Monday, July 30, 2007

Security Policies

The following represents a template for a set of policies aligned with the standard. Note that these are headings, to assist with policy creation, rather than policy statements. However, similar policy sets are in use in a substantial number of organizations.

ONE INFORMATION SECURITY ORGANIZATION

Information Security Policy

Information Security policy
Senior Management Support
Information Security Policy Review
Inter-departmental collaboration

Information Security Organization

Independent Review of Information Security Policy
Sharing Information with other Organizations

TWO CLASSIFYING INFORMATION AND DATA


Setting Classification Standards

Defining Information
Classifying Information
Accepting Ownership for Classified Information
Labeling Classified Information
Storing and Handling Classified Information
Isolating Top Secret Information
Managing Network Security

THREE CONTROLLING ACCESS TO INFORMATION AND SYSTEMS


Controlling Access to Information and Systems

Managing Access Control Standards
Managing User Access
Securing Unattended Workstations
Management Duties
Third Party Service Management
Managing Network Access Controls
Controlling Access to Operating System Software
Managing Passwords
Securing Against Unauthorized Physical Access
Access Control Framework
Access Policy
Restricting Access
Monitoring System Access and Use
Giving Access to Files and Documents
Managing Higher Risk System Access
Controlling Remote User Access
Types of Access Granted to Third Parties
Why access is granted to third parties
Controlled pathway
Node authentication
Diagnostic and Configuration Port Controls
Granting Access to Customers
Acceptable Usage of Information Assets
Monitoring Third Party Services
Third Party Service Changes

FOUR PROCESSING INFORMATION AND DOCUMENTS


Networks

Configuring Networks
Managing the Network
Network Segregation
Controlling Shared Networks
Routing Controls
Network Security
Accessing your Network Remotely
Defending your Network Information from Malicious Attack
Time-out Facility
Exploitation of Covert Channels
Authentication of Network Connecting Equipment

System Operations and Administration

Appointing System Administrators
Administrating Systems
Controlling Data Distribution
System Utilities
System Use Procedures
Internal Processing Controls
Permitting Third Party Access
Managing Electronic Keys
Managing System Operations and System Administration
Managing System Documentation
Synchronizing System Clocks
Monitoring Error Logs
Scheduling Systems Operations
Scheduling Changes to Routine Systems Operations
Monitoring Operational Audit Logs
Responding to System Faults
Managing or Using Transaction / Processing Reports
Commissioning Facilities Management - FM
Third Party Service Delivery
Log-on Procedures
Corruption of Data
Corrupt Data Controls
Controlling On-Line Transactions

E-mail and the Worldwide Web

Downloading Files and Information from the Internet
Electronic Business Communications
Policy on Electronic Business Communications
Using and Receiving Digital Signatures
Sending Electronic Mail (E-mail)
Receiving Electronic Mail (E-mail)
Retaining or Deleting Electronic Mail
Developing a Web Site
Receiving Misdirected Information by E-mail
Forwarding E-mail
Using Internet for Work Purposes
Giving Information when Ordering Goods on Internet
Setting up Intranet Access
Setting up Extranet Access
Setting up Internet Access
‘Out of the Box’ Web Browser Issues
Using Internet ‘Search Engines’
Maintaining your Web Site
Filtering Inappropriate Material from the Internet
Certainty of File Origin
Cryptographic Keys
Key Management Procedures
Controlling Mobile Code

Telephones & Fax

Making Conference Calls
Recording of Telephone Conversations
Receiving Misdirected Information by Fax
Giving Information when Ordering Goods on Telephone
Persons Giving Instructions over the Telephone
Using Video Conferencing Facilities
Persons Requesting Information over the Telephone
Receiving Unsolicited Faxes

Data Management

Transferring and Exchanging Data
Permitting Emergency Data Amendment
Receiving Information on Disks
Setting up a New Folder / Directory
Amending Directory Structures
Sharing Data on Project Management Systems
Archiving Documents
Information Retention Policy
Setting up New Spreadsheets
Setting up New Databases
Linking Information between Documents and Files
Updating Draft Reports
Deleting Draft Reports
Using Version Control Systems
Updating Customer Information
Using Meaningful File Names
Managing Data Storage
Managing Databases
Using Headers and Footers
Using and Deleting ‘Temp’ Files
Using Customer and Other Third Party Data Files
Saving Data / Information by Individual Users

Backup, Recovery and Archiving

Restarting or Recovering your System
Archiving Information
Backing up Data on Portable Computers
Managing Backup and Recovery Procedures
Archiving Electronic Files
Recovery and Restoring of Data Files

Document Handling

Managing Hard Copy Printouts
The Countersigning of Documents
Checking Document Correctness
Approving Documents
Verifying Signatures
Receiving Unsolicited Mail
Style and Presentation of Reports
Photocopying Confidential Information
Filing of Documents and Information
Transporting Sensitive Documents
Shredding of Unwanted Hardcopy
Using Good Document Management Practice

Securing Data

Using Encryption Techniques
Sending Information to Third Parties
Maintaining Customer Information Confidentiality
Handling of Customer Credit Card Details
Fire Risks to Your Information
Sending Out Reports
Sharing Information
Dealing with Sensitive Financial Information
Deleting Data Created / Owned by Others
Protecting Documents with Passwords
Printing of Classified Documents

Other Information Handling and Processing

Using Dual Input Controls
Loading Personal Screen Savers
Speaking to the Media
Speaking to Customers
Need for Dual Control / Segregation of Duties
Using Clear Desk Policy
Misaddressing Communications to Third Parties
Using External Disposal Firms
Using Photocopier for Personal Use
Verifying Correctness of Information
Traveling on Business
Checking Customer Credit Limits

FIVE PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE


Purchasing and Installing Software

Specifying User Requirements for Software
Implementing New / Upgraded Software
Selecting Business Software Packages
Selecting Office Software Packages
Using Licensed Software
Technical Vulnerability Management

Software Maintenance & Upgrade

Applying ‘Patches’ to Software
Responding to Vendor Recommended Upgrades to Software
Interfacing Applications Software / Systems
Supporting Application Software
Operating System Software Upgrades
Upgrading Software
Support for Operating Systems
Recording and Reporting Software Faults

Other Software Issues

Disposing of Software

SIX SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT


Purchasing and Installing Hardware

Specifying Information Security Requirements for New Hardware
Specifying Detailed Functional Needs for New Hardware
Installing New Hardware
Testing Systems and Equipment

Cabling, UPS, Printers and Modems

Supplying Continuous Power to Critical Equipment
Using Centralized, Networked or Stand-Alone Printers
Managing and Maintaining Backup Power Generators
Using Fax Machines / Fax Modems
Using Modems / ISDN / DSL connections
Installing and Maintaining Network Cabling

Consumables

Controlling IT Consumables
Using Removable Storage Media including Diskettes and CDs

Working Off Premises or Using Outsourced Processing

Contracting or Using Outsourced Processing
Using Mobile Phones
Using Business Centre Facilities
Issuing Laptop / Portable Computers to Personnel
Using Laptop/Portable Computers
Working from Home or Other Off-Site Location (Tele-working)
Moving Hardware from One Location to Another
Day to Day Use of Laptop / Portable Computers

Using Secure Storage

Using Lockable Storage Cupboards
Using Lockable Filing Cabinets
Using Fire Protected Storage Cabinets
Using a Safe

Documenting Hardware

Managing and Using Hardware Documentation
Maintaining a Hardware Inventory or Register

Other Hardware Issues

Disposing of Obsolete Equipment
Recording and Reporting Hardware Faults
Clear Screen Policy
Logon and Logoff from your Computer
Dealing with Answering Machines / Voice Mail
Taking Equipment off the Premises
Maintaining Hardware (On-site or Off-site Support)
Using Speed Dialing Telephone Options
Cleaning of Keyboards and Screens
Damage to Equipment
Insuring Hardware
Insuring Laptops / Portables for use Domestically or Abroad

SEVEN COMBATING CYBER CRIME


Combating Cyber Crime

Defending Against Premeditated Cyber Crime Attacks
Minimizing the Impact of Cyber Attacks
Collecting Evidence for Cyber Crime Prosecution
Defending Against Premeditated Internal Attacks
Defending Against Opportunistic Cyber Crime Attacks
Safeguarding Against Malicious Denial of Service Attack
Defending Against Hackers, Stealth-and Techno-Vandalism
Handling Hoax Virus Warnings
Defending Against Virus Attacks
Responding to Virus Incidents
Collecting Evidence for Cyber Crime Prosecution
Installing Virus Scanning Software

EIGHT CONTROLLING E-COMMERCE INFORMATION SECURITY


E-Commerce Issues

Structuring E-Commerce Systems including Web Sites
Securing E-Commerce Networks
Configuring E-Commerce Web Sites
Using External Service Providers for E-Commerce

NINE DEVELOPING AND MAINTAINING IN-HOUSE SOFTWARE


Controlling Software Code

Managing Operational Program Libraries
Controlling Software Code during Software Development
Controlling Program Listings
Controlling Program Source Libraries
Controlling Old Versions of Programs
Managing Program Source Libraries

Software Development

Software Development
Establishing ownership for System Enhancements
Justifying New System Development
Managing Change Control Procedures
Making Emergency Amendments to Software
Separating Systems Development and Operations

Testing & Training

Controlling Test Environments
Using Live Data for Testing
Testing Software before Transferring to a Live Environment
Capacity Planning and Testing of New Systems
Parallel Running
Training in New Systems

Documentation

Documenting New and Enhanced Systems

Other Software Development

Acquiring Vendor Developed Software

TEN DEALING WITH PREMISES RELATED CONSIDERATIONS


Premises Security

Preparing Premises to Site Computers
Securing Physical Protection of Computer Premises
Challenging Strangers on the Premises
High Security Locations
Delivery and loading areas
Duress Alarm
Ensuring Suitable Environmental Conditions
Physical Access Control to Secure Areas
Environmental and other external threats

Data Stores

Managing On-Site Data Stores
Managing Remote Data Stores

Other Premises Issues

Electronic Eavesdropping
Cabling Security
Disaster Recovery Plan

ELEVEN ADDRESSING PERSONNEL ISSUES RELATING TO SECURITY


Contractual Documentation

Preparing Terms and Conditions of Employment
Using Non Disclosure Agreements (Staff and Third Party)
Misuse of Organization Stationery
Lending Keys to Secure Areas to Others
Lending Money to Work Colleagues
Complying with Information Security Policy
Establishing Ownership of Intellectual Property Rights
Employing / Contracting New Staff
Contracting with External Suppliers / other Service Providers
Employees' Responsibility to Protect Confidentiality of Data

Confidential Personnel Data

Respecting Privacy in the Workplace
Handling Confidential Employee Information
Giving References on Staff
Checking Staff Security Clearance
Sharing Employee Information with Other Employees
Sharing Personal Salary Information

Personnel Information Security Responsibilities

Using the Internet in an Acceptable Way
Keeping Passwords / PIN Numbers Confidential
Sharing Organization Information with Other Employees
Signing for the Delivery of Goods
Signing for Work done by Third Parties
Ordering Goods and Services
Verifying Financial Claims and Invoices
Approving and Authorization of Expenditure
Responding to Telephone Enquiries
Sharing Confidential Information with Family Members
Gossiping and Disclosing Information
Spreading Information through the Office ‘Grape Vine’
Using E-Mail and Postal Mail Facilities for Personal Reasons
Using Telephone Systems for Personal Reasons
Using the Organization’s Mobile Phones for Personal Use
Using Organization Credit Cards
Playing Games on Office Computers
Using Office Computers for Personal Use

HR Management

Dealing with Disaffected Staff
Taking Official Notes of Employee Meetings

Staff Leaving Employment

Handling Staff Resignations
Completing Procedures for Terminating Staff or Contractors
Obligations of Staff Transferring to Competitors

HR Issues Other

Recommending Professional Advisors

TWELVE DELIVERING TRAINING AND STAFF AWARENESS


Awareness

Delivering Awareness Programmes to Permanent Staff
Drafting Top Management Security Communications to Staff
Third Party Contractor : Awareness Programmes
Delivering Awareness Programmes to Temporary Staff
Providing Regular Information Updates to Staff

Training

Information Security Training on New Systems
Information Security Officer : Training
User : Information Security Training
Technical Staff : Information Security Training
Training New Recruits in Information Security

THIRTEEN COMPLYING WITH LEGAL AND POLICY REQUIREMENTS


Complying with Legal Obligations

Being Aware of Legal Obligations
Complying with Copyright and Software Licensing Legislation
Complying with the Data Protection Act or Equivalent
Complying with General Copyright Legislation
Complying with Database Copyright Legislation
Legal Safeguards against Computer Misuse

Complying with Policies

Managing Media Storage and Record Retention
Complying with Information Security Policy

Avoiding Litigation

Safeguarding against Libel and Slander
Using Copyrighted Information from the Internet
Sending Copyrighted Information Electronically
Using Text directly from Reports, Books or Documents
Infringement of Copyright

Other Legal Issues

Recording Evidence of Incidents (Information Security)
Reviewing System Compliance Levels
Renewing Domain Name Licenses – Web Sites
Insuring Risks
Recording Telephone Conversations
Admissibility of Evidence
Adequacy of Evidence
Collection of Evidence

FOURTEEN DETECTING AND RESPONDING TO IS INCIDENTS


Reporting Information Security Incidents

Reporting Information Security Incidents
Reporting IS Incidents to Outside Authorities
Reporting Information Security Breaches
Software Errors and Weaknesses
Notifying Information Security Weaknesses
Witnessing an Information Security Breach
Being Alert for Fraudulent Activities
When and How to Notify Authorities

Investigating Information Security Incidents

Investigating the Cause and Impact of IS Incidents
Collecting Evidence of an Information Security Breach
Recording Information Security Breaches
Responding to Information Security Incidents

Corrective Activity

Establishing Remedies to Information Security Breaches

Other Information Security Incident Issues

Ensuring the Integrity of IS Incident Investigations
Analyzing IS Incidents Resulting from System Failures
Monitoring Confidentiality of Information Security Incidents
Breaching Confidentiality
Establishing Dual Control / Segregation of Duties
Using Information Security Incident Check Lists
Detecting Electronic Eavesdropping and Espionage Activities
Risks in System Usage
Reviewing System Usage

FIFTEEN PLANNING FOR BUSINESS CONTINUITY


Business Continuity Management

Initiating the Business Continuity Project
Assessing the Business Continuity Security Risk
Developing the Business Continuity Plan
Testing the Business Continuity Plan
Training and Staff Awareness on Business Continuity
Maintaining and Updating the Business Continuity Plan
Realistic Testing Environment for Business Continuity Plans
Impact of the Pace of change on the Business Continuity Plan


From : www.27001-online.com

ISO 27001 CERTIFICATION EXPLAINED

Contrary to common belief, certification is applicable against ISO 27001, rather than ISO 17799. The certification itself is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.

Common reasons to seek certification include: organisational assurance; trading partner assurance; competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.

To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of duties here: the assessor must be independent of consultancy and training.

A Certification Body must have been accredited by the National Accreditation Body for the territory in question (e.g. UKAS in the UK). This helps ensure that Certification Bodies meet national and international standards for their services, and ensures consistency. In respect of ISO 27001, these standards are typically set out in a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).

The following diagram may clarify this process:



Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:

1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional)
4 - The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)
6 - Ongoing Audits


From : www.27001-online.com

Risk Assessment

The risk assessment is a very significant and time-consuming element of the ISMS implementation programme. A slight error in the risk assessment strategy may delay a critical implementation programme by many months. The structure provided in ISO 27001 is rather prescriptive, and if a certification/registration assessment is to be conducted against this standard, it is crucial that the process of risk assessment can be evidenced as closely following these requirements. The steps are outlined as follows:

1) Identify the information assets and information handling assets within the scope of the ISMS and identify the asset owner of each of these assets. A good way of identifying the assets is to map the business processes which fall within scope and list the assets required for the input, execution and output of these processes.

2) Identify the impacts of loss of confidentiality, availability or integrity of these assets. This impact could be financial, loss of reputation or loss of material ability to perform some aspect of business operations.

3) Identify the threats to those assets which could lead to the loss in confidentiality, availability or integrity of the asset.

4) For each of the identified threats, identify the vulnerabilities which can be exploited by the threat. It is very important that everyone involved in the risk assessment (which may well be all asset owners) is very clear of the definition of a threat (e.g. malicious code) as opposed to the vulnerability (e.g. lack of regularly updated virus protection software).

5) Assess the levels of business impact which could potentially arise from the loss of confidentiality, availability or integrity of the assets as defined in point 2 above.

6) Assess the likelihood of occurrence of the threat, and the level of vulnerability. This will yield the likelihood of a particular threat exploiting a particular vulnerability and impacting the confidentiality, availability or integrity of a particular asset, known as the Risk of Exposure.

7) Estimate the level of risk based on the level of business impact and the risk of exposure.

8) Identify those risks which fall outside the criteria stipulated by management as input into the risk treatment plan.

Risk Treatment Plan

The risk treatment plan is the immediate output of the Risk Assessment. It defines how, based on the criteria established by senior management, each risk is to be handled. The options are to:

1) Knowingly accept the risk as it falls within the organisation's "risk appetite", in other words management deem the risk acceptable, compared to the cost of improving controls to mitigate it;

2) Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level. Controls may be selected from the best practices defined in ISO 17799 and/or from other sources;

3) Avoid the risk, i.e. do not undertake the associated business activity;

4) Transfer the risk to another organisation (e.g. through insurance or by contractual arrangements with a business partner).
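To show how the eight assessment steps and the four treatment options above feed one another, here is an added Python example (it is not from the page or from 27001-online.com). The 1-5 ordinal scales, multiplying likelihood by vulnerability level for the risk of exposure and impact by exposure for the risk level, the acceptance threshold of 30 and the sample assets are all assumptions made for illustration.

```python
"""Worked ISO 27001-style risk assessment feeding a risk treatment plan.

Added example: scales, scoring formulas, threshold and sample data are assumptions
constructed for illustration; the standard prescribes the process, not the numbers.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5                  # assumed ordinal scale for every rating
CIA = ("C", "I", "A")                        # confidentiality, integrity, availability
TREATMENT_OPTIONS = ("accept", "mitigate", "avoid", "transfer")   # the four options


def check_scale(value, label):
    """Reject ratings outside the assumed 1-5 scale (a common spreadsheet error)."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


@dataclass
class Asset:
    name: str
    owner: str            # step 1: asset owner identified by management
    impact: dict          # step 2: impact of losing C, I and A, rated 1-5 each

    def __post_init__(self):
        for prop in CIA:
            check_scale(self.impact[prop], f"{self.name} impact[{prop}]")


@dataclass
class Scenario:
    threat: str           # step 3, e.g. "malicious code"
    vulnerability: str    # step 4, e.g. "virus signatures not updated"
    likelihood: int       # step 6: likelihood of the threat occurring (1-5)
    vuln_level: int       # step 6: level of the vulnerability (1-5)
    affects: tuple        # which of C, I, A the scenario would compromise

    def __post_init__(self):
        check_scale(self.likelihood, f"{self.threat} likelihood")
        check_scale(self.vuln_level, f"{self.threat} vulnerability level")
        if not self.affects or any(p not in CIA for p in self.affects):
            raise ValueError(f"{self.threat}: affects must name C, I and/or A")


@dataclass
class Risk:
    asset: Asset
    scenario: Scenario
    impact: int           # step 5
    exposure: int         # step 6: risk of exposure
    level: int            # step 7
    outside_criteria: bool  # step 8: True means the risk goes to the treatment plan


def risk_of_exposure(s):
    """Step 6: likelihood of this threat exploiting this vulnerability (assumed product)."""
    return s.likelihood * s.vuln_level


def business_impact(asset, s):
    """Step 5: worst-case impact over the properties the scenario compromises."""
    return max(asset.impact[p] for p in s.affects)


def assess(assets, scenarios, acceptance_threshold):
    """Steps 5-8: score each asset/scenario pair and flag those above management's threshold."""
    register = []
    for asset in assets:
        for s in scenarios.get(asset.name, ()):
            impact, exposure = business_impact(asset, s), risk_of_exposure(s)
            level = impact * exposure                                # step 7 (assumed product)
            register.append(Risk(asset, s, impact, exposure, level, level > acceptance_threshold))
    return register


def treatment_plan(register, decisions):
    """Map every risk outside the criteria to one of the four options.

    `decisions` holds management's choice keyed by (asset, threat); a flagged risk with
    no recorded decision defaults to "mitigate" so that nothing is silently accepted.
    """
    plan = {}
    for r in register:
        if not r.outside_criteria:
            continue
        key = (r.asset.name, r.scenario.threat)
        option = decisions.get(key, "mitigate")
        if option not in TREATMENT_OPTIONS:
            raise ValueError(f"{key}: unknown treatment option {option!r}")
        plan[key] = option
    return plan


def example():
    """Constructed sample register: two assets, three threat/vulnerability pairs."""
    assets = [
        Asset("Customer database", "Head of Sales", {"C": 5, "I": 4, "A": 3}),
        Asset("Public web site", "Marketing Manager", {"C": 1, "I": 3, "A": 4}),
    ]
    scenarios = {
        "Customer database": [Scenario("malicious code", "virus signatures not updated", 4, 3, CIA)],
        "Public web site": [Scenario("power failure", "no UPS on web server", 2, 2, ("A",)),
                            Scenario("web defacement", "unpatched web application", 3, 4, ("I",))],
    }
    register = assess(assets, scenarios, acceptance_threshold=30)     # assumed management criterion
    decisions = {("Customer database", "malicious code"): "mitigate",  # e.g. daily signature updates
                 ("Public web site", "web defacement"): "transfer"}    # e.g. hosting contract terms
    return register, treatment_plan(register, decisions)
```

Running `example()` yields risk levels of 60, 16 and 36; the two risks above the threshold of 30 appear in the plan with management's recorded option, while the power-failure risk is accepted.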

Asset Owner

The asset owner is the person or group of people who have been identified by management as having responsibility for the maintenance of the confidentiality, availability and integrity of that asset. The asset owner may change during the lifecycle of the asset.

The owner does not normally or necessarily personally own the asset. In most cases the employing organisation, its customers or suppliers will be the entity with property rights to the asset.

ISO 17799 and information security awareness


by Gary Hinson.

Security awareness is very much an integral part of an ISO 17799-compliant information security management system. A recurring theme throughout the standard is that people in an organization must be made aware of the security policies, procedures and control requirements that they are expected to uphold.

ISO 17799:2005 section 8.2.2 (Information security awareness, education and training) is the most directly relevant section, recommending that “All employees of the organization and, where relevant, contractors and third parties should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function”. It goes on to recommend “a formal induction process” and “ongoing training”. It suggests the need to educate employees on known threats and who to contact in the event of a security incident.

As with many other important topics, ISO 17799’s coverage of security awareness is not limited to this one section but is distributed throughout the text:
- Information security awareness, training and education is one of seven common practice controls listed in section 0.6 (Information security starting point);
- In section 0.7 (Critical success factors), “Effective marketing of information security to all managers, employees, and other parties to achieve awareness” and “providing appropriate awareness, training, and education” are two of the ten critical success factors;
- Section 5.1.1 (Information security policy document) acknowledges that raising security awareness and informing employees about management requirements is an important function of policies;
- Section 6.1.1 (Management commitment to information security) tells management to “initiate plans and programs to maintain information security awareness”;
- Section 6.1.2 (Information security co-ordination) says one of the duties of the information security management/co-ordination function is to “effectively promote information security education, training and awareness throughout the organization”;
- Section 6.2.1 (Identification of risks related to external parties) notes “It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and information processing facilities”;
- Section 6.2.3 (Addressing security in third party agreements) recommends “ensuring user awareness for information security responsibilities and issues”. It further recommends “user and administrator training in methods, procedures, and security”;
- The control objective stated in section 8.2 ([Human resources security] during employment) is “To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error”. It continues “An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.”
- Section 8.2.1 (Management responsibilities) advises management to ensure that employees, contractors and third party users “achieve a level of awareness on security relevant to their roles and responsibilities within the organization” [because] “If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause less information security incidents”;
- Section 9.2.7 (Removal of property) says “Individuals should be made aware if spot checks are carried out”;
- Section 10.4 (Protection against malicious and mobile code) says very directly that “Users should be made aware of the dangers of malicious code. Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented”;
- Section 10.8.1 (Information exchange policies and procedures) warns “Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities”;
- Section 11.3 (User responsibilities) states that “The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment”;
- Section 11.3.2 (Unattended user equipment) recommends “All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection”;
- Section 11.7.1 (Mobile computing and communications) says “Training should be arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that should be implemented”;
- Section 12.6.1 (Control of technical vulnerabilities) states “if no patch is available, other controls should be considered, such as ... raising awareness of the vulnerability”;
- The control objective in section 13.1 (Reporting information security events and weaknesses) mentions that “All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets”;
- Section 13.1.1 (Reporting information security events) continues “All employees, contractors and third party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact”. It also notes that “information security incidents can be used in user awareness training”;
- “Appropriate education of staff in the agreed procedures and processes, including crisis management” is one of the purposes of continuity plans listed in section 14.1.3 (Developing and implementing continuity plans including information security);
- Section 14.1.4 (Business continuity planning framework) advises that a BCP framework should include, amongst other things, “awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective”;
- Section 15.1.2 (Intellectual property rights) includes the guideline “maintaining awareness of policies to protect intellectual property rights”;
- Section 15.1.4 (Data protection and privacy of personal information) notes “Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations”;
- Section 15.1.5 (Prevention of misuse of information processing facilities) advises that “All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use”.

Conclusions

However you look at it, information security awareness is an essential component of an ISO 17799-compliant information security management system.

SIMPLE PASSWORD RULES

Choosing a secure password is an important element of effective information security within an organization, but good password management is of equal importance. This is another straightforward issue that is too often overlooked.

The following guidelines will enable you to protect your own passwords and maintain their confidentiality.

  • Never give your password to anyone, even if that person claims to have authorization. (In the latter case, report such requests to your Information Security Officer immediately.)
  • If you believe your password may have been compromised, change it immediately.
  • Never write down your password.
  • When receiving technical assistance, do not divulge or expose your password to the IT specialist, but stay with your computer and enter the password yourself when required. (If this is not possible, your Systems Administrator should have permission to log on your behalf.)
  • Never store it in a computer file.
  • Change your password regularly. (Your system should prompt a change on, say, a monthly basis.)

Obvious? Maybe, but it is surprising how many security breaches stem from employees and others NOT following these simple steps.

WHEN A VIRUS ATTACKS

Despite employing regularly updated anti-virus software and maintaining a constant awareness of the risks of virus infection, some viruses nevertheless can still enter and infect an organization's computer system. For example, a high profile case was reported earlier this year where a senior businessman was sent a price list infected with a virus by another company known to him, albeit a competitor.... he should of course have known better. But what steps can be taken to help mitigate this sort of situation?

Dealing with a virus in a professional and planned way reduces both its impact and its spread throughout the organization and beyond. A failure to respond appropriately to a virus incident can rapidly result in multiple system failures and continued infection.

We offer the following best practice guidelines on how to respond to virus incidents:

  • If possible, appoint a Virus Control Officer who would be the first point of contact for all virus alerts and who co-ordinates follow-up actions.
  • Consider regularly reviewing software and files used for critical business processes to identify and investigate unauthorized and/or suspicious changes.
  • Ensure that your organization has a Virus Incident Response Plan, drawn up jointly by the Information Security Officer, Virus Control Officer and System Administrator. Where no agreed response plan is in place, the reaction of users, IT and management is likely to be ad hoc and inadequate, possibly turning a containable incident into a significant problem.
  • When a virus is detected:
    1. Immediately locate and scan the relevant file(s) with your anti-virus software to determine if the virus has been immunized.
    2. Communicate a virus alert to warn staff of the incident and the appropriate response.
    3. Establish whether the virus might have infected others and, if so, respond accordingly; if necessary, close down workstations and possibly parts of the network.
    4. Following the virus attack, review the measures taken to minimize damage and prevent a recurrence, and question whether procedures and safeguards remain adequate. Consider updating your anti-virus file definitions on a more frequent, possibly daily, basis.
  • Ensure that your server anti-virus software is configured to proactively scan all incoming and outgoing files. (Also investigate the source of any virus detected on OUTBOUND e-mail, as this may indicate a failure to scan files on a workstation or the use of unscanned floppy disks or CD-ROMs.)
  • Update your anti-virus file definition files on a regular basis.
  • Promote awareness among users of the risks associated with e-mail, and train them to be aware of this type of cyber crime and their responsibilities for its prevention.

ISO 27001 PDCA Approach

ISO 27001 (formerly BS7799) describes an approach known as PDCA:

'Plan Do Check Act' is a broad stage-by-stage approach which covers a range of standards.

The Six Stage Process

ISO 27001 (formerly BS7799) describes a six-stage process:

1) Define an information security policy

2) Define scope of the information security management system

3) Perform a security risk assessment

4) Manage the identified risk

5) Select controls to be implemented and applied

6) Prepare an SoA (a "statement of applicability").