
Sunday, September 2, 2007

PREPARING FOR AN INFORMATION SECURITY AUDIT

For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are:

• Insurance documents.

• Hardware register.

• Software register.

• User Profile.

• Network Profile.

• Issue form.

• General terms of use.

• Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited:

• The issuers of portable computers.

• A sample of the user population who use portable computers.

• Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is temptation to shortcut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit.


Source : http://www.17799central.com/news.htm


INTRODUCING AN EFFECTIVE EMAIL SECURITY POLICY

Email security breaches are becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have made sure that their virus protection is also updated on a daily basis.

Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with moribund viruses, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high-level best practice statements should be adhered to as a basic minimum:

• Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

• Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.

• Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

• Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.


Source : http://www.17799central.com/news.htm

IMPLEMENTING ISO 17799

It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now totally dependent upon their information and business systems, so much so that serious disruption to those systems and the business information they contain can mean disaster or critical loss.

ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues. Purchasing this standard is a good first step, but as the standard is by necessity a comprehensive and therefore a fairly complex document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.

The ISO17799 Toolkit was of course introduced to solve many of these issues in one step. As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network based systems, a business impact analysis questionnaire together with many other supportive items (e.g. a disaster recovery kit, a management presentation and an IS glossary). This toolkit represents extremely good value as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.

However, even armed with a support kit like this, it is important to understand that the key to the standard is PROCESS... the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO 17799). This is certainly a good stride forward, but is by no means the end of the journey.

When first considering the standard, therefore, it should be understood that the path forward will certainly include enhancement and improvement of security, but it will largely be driven via the creation and maintenance of information security management systems and supporting procedures.

Source : http://www.17799central.com/news.htm

The Risks to Data Security

There are many, diverse threats to data which a manager of the typical mid-size business must overcome. For his information systems, five key threats should be top of mind:

1. User error – A simple mistake on behalf of an employee could lead to the loss of megabytes of critical company data. From the deletion of a critical file to the accidental deletion of database records, your customers could face large expenses and significant down time recovering from the disaster created by a simple mistake.

2. Employee theft – Employees need access to sensitive data in order to perform their jobs. Your customers have to limit the information to which employees have access, ensure that terminated employees no longer have access to sensitive data, and be able to track who's touching what, when and how.

3. Privacy violation – How do your customers protect the personal information with which their customers entrust them? Security breaches can mean that personal data can fall into the hands of the wrong people. In order to maintain your customers' trust, you must ensure that their data is safe and sound. In addition, many governments are now legislating privacy, which can mean fines or imprisonment if sensitive customer data is not secured.

4. Disaster – What natural disasters or unfortunate accidents might affect business? Magazines daily contain news of organizations that have faced unbelievable catastrophes. In the event that your or your customers' organizations are hit with a fire, flood or other disaster, how will the data be protected?

5. External attack – While less common for small business than the Fortune 1000, preparedness against external attacks is crucial. These attacks may take many different forms, from viruses to intrusion by hackers. Proper security measures must be taken to prevent disruption from these adversaries.

These five key vulnerabilities can lead to critical data loss and may ultimately lead to business failure. Additional information can be found at the following links.
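Threat 2 above asks for two concrete controls: making sure terminated employees no longer have access, and being able to track who touched what, when and how. The following is an added example, not part of the original article, showing how a defender can reconcile an HR termination list against access log lines to flag post-termination activity and summarize each user's touched resources. The HR export, the log format (timestamp, user, action, resource) and all names and paths are constructed for illustration.

```python
"""Added example (not from the original article): reconcile a constructed HR
termination list against constructed access log lines to (a) flag accounts
that touched data after their termination date and (b) summarize who touched
what. Log format and sample data are hypothetical."""
from datetime import datetime

# Constructed sample HR export: username -> termination date (ISO format).
TERMINATED = {
    "jsmith": "2007-08-15",
    "mlee": "2007-08-31",
}

# Constructed sample access log: "<ISO timestamp> <user> <action> <resource>".
ACCESS_LOG = """\
2007-08-14T09:12:00 jsmith READ /finance/payroll.xls
2007-08-20T17:45:10 jsmith READ /finance/payroll.xls
2007-09-01T08:01:33 mlee COPY /sales/customer_list.csv
2007-09-01T08:05:00 agarcia READ /sales/customer_list.csv
"""


def parse_log(text):
    """Parse log lines into dicts with a real datetime; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split(maxsplit=3)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
        })
    return events


def find_post_termination_access(events, terminated):
    """Return (user, timestamp, action, resource) for every event by a
    terminated user that occurred strictly after the termination date.
    Any such event means de-provisioning failed and needs investigation."""
    findings = []
    for ev in events:
        term = terminated.get(ev["user"])
        if term is None:
            continue  # still employed (or unknown to HR); not in scope here
        if ev["time"].date() > datetime.fromisoformat(term).date():
            findings.append(
                (ev["user"], ev["time"].isoformat(), ev["action"], ev["resource"])
            )
    return findings


def access_summary(events):
    """Map each user to the set of resources they touched ("who touched what")."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["user"], set()).add(ev["resource"])
    return summary


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for finding in find_post_termination_access(evs, TERMINATED):
        print("POST-TERMINATION ACCESS:", finding)
    for user, resources in sorted(access_summary(evs).items()):
        print(user, "->", sorted(resources))
```

Running this on the constructed data flags jsmith's read on 2007-08-20 and mlee's copy on 2007-09-01, while agarcia's access is simply listed in the summary. In practice the HR export and the access log would come from the identity system and the file or database audit trail respectively; the comparison is on calendar dates, so same-day activity on the termination date is deliberately not flagged and should be reviewed under a separate rule if the organization revokes access earlier in the day.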

EMPLOYEES, NOT HACKERS, GREATEST COMPUTER THREAT

The greatest security threat to companies' computer systems comes from disgruntled employees stealing confidential information and trade secrets, according to a new study on cybersecurity. The survey, conducted by Michael G. Kessler & Associates Ltd., a New York security firm, found that 35 percent of the theft of proprietary information is perpetrated by discontented employees. Outside hackers steal secrets 28 percent of the time; other U.S. companies 18 percent; foreign corporations 11 percent and foreign governments, 8 percent. The remaining 10 percent, according to the study, are listed as miscellaneous crimes. The financial losses caused by these cyber break-ins totaled $42 million last year, which is up more than 100 percent from the 1997 figure of $20 million.

'No such thing as a hacker's holiday'

"Computer crime is much more complex than bugs and viruses," said President and CEO Michael G. Kessler. "Y2K enlightened business owners to pitfalls in their systems, but there must also be heightened awareness of the growing number and variety of computer security breaches that can weaken a company's balance sheet."

The survey was done over the past six months, and written questions were given to 300 of Kessler's clients and other companies. He said that disgruntled employees could be capable of taking business records, trade secrets and payroll information. "It doesn't take a new millennium for corporate computer piracy to occur," said Kessler. "There's no such thing as a hacker's holiday. Internet invasions increase with growing computer and Internet popularity. Codes can be cracked; systems will be sabotaged. Hacking is a reality, and CEOs who have turned a deaf ear to its existence will be shocked when it happens to their allegedly fail-safe network." Kessler cautioned that now that Y2K is over, corporations shouldn't be lulled into a false sense of security.

Hacker attacks not often reported

"Problems could just as easily occur on Jan. 30 as Jan. 1. Businesses should brace for outbreaks of sophisticated viruses and hackings from outside and in. Once a breach in computer security has occurred, our research historically reveals much more -- a 'subplot' that can alert corporations to the real root of some serious trouble," said Kessler. He said companies fail to report computer break-ins for fear of bad publicity, and that for every break-in reported, 400 do not. The Kessler study mirrors previous reports showing that computer security is one of the biggest challenges facing corporate America. Computer-crime rates and information-security breaches continue to increase, according to a joint study conducted last year by the Computer Science Institute and the FBI.

Losses greater than $100 million

The 1999 Computer Crime and Security Survey, based in San Francisco, polled 521 security professionals at U.S. corporations, government agencies and universities. The findings revealed that financial losses among 163 respondents totaled $124 million, which was the third straight year the survey had recorded losses greater than $100 million. "It is clear that computer crime and other information security breaches pose a growing threat to U.S. economic competitiveness and the rule of law in cyberspace," said Richard Power, editorial director of the institute. "It is also clear that the financial cost is tangible and alarming." System break-ins by outsiders were reported by 30 percent of respondents, and unauthorized access by insiders was reported by 55 percent.

Technology not enough

Even though security measures such as digital identification, encryption and intrusion-detection systems are being used more frequently, technology itself is not enough to stymie hackers. The study also found that, although 98 percent of respondents said they use anti-virus software, 90 percent reported incidents of virus contamination. Also, system penetration from outside grew for the third straight year despite 91 percent of respondents saying they used firewalls. "The lesson to be learned is simple: security technology does not equal a security program," said Power, suggesting that well-trained, motivated staff and smart procedures are just as important for security as technology.

Justice Department stepping in

The problem of proprietary information being breached on computer systems has prompted the Justice Department to devote an entire section to computer crimes, called the Computer Crime and Intellectual Property section. In addition, the Economic Espionage Act of 1996 is expected to be used to prosecute foreign sources of computer crime. Michael A. Vatis, director of the FBI's National Infrastructure Protection Center, agrees that a "disgruntled insider" is the principal source of computer crimes. "Insiders do not need a great deal of knowledge about computer intrusions, because their knowledge of victim systems often allows them to gain unrestricted access to cause damage to the system or to steal system data. The 1999 Computer Security Institute/FBI report notes that 55 percent of respondents reported malicious activity by insiders," Vatis told a congressional committee last year.

Coast Guard lost data

Recent cases of white-collar computer crimes: Shakuntla Devi Singla used her insider knowledge and another employee's password and log-on identification to delete data from a U.S. Coast Guard personnel database system. It took 115 agency employees over 1,800 hours to recover and re-enter the lost data. Singla was convicted and sentenced to five months in prison and five months' home detention and ordered to pay $35,000 in restitution. Software engineer William Gaed, working for a subcontractor to Intel Corp., was convicted of illegally downloading secret data on the computer giant's plans for a Pentium processor worth between $10 million and $20 million. Authorities said Gaed also videotaped information on his computer screen and planned to sell the tapes to a competitor. Gaed was sentenced to 33 months in prison. And, according to a General Accounting Office [GAO] report issued in October, the federal government has been lax in protecting computer networks used by government and businesses. "At the federal level, these risks are not being adequately addressed," the report said.

U.S. unprepared for information threat

The report showcased concerns of some experts about threats to private-sector systems that control energy, telecommunications, financial services, transportation and other critical services. "Few reports are publicly available about the effectiveness of controls over privately controlled systems," GAO said.

Currently, there is no strategy to improve government information security, the GAO report found. If the United States is faced with a threat, the response could be "unfocused, inefficient and ineffective," wrote Jeffrey Steinhoff, the acting assistant comptroller general.

Author : David Noack
Article Source : www.investigation.com