

Thursday, September 6, 2007

White Paper on Information Security Auditing / Implementation Procedures

Today, information is the lifeblood of most organizations. With the increase in global Internet access, the possibility of security risks has increased significantly. With the advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and consumer information has become the primary focus of many regulatory commissions like the FTC, FDIC/OCC, SEC, NCUA, and HIPAA. Information security is an ever-evolving challenge, requiring proper attention and due diligence to maintain. Within this white paper, we will discuss Information Technology (IT) auditing techniques and secure network implementation methodologies.

View This White Paper : Information_Security_Auditing_White_Paper_v3


1. The Auditing Process
  • Black Hat Method
  • White Hat Method

2. Post Audit
  • Costs Associated with Security

3. Designing a Security Policy

4. Designing a Secure Architecture

5. Remediations & Migrations

6. Final Audit

7. Staying Secure

8. Credentials

Information Security Plan (Example)

.010 Introduction

This Information Security Plan ("Plan") describes Kansas State University's safeguards to protect covered data and information. Covered data and information for the purpose of this policy includes student financial information (defined below) required to be protected under the Gramm-Leach-Bliley Act (GLB). In addition to this coverage which is required under federal law, KSU chooses as a matter of policy to also include in this definition any credit card information received in the course of business by the University, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student financial information is that information that KSU has obtained from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;

  • Protect against anticipated threats or hazards to the security or integrity of such information; and

  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

  • Identify and assess the risks that may threaten covered data and information maintained by KSU;

  • Develop written policies and procedures to manage and control these risks;

  • Implement and review the plan; and

  • Adjust the plan to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.

.020 Identification and Assessment of Risk to Customer Information

KSU recognizes that it has both internal and external risks. These risks include, but are not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information

  • Compromised system security as a result of system access by an unauthorized person

  • Interception of data during transmission

  • Loss of data integrity

  • Physical loss of data in a disaster

  • Errors introduced into the system

  • Corruption of data or systems

  • Unauthorized access of covered data and information by employees

  • Unauthorized requests for covered data and information

  • Unauthorized access through hardcopy files or reports

  • Unauthorized transfer of covered data and information through third parties

KSU recognizes that this may not be a complete list of the risks associated with the protection of covered data and information. Since technology growth is not static, new risks are created regularly. Accordingly, the Security Incident Response Team will actively participate in and monitor advisory groups for identification of new risks.

KSU believes current information technology safeguards are reasonable and, in light of current risk assessments, are sufficient to provide security and confidentiality to covered data and information described above maintained by the central University units. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

.030 Information Security Plan Coordinator

The Chair of the Security Incident Response Team (SIRT) has been appointed as the coordinator of this Plan. The Chair is responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to KSU. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that KSU departments comply with the requirements of this policy.

.040 Design and Implementation of Safeguards Program

Employee Management and Training

References of new employees working in areas that regularly work with covered data and information (Cashier's Office, Registrar, and Student Financial Assistance) are checked. During employee orientation, each new employee in these departments will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Each new employee is also trained in the proper use of computer information and passwords.

Training also includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including "pretext calling" and how to properly dispose of documents that contain covered data and information. "Pretext calling" occurs when an individual improperly obtains personal information of university customers so as to be able to commit identity theft. It is accomplished by contacting the University, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit, convincing an employee of the University to release customer identifying information.

Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. Further, each department responsible for maintaining covered data and information should ensure, on an annual basis, the coordination and review of additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information security.

Physical Security

KSU has addressed the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information. For example, personal customer information, accounts, balances and transactional information are available only to KSU employees with an appropriate business need for such information.

Loan files, account information and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information are shredded at time of disposal.

Information Systems

Access to covered data and information via KSU's computer information system is limited to those employees who have a business reason to know such information. Each employee selects an eID and password. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to KSU employees in appropriate departments and positions.

Systems requiring passwords will specify that they must be changed twice annually, on the first of September and February. Passwords must conform to the requirements specified in the CNS Policy on User ID & Passwords. Systems that allow remote log-ins over the campus network must have passwords on all accounts. Checking passwords for conformance is the responsibility of the IT Security Coordinator.

