Security Officer who could be appointed as the Risk Assessment Project Manager. This function could equally be carried out by another member of senior management who is sufficiently familiar with Information Security issues.
The Risk Assessment Team would consist of members of key departments within the organisation who are familiar with the value and nature of information within their own departments or divisions.
The Team will meet regularly during the project period and will provide input into the process in respect of their own knowledge and understanding of the organisation's information assets and processes.

Review Documentation, Charts etc.:
The following headings are to be used as a 'check list' to ensure that all the key documents are gathered for review. If some documents are not available, this should be highlighted and an enquiry made to the sponsoring executive / manager.
- Latest organisation chart
- List of current business and office software
- Network diagram(s), including key applications
- List of the organisation's products and services
- Business Strategy and Planning documents
- IT Strategy
- Information Security Policies and any associated Information Security Guidelines
- IT Security Policies and / or Standards
- Results of an Information Security audit - both within the business units and within IT
- Information Security incident response plans / procedures
- Access Control standards and procedures
- Systems Administration Procedures
- Business Continuity Plans and procedures
- IT and Applications architecture and diagrams

Site Survey:
Having gathered and reviewed the available documentation the site survey should be performed. This will enable the Information Security Risk Assessment team to validate and verify their understanding and also to enhance their documentation with additional detail.
The following headings are to be used as a 'check list' to ensure that all the key issues are discussed during the survey. Where issues are not addressed, or where your organisation maintains a different approach, they should be highlighted and an enquiry made to the sponsoring executive / manager.
- Evidence of an Induction Course for new entrants / new users.
- Evidence of physical access controls.
- Access Control Lists, naming those authorised to access secure areas.
- Rules which prohibit eating, drinking and smoking anywhere in close proximity to systems and peripherals.
- Evidence of clean and tidy working and storage areas.
- Evidence of regular password / key changes to electronic locks.
- Logs maintained showing access in and out of secure areas, the reason for entry and, for a third party, evidence of being accompanied by an appropriate member of staff.
- Physical access to the main computers should be controlled. Such computers should be housed within a secure room with access controlled by the manager for Systems Operations.
- Is equipment physically secured to prevent removal, e.g. workstations and laptops?
- Is an inventory maintained and updated regularly, with 'spot checks' to identify items that appear missing, lost or stolen?
- Is there any evidence of a log in which suspicious activities are recorded and maintained?
- Are the organisation's sensitive information and files maintained under physical as well as electronic security?
- Are fire extinguishers placed in accessible positions, both near and within areas housing systems and sensitive information? Such extinguishers should conform to local recommended fire prevention regulations.
- Are the temperature and humidity controlled within the Computer / Server room(s)?
- Ensure that an uninterruptible power supply (UPS) is present. The first power 'outage' will convince you that this is indispensable for an orderly shut-down to safeguard your data.
- Surge protectors should be properly grounded. Consult a qualified electrician if in any doubt.
- In the Computer / Server rooms anti-static carpeting is preferable to avoid static discharge near sensitive equipment. This is critical in extremely dry environments, where static discharge can damage circuits beyond repair.
- In case of an electric storm with lightning, is there a procedure for orderly shutdown and disconnection?
- Are backup tapes protected from any magnetic discharge from lightning by keeping them stored away from the metal frame of the building?


POTENTIAL THREATS TO ORGANISATIONAL ASSETS

Having identified the information assets which must be protected, it is important to identify the threats to these information assets. The threats can be classified into six categories as follows:
- Techno-Crime: These are premeditated and planned, often with advance probing for weaknesses. If the organisation is a 'high profile' one, connected to the Internet, and has something of value within its networks and systems, this threat is very real, both from external persons (unknown) and from disgruntled employees.
- Techno-Vandalism: This is opportunistic, random manipulation of data and / or systems. Again, the source may be external or internal.
- Negligence: Information Assets are placed at risk because the organisation's personnel fail to exercise appropriate care and safety. In any event, negligence is a genuine threat to organisations.
- Human Error: Accidents are a major source of information security incidents. Unlike negligence, human error is normally a signal for additional training and / or review of procedures.
- Systems Failure: The sudden failure of a system can have a disastrous impact, not only upon that specific system, but also upon systems which rely upon the failed system.
- Environmental: Natural disasters are a serious threat. The only way to prepare for this threat is to ensure that a Disaster Recovery Plan and a Business Continuity Plan are both in place and tested.

FRAMEWORK OF INFORMATION SECURITY ASSESSMENT
The Information Security Assessment Framework identifies five levels of IT security program effectiveness. The five levels measure specific management, operational and technical control objectives. Each of the five levels contains criteria to determine if the level is adequately implemented. For example, in Level 1 all written policy should contain the purpose and scope of the policy, who is responsible for implementing the policy, and the consequences and penalties for not following the policy. The policy for an individual control must be reviewed to ascertain that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not simply their existence, is key to achieving and maintaining adequate security.
The information asset owner, in partnership with those responsible for administering the information assets, which includes IT Systems, must determine whether the measurement criteria are being met at each level. Before making such a determination, the degree of sensitivity of information and systems must be determined by considering the requirements for confidentiality, integrity, and availability of both the information and systems -- the value of information and systems is one of the major factors in risk management.
The Framework describes an asset self-assessment and provides levels to guide and prioritize agency efforts as well as a basis to measure progress. In addition, a questionnaire has been developed that gives the implementation tools for the Framework. The questionnaire will contain specific control objectives that should be applied to secure a system.

Figure: Information Security Assessment Framework

LEVEL 1 DOCUMENTED POLICY
LEVEL 2 DOCUMENTED PROCEDURES
LEVEL 3 IMPLEMENTED PROCEDURES AND CONTROLS
LEVEL 4 TESTED AND REVIEWED PROCEDURES AND CONTROLS
LEVEL 5 FULLY INTEGRATED PROCEDURES AND CONTROLS


LEVEL - 1: DOCUMENTED POLICY
Level 1 of the Framework includes:
1. Formally documented and disseminated security policy covering agency headquarters and major components. The policy may be asset specific.
2. Policy that references most of the basic requirements and guidance issued.
An asset is at level 1 if there is a formal, up-to-date, documented policy that establishes a continuing cycle of assessing risk, implements effective security policies including training, and uses monitoring for program effectiveness. Such a policy may include major agency components or specific assets. A documented security policy is necessary to ensure adequate and cost effective organizational and system security controls. A sound policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress and compliance. The criteria listed below should be applied when assessing the policy developed for the controls.
Criteria
A) Purpose and scope. An up-to-date security policy is written that covers all major facilities and operations agency-wide or for the asset. The policy is approved by key affected parties and covers security planning, risk management, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The policy clearly identifies the purpose of the program and its scope within the organization.
B) Responsibilities. The security program comprises a security management structure with adequate authority and expertise. IT security manager(s) are appointed at an overall level and at appropriate subordinate levels. Security responsibilities and expected behaviors are clearly defined for asset owners and users, information resources management and data processing personnel, senior management, and security administrators.
C) Compliance. General compliance and specified penalties and disciplinary actions are also identified in the policy.



LEVEL - 2: DOCUMENTED PROCEDURES
Level 2 of the Framework includes:
1. Formal, complete, well-documented procedures for implementing the policies established at level 1.
2. The basic requirements and guidance issued.
An asset is at level 2 when formally documented procedures have been developed that focus on implementing specific security controls. Formal procedures promote the continuity of the security program and provide the foundation for a clear, accurate and complete understanding of how the program is implemented. An understanding of the risks and related results should guide the strength of each control and of the corresponding procedures. The procedures document how a control is implemented and the rigor with which it is applied. Level 2 requires procedures for a continuing cycle of assessing risk and vulnerabilities, implementing effective security policies, and monitoring the effectiveness of the security controls. Approved system security plans are in place for all assets. Well-documented and current security procedures are necessary to ensure that adequate and cost-effective security controls are implemented. The criteria listed below should be applied when assessing the quality of the procedures for controls.
Criteria
A) Control areas listed and organization's position stated. Up-to-date procedures are written that cover all major facilities and operations within the asset. The procedures are approved by key responsible parties and cover security policies, security plans, risk management, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The procedures clearly identify management's position and whether there are further guidelines or exceptions.
B) Applicability of procedures documented. Procedures clarify where, how, when, to whom, and about what a particular procedure applies.
C) Assignment of IT security responsibilities and expected behavior. Procedures clearly define security responsibilities and expected behaviors for (1) asset owners and users, (2) information resources management and data processing personnel, (3) management, and (4) security administrators.
D) Points of contact and supplementary information provided. Procedures contain appropriate individuals to be contacted for further information, guidance, and compliance.



LEVEL - 3: IMPLEMENTED PROCEDURES AND CONTROLS
Level 3 of the Framework includes:
1. Security procedures and controls that are implemented.
2. Procedures that are communicated and individuals who are required to follow them.
At level 3, the information security procedures and controls are implemented in a consistent manner and reinforced through training. Ad hoc approaches that tend to be applied on an individual or case-by-case basis are discouraged. Security controls for an asset could be implemented without documented procedures, but the addition of formally documented procedures at level 2 represents a significant step towards effectively implementing procedures and controls at level 3. While testing the ongoing effectiveness is not emphasized at level 3, some testing is needed when initially implementing controls to ensure they are operating as intended. The criteria listed below should be used to determine whether the specific controls are being implemented.
Criteria
A) Owners and users are made aware of security policies and procedures. Security policies and procedures are distributed to all affected personnel, including system / application rules and expected behaviors. Users are required to periodically acknowledge their awareness and acceptance of responsibility for security.
B) Policies and procedures are formally adopted and technical controls installed. Automated and other tools routinely monitor security. Established policy governs review of system logs, penetration testing, and internal / external audits.
C) Security is managed throughout the life cycle of the system. Security is considered in each of the life-cycle phases: initiation, development / acquisition, implementation, operation, and disposal.
D) Procedures established for authorizing processing (certification and accreditation). Management officials must formally authorize system operations and manage risk.
E) Documented security position descriptions. Skill needs and security responsibilities in job descriptions are accurately identified.
F) Employees trained on security procedures. An effective training and awareness program tailored for varying job functions is planned, implemented, maintained, and evaluated.



LEVEL - 4: TESTED AND REVIEWED PROCEDURES AND CONTROLS
Level 4 of the Framework includes:
1. Routinely evaluating the adequacy and effectiveness of security policies, procedures, and controls.
2. Ensuring that effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual security incidents or through security alerts issued by vendors, and other trusted sources.
Routine evaluations and response to identified vulnerabilities are important elements of risk management, which includes identifying, acknowledging, and responding, as appropriate, to changes in risk factors (e.g., computing environment, data sensitivity) and ensuring that security policies and procedures are appropriate and are operating as intended on an ongoing basis. Routine self-assessments are an important means of identifying inappropriate or ineffective security procedures and controls, reminding employees of their security related responsibilities, and demonstrating management's commitment to security. Self assessments can be performed by agency staff or by contractors or others engaged by agency management. Independent audits are an important check on agency performance, but should not be viewed as a substitute for evaluations initiated by agency management. To be effective, routine evaluations must include tests and examinations of key controls. Reviews of documentation, walk-throughs of agency facilities, and interviews with agency personnel, while providing useful information, are not sufficient to ensure that controls, especially computer-based controls, are operating effectively. Examples of tests that should be conducted are network scans to identify known vulnerabilities, analyses of router and switch settings and firewall rules, reviews of other system software settings, and tests to see if unauthorized system access is possible (penetration testing). Tests performed should consider the risks of authorized users exceeding authorization as well as unauthorized users (e.g., external parties, hackers) gaining access. Similar to levels 1 through 3, to be meaningful, evaluations must include security controls of interconnected assets, e.g., network supporting applications being tested. When assets are first implemented or are modified, they should be tested and certified to ensure that controls are initially operating as intended. 
Requirements for subsequent testing and recertification should be integrated into an agency's ongoing test and evaluation program. In addition to test results, agency evaluations should consider information gleaned from records of potential and actual security incidents and from security alerts, such as those issued by software vendors. Such information can identify specific vulnerabilities and provide insights into the latest threats and resulting risks. The criteria listed below should be applied to each control area to determine if the asset is being effectively evaluated.
Criteria
A) Effective program for evaluating adequacy and effectiveness of security policies, procedures, and controls. Evaluation requirements, including requirements regarding the type and frequency of testing, should be documented, approved, and effectively implemented. The frequency and rigor with which individual controls are tested should depend on the risks that will be posed if the controls are not operating effectively. At a minimum, controls should be evaluated whenever significant system changes are made or when other risk factors, such as the sensitivity of data processed, change. Even controls for inherently low-risk operations should be tested at a minimum of every 3 years.
B) Mechanisms for identifying vulnerabilities revealed by security incidents or security alerts. Agencies should routinely analyze security incident records, including any records of anomalous or suspicious activity that may reveal security vulnerabilities. In addition, they should review security alerts issued by vendors and others.
C) Process for reporting significant security weaknesses and ensuring effective remedial action. Such a process should provide for routine reports to senior management on weaknesses identified through testing or other means, development of action plans, allocation of needed resources, and follow-up reviews to ensure that remedial actions have been effective. Expedited processes should be implemented for especially significant weaknesses that may present undue risk if not addressed immediately.

LEVEL - 5: FULLY INTEGRATED PROCEDURES AND CONTROLS
Level 5 of the Framework includes:
1. A comprehensive security program that is an integral part of an agency's organizational culture.
2. Decision-making based on cost, risk, and mission impact.
The consideration of IT security is pervasive in the culture of a level 5 asset. A proven life cycle methodology is implemented and enforced and an ongoing program to identify and institutionalize best practices has been implemented. There is active support from senior management. Decisions and actions that are part of the IT life cycle include:
- Improving security program
- Improving security program procedures
- Improving or refining security controls
- Adding security controls
- Integrating security within existing and evolving IT architecture
- Improving mission processes and risk management activities
Each of these decisions results from a continuous improvement and refinement program instilled within the organization. At level 5, the understanding of mission-related risks and the associated costs of reducing those risks is considered against a full range of implementation options, so as to achieve maximum mission cost-effectiveness of security measures. Entities should apply the principle of selecting controls that offer the lowest-cost implementation while still providing adequate risk mitigation, rather than high-cost implementations that mitigate little risk. The criteria listed below should be used to assess whether a specific control has been fully implemented.
Criteria
A) There is an active enterprise-wide security program that achieves cost-effective security.
B) IT security is an integrated practice within the asset.
C) Security vulnerabilities are understood and managed.
D) Threats are continually re-evaluated, and controls adapted to changing security environment.
E) Additional or more cost-effective security alternatives are identified as the need arises.
F) Costs and benefits of security are measured as precisely as practicable.
G) Status metrics for the security program are established and met.



AUDIT OF IMPLEMENTATION OF INFORMATION SECURITY POLICY INITIATIVES

The risk an organisation carries with regard to the threats to its information is the result of a combination of factors; a change to any one of them alters the risk profile, just as the risk of a car accident changes depending on factors such as the area, the driver, the car, the weather, the traffic conditions and so on.
Information security is concerned with the active management of, on the one hand, the exposure to threats of (electronic) attack and, on the other hand, the threats of 'accidents' and opportunistic vandalism. Reviewing the information security structure of an organisation on a regular basis ensures that the safeguards employed continue to offer the appropriate level of protection.
As per the standard of best practice (ISO 17799 / BS 7799), there are 10 control areas for the information security review and risk assessment.

1. Security Policy control
2. Organizational Security control
3. Asset Classification and Control
4. Personnel Security control
5. Physical and Environmental Security control
6. Communication and Operations Management control
7. Access Control
8. System Development and Maintenance control
9. Business Continuity Management control
10. Compliance control

Security policy control:
Objective: develop and implement information security

Organizational Security audit:
Objective: Maintain appropriate protection of organizational assets.
Reason for review: It is necessary to ensure that the inventory of software licences and hardware appliances is kept up to date, so that the organisation always knows which assets it must secure.
Steps for audit:
1. Get the inventory list from the manager.
2. Randomly select a sample of devices (around 10% of the list).
3. Verify the currency of the list by physically sighting the selected devices.
Frequency: It must be conducted bi-annually.

Personnel security audit:
Objective:
- To reduce the risks of human error, theft, fraud or misuse of facilities.
- To ensure that users are aware of information security threats and concerns and are equipped to support the organisational security policy in the course of their normal work.
- To minimise the damage from security incidents and malfunctions, and to learn from such incidents.
Reason:
- Internet gateway operations involve sensitive information such as firewall rules and e-mails in transit; staff must therefore be properly screened and must sign a confidentiality agreement.
- Support personnel should be aware of the sensitivity of the information and of the steps to be taken when an incident occurs.
Steps:
- Get the list of support staff.
- Verify that screening results are filed for all relevant staff.
- Sight the executed "Confidentiality Agreement" between each staff member and ABC organisation.
- Sight each staff member's signed acknowledgment of having received the "security brief" and the annual refresher.
Frequency: It must be conducted annually.

Physical Security Audit
Objective:
- To prevent unauthorised physical access, damage and interference to business premises and information.
- To prevent loss, damage or compromise of assets and interruption to business activities.
Reason: The Internet gateway is housed in a secure room and the security-enforcing devices are installed in locked racks. It is important that the implemented physical security mechanisms are enforced at all times.
Steps for audit:
- Access the logs of the electronic access control system.
- Verify that the percentage of failed access attempts is not unusual.
- Audit that the physical visitor log book is up to date by checking random entries.
- Audit that the physical equipment rack access log is up to date by checking random entries.
Frequency: It must be conducted quarterly.

Operational procedures audit (change management plan, incident management plan)
Objective: To ensure the correct and secure operation of information processing facilities.
Reason: It is important for the Internet gateway to have documented operational procedures. It is even more important to make sure that those procedures are followed.
Steps:
- Acquire the change control records and verify that changes are recorded as per the plan.
- Acquire the incident response records and verify that they are filled in as per the plan.
Frequency: It must be conducted bi-annually.

Antivirus application log and signature file audit:
Objective: To protect the integrity of software and information from damage by malicious software.
Reason: The threat of malicious software is real and very relevant to gateway operations. Virus scanning solutions are implemented to detect malicious code. It is important to verify that, when malicious software is detected, the event does not go unnoticed.
Steps:
- Execute the command to check the virus signature version.
- Verify that the signature version is up to date.
- Access the virus scanner logs and verify that detected viruses are cleaned or quarantined appropriately and that alerts are sent to the monitoring staff.
Frequency: It must be conducted daily.

Backup and Restore Audit:
Objective: To maintain the integrity and availability of information processing and communication services.
Reason: The backup system is integral to the secure operation of the Internet gateway. It is important and necessary that the backup system operates regularly and that the backed-up media are usable.
Steps:
- Access the backup system logs and verify that backups take place regularly and successfully.
- Verify that backup tapes are labelled properly by random checking.
- Verify that tapes are usable by executing a restore.
Frequency: It must be conducted bi-annually.

User system access audit
Objective: To ensure that access rights to information systems are appropriately authorised, allocated and maintained.
Reason: It is important for the secure operation of the Internet gateway that access to every system is controlled. A formal authorisation process should be in place; all too often, the user accounts of former employees remain on the system.
Steps:
- Acquire the list of authorised users from the formal record of the authorisation process.
- Verify that the users present on the system, and their access levels, are as per the documentation.
- Repeat this test for all multi-user systems in the gateway environment.
Frequency: It must be conducted bi-annually.
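The reconciliation described in the steps above can be scripted so that the same check is repeated identically on every multi-user system. The following is an added example, not code from the original article; it assumes the formal authorisation record is exported as a CSV of username, access level and status, and that on the target system the effective access level can be derived from /etc/passwd and /etc/group membership (the group-to-level mapping and the sample data are constructed for illustration). It reports orphaned accounts (present on the system but not authorised, or belonging to someone who has left), accounts whose actual privilege differs from the authorised level, and authorised users with no account.

```python
"""Reconcile the formal authorisation record against the accounts actually present
on a multi-user system (added example; not from the original article)."""
import csv
import io

# Constructed sample authorisation record (hypothetical data).
AUTH_RECORD = """username,access_level,status
alice,admin,active
bob,operator,active
carol,operator,left
dave,readonly,active
"""

# Constructed sample /etc/passwd and /etc/group extracts (hypothetical data).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
erin:x:1004:1004::/home/erin:/bin/bash
"""
GROUP = """sudo:x:27:alice,bob
operators:x:500:bob
"""

# Assumed mapping from group membership to the access levels used in the record,
# and built-in accounts that are not people and are excluded from the check.
GROUP_TO_LEVEL = {"sudo": "admin", "operators": "operator"}
SYSTEM_ACCOUNTS = {"root"}
LEVEL_RANK = {"readonly": 0, "operator": 1, "admin": 2}


def parse_authorized(text):
    """Return {username: (access_level, status)} from the authorisation record."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["username"]: (row["access_level"], row["status"]) for row in reader}


def parse_system(passwd_text, group_text):
    """Return {username: effective_access_level} from passwd/group extracts.

    A user with no mapped group is treated as readonly; membership of several
    mapped groups yields the highest level among them."""
    users = {}
    for line in passwd_text.splitlines():
        if line.strip():
            name = line.split(":")[0]
            if name not in SYSTEM_ACCOUNTS:
                users[name] = "readonly"
    for line in group_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        level = GROUP_TO_LEVEL.get(fields[0])
        members = fields[3].split(",") if fields[3] else []
        if level is None:
            continue
        for member in members:
            if member in users and LEVEL_RANK[level] > LEVEL_RANK[users[member]]:
                users[member] = level
    return users


def reconcile(authorized, actual):
    """Compare authorised users with actual accounts and return the findings."""
    findings = {"orphaned": [], "privilege_mismatch": [], "missing": []}
    for name, level in sorted(actual.items()):
        record = authorized.get(name)
        if record is None or record[1] != "active":
            findings["orphaned"].append(name)           # no valid authorisation
        elif record[0] != level:
            findings["privilege_mismatch"].append((name, record[0], level))
    for name, (level, status) in sorted(authorized.items()):
        if status == "active" and name not in actual:
            findings["missing"].append(name)            # authorised but absent
    return findings


if __name__ == "__main__":
    report = reconcile(parse_authorized(AUTH_RECORD), parse_system(PASSWD, GROUP))
    for category, items in report.items():
        print(f"{category}: {items}")
```

In practice the passwd and group text would be read from the audited host and the CSV from the authorisation records; the orphaned list is the one that most often turns up former employees' accounts, and the mismatch list catches privilege that grew without a matching authorisation.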

Intrusion Detection System log Audit / Firewall log audit / system log audit
Objective: To detect unauthorised activities.
Reasons:
- The network IDS is the key monitoring tool implemented in the Internet gateway. It is important that its logs are analysed on a regular basis.
- The firewall is the main network traffic filtering device in the Internet gateway. It is important to check its logs regularly to find out about permitted and blocked traffic, so as to ensure that the gateway access policy is enforced.
Steps:
- Access the online IDS log.
- Check for interesting events (successful or unsuccessful intrusion attempts).
- Access the online firewall log.
- Check the blocked traffic and analyse the traffic pattern.
- Check the permitted traffic and randomly verify that it is as per the documented access policy.
- Access the logs on the central syslog server.
- Execute scripts from the log analysis tool to detect anomalies.
Frequency: It must be conducted daily.
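The two firewall checks in the steps above (analyse the blocked traffic pattern, and verify that permitted traffic matches the documented access policy) are exactly the sort of script a log analysis tool runs daily. The following is an added example, not code from the original article or any particular product; it assumes the firewall writes netfilter-style LOG lines to syslog with an administrator-chosen prefix of FW-ACCEPT or FW-DROP, and that the documented access policy can be expressed as a list of source network, destination network, protocol and destination port. The sample log lines, the policy and the addresses are constructed for illustration. It flags every accepted connection that no documented rule permits (rule drift), and summarises drops per source with the distinct ports each source probed.

```python
"""Check firewall log lines against the documented access policy and summarise
blocked traffic (added example; not from the original article)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in netfilter LOG format with an assumed
# --log-prefix of FW-ACCEPT / FW-DROP (hypothetical data).
SAMPLE_LOG = """\
Mar  1 10:02:11 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40211 DPT=443 SYN
Mar  1 10:02:13 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  1 10:02:14 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN
Mar  1 10:02:14 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=3389 SYN
Mar  1 10:02:20 gw kernel: FW-ACCEPT IN=eth2 OUT=eth1 SRC=10.0.5.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60001 DPT=22 SYN
Mar  1 10:02:31 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.11 LEN=48 PROTO=UDP SPT=5000 DPT=161
"""

# Constructed documented access policy (hypothetical): what the gateway is
# supposed to permit. Anything accepted that matches no rule is a finding.
POLICY = [
    {"src": "0.0.0.0/0", "dst": "192.0.2.0/24", "proto": "TCP", "dport": 443},
    {"src": "0.0.0.0/0", "dst": "192.0.2.0/24", "proto": "TCP", "dport": 80},
    {"src": "10.0.0.0/8", "dst": "192.0.2.0/24", "proto": "TCP", "dport": 22},
]

LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_event(line):
    """Return a dict for one log line, or None if it is not a TCP/UDP FW line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dpt"])}


def is_permitted(event, policy):
    """True if some documented rule covers this source/destination/proto/port."""
    src, dst = ip_address(event["src"]), ip_address(event["dst"])
    for rule in policy:
        if (src in ip_network(rule["src"], strict=False)
                and dst in ip_network(rule["dst"], strict=False)
                and event["proto"] == rule["proto"]
                and event["dport"] == rule["dport"]):
            return True
    return False


def audit(lines, policy):
    """Run the daily checks over log lines and return the findings."""
    unexpected = []                       # accepted but not in the documented policy
    drops = Counter()                     # blocked connections per source
    probed = defaultdict(set)             # distinct blocked ports per source
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                      # ICMP, malformed or unrelated line
        if ev["action"] == "ACCEPT" and not is_permitted(ev, policy):
            unexpected.append((ev["src"], ev["dst"], ev["proto"], ev["dport"]))
        elif ev["action"] == "DROP":
            drops[ev["src"]] += 1
            probed[ev["src"]].add(ev["dport"])
    return {
        "unexpected_accepts": unexpected,
        "blocked_by_source": drops,
        "blocked_ports_by_source": {s: sorted(p) for s, p in probed.items()},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines(), POLICY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample data the accepted SSH connection from 203.0.113.5 is reported, because the documented policy only permits SSH from 10.0.0.0/8; that is precisely the case where a firewall rule has drifted from the written access policy. The per-source drop summary is what the analyst reads for the traffic pattern: one source hitting several different blocked ports in a short window is a scan, and belongs in the IDS review as well.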


THE PDCA MODEL

The PDCA model depicts the Plan, Do, Check and Act stages of the implementation, development, maintenance and improvement life cycle of the Information Security Management System (ISMS) in an organisation.
Plan
- Establish the ISMS
- Define the Scope of the ISMS
- Define the ISMS Policy
- Define a Systematic Approach to Risk Assessment
- Identify Risks
- Assess the Risks
- Identify and Evaluate options for the treatment of the Risks
- Select Control Objectives and Controls for the treatment of the Risks
- Prepare a Statement of Applicability
Do
- Formulate a Risk Treatment Plan
- Implement the Risk Treatment Plan
- Implement Controls
- Implement Training and Awareness Programmes
- Manage Operations and Resources
- Implement Procedures and other Controls for Incident Handling
Check
- Monitor and Review the ISMS
- Undertake Regular reviews
- Conduct Internal ISMS Audits
- Record actions and events that could have an effect on the effectiveness or performance of the ISMS
Act
- Maintain and Improve the ISMS
- Implement the Identified Improvements
- Take Appropriate preventive and corrective actions
- Communicate the results and actions and agree with all interested parties
- Ensure that the improvements achieve their intended objectives



© The article above is copyrighted by its author. You are allowed to distribute this work according to the Creative Commons Attribution-NoDerivs license.