KSU will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. The Vice Provost for Academic Services and Technology (VPAST) requires that all servers be registered before being allowed through KSU's firewall, thereby allowing SIRT to verify that the system meets necessary security requirements as defined by information technology policies. These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion. User and system passwords are also required to comply with the KSU IT Policy.

In addition, an intrusion detection system has been implemented to detect and stop certain external threats, along with incident response procedures defined by SIRT for occasions where intrusions do occur.

When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind KSU's firewall. All firewall software and hardware maintained by Computing and Network Services will be kept current. The University has a number of policies and procedures in place to provide security to KSU's information systems. These policies are available in the University's Policy and Procedures Manual at

The University presently maintains a secure firewall for protecting the social security numbers of its students and employees. The University expects by the end of 2007 to have in place information systems for student records and employee records which will identify its students and employees without use of social security numbers.

Management of System Failures

The Security Incident Response Team is developing written plans and procedures to detect any actual or attempted attacks on KSU systems and has defined procedures for responding to an actual or attempted unauthorized access to covered data and information.

.050 Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that KSU determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard confidential financial information. Contracts with service providers may include the following provisions:

  • An explicit acknowledgment that the contract allows the contract partner access to confidential information;

  • A specific definition or description of the confidential information being provided;

  • A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;

  • An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information;

  • A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;

  • An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles KSU to terminate the contract without penalty; and

  • A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.

.060 Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within the SIRT, where constantly changing technology and evolving risks mandate increased vigilance. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Plan Coordinator who will assign specific responsibility for implementation and administration as appropriate. The Coordinator, in consultation with the University Attorney's Office and VPAST, will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.

.070 Questions

Questions regarding this policy should be sent to the Director of Academic Services at


Information Security Policy - The University of Illinois (Example)


Storage of university data on computers and transfer across the network eases use and expands our functionality. Commensurate with that expansion is the need for the appropriate security measures. Security is not distinct from the functionality.

The Information Security Policy (Policy) recognizes that not all communities within the University are the same and that data are used differently by various units within the University. The principles of academic freedom and free exchange of ideas apply to this policy, and this policy is not intended to limit or restrict those principles. These policies apply to all units within the University. Each unit within the University should apply this policy to meet its information security needs.

The Policy is written to incorporate current technological advances. The technology installed at some units may limit immediate compliance with the Policy. Instances of non-compliance must be reviewed and approved by the chief information officer or the equivalent officer(s).

Throughout the document the terms must and should are used carefully. "Musts" are not negotiable; "shoulds" are goals for the university. The terms data and information are used interchangeably in the document. The terms system and network administrator are used in this document. These terms are generic and pertain to any person who performs those duties, not just those with that title or primary job duty. Many students, faculty and staff members are the system administrators for their own machines.


By information security we mean protection of the University's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.

The purpose of the information security policy is:
  • To establish a University-wide approach to information security.
  • To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
  • To define mechanisms that protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to worldwide networks.
  • To prescribe an effective mechanism for responding to external complaints and queries about real or perceived non-compliance with this policy.


The chair of the University Technology Management Team (UTMT) is responsible for implementing the policy. UTMT, chaired by the Vice President for Administration, is a coordinating group comprised of chief information officers from the three campuses, the university administration, and the hospital. UTMT must see to it that:
  • The information security policy is updated on a regular basis and published as appropriate.
  • Appropriate training is provided to data owners, data custodians, network and system administrators, and users.
  • Each unit appoints a person to be responsible for security implementation, incident response, periodic user access reviews, and education of information security policies including, for example, information about virus infection risks.
Members of UTMT are each responsible for establishing procedures to implement these policies within their areas of responsibility, and for monitoring compliance.


Required Policies
  • The University will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the University's data, network and system resources.
  • Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. These reviews must include monitoring access logs and results of intrusion detection software, where it has been installed.
Recommended Practices
  • Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. At a minimum, testing should be performed annually, but the sensitivity of the information secured may require that these tests be done more often.
  • Education should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual, network administrator, system administrator, data custodian, and users.
  • Violation of the Information Security Policy may result in disciplinary actions as authorized by the University in accordance with University and campus disciplinary policies, procedures, and codes of conduct.


It is essential that all University data be protected. There are, however, gradations that require different levels of security. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. We have specified three classes below:

High Risk - Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by federal and state legislation, such as FERPA, HIPAA or the Data Protection Act, are in this class. Payroll, personnel, and financial information are also in this class because of privacy requirements. This policy recognizes that other data may need to be treated as high risk because it would cause severe damage to the University if disclosed or modified. The data owner should make this determination. It is the data owner's responsibility to implement the necessary security requirements.

Confidential - Data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner's responsibility to implement the necessary security requirements.

Public - Information that may be freely disseminated.

All information resources should be categorized and protected according to the requirements set for each classification. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University.
  • Data owners must determine the data classification and must ensure that the data custodian is protecting the data in a manner appropriate to its classification.
  • No University-owned system or network subnet can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.
  • Data custodians are responsible for creating data repositories and data transfer procedures which protect data in the manner appropriate to its classification.
  • High risk data must be encrypted during transmission over insecure channels.
  • Confidential data should be encrypted during transmission over insecure channels.
  • All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process.
  • Backups of data must be handled with the same security precautions as the data itself. When systems are disposed of, or repurposed, data must be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.


  • Data must have sufficient granularity to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized.
  • Where possible and financially feasible, more than one person must have full rights to any university-owned server storing or transmitting high risk data. The campuses and University Administration (UA) must have a standard policy that applies to user access rights. This will suffice for most instances. Data owners or custodians may enact more restrictive policies for end-user access to their data.
  • Access to the network and servers and systems should be achieved by individual and unique logins, and should require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
  • As stated in the current campus policies on appropriate and acceptable use, users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. When limited access to university-related documents or files is required specifically and solely for the proper operation of University units and where available technical alternatives are not feasible, exceptions are allowed under an articulated unit policy that is available to all affected unit personnel. Each such policy must be reviewed by the unit executive officer and submitted to the CIO for approval. All users must secure their username or account, password, and system access from unauthorized use.
  • All users of systems that contain high risk or confidential data must have a strong password, the definition of which will be established and documented by UTMT after consultation with the community. Empowered accounts, such as administrator, root or supervisor accounts, must be changed frequently, consistent with guidelines established by UTMT.
  • Passwords must not be placed in emails unless they have been encrypted.
  • Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
  • Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
  • Users are responsible for safe handling and storage of all University authentication devices. Authentication tokens (such as a SecurID card) should not be stored with a computer that will be used to access the University's network or system resources. If an authentication device is lost or stolen, the loss must be immediately reported to the appropriate individual in the issuing unit so that the device can be disabled.
  • Terminated employee access must be reviewed and adjusted as found necessary. Terminated employees should have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the unit security person.
  • Transferred employee access must be reviewed and adjusted as found necessary.
  • Monitoring must be implemented on all systems including recording logon attempts and failures, successful logons and date and time of logon and logoff.
  • Activities performed as administrator or superuser must be logged where it is feasible to do so.
  • Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks. There should be a documented procedure for reviewing system logs.


  • The willful introduction of computer viruses or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.
  • All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
  • All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
  • Headers of all incoming data including electronic mail must be scanned for viruses by the email server where such products exist and are financially feasible to implement. Outgoing electronic mail should be scanned where such capabilities exist.
  • Where feasible, system or network administrators should inform users when a virus has been detected.
  • Virus scanning logs must be maintained whenever email is centrally scanned for viruses.


  • Intrusion detection must be implemented on all servers and workstations containing data classified as high risk.
  • Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must be enabled.
  • Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.
  • Intrusion detection tools should be installed where appropriate and checked on a regular basis.


  • All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high risk.
  • All connections to the Internet should go through a properly secured connection point to ensure the network is protected when the data is classified confidential.


  • All systems connected to the Internet should have a vendor supported version of the operating system installed.
  • All systems connected to the Internet must be current with security patches.
  • System integrity checks of host and server systems housing high risk University data should be performed.


Each Campus and UA must have a policy on appropriate and acceptable use that includes these requirements:
  • University computer resources must be used in a manner that complies with University policies and State and Federal laws and regulations. It is against University policy to install or run software requiring a license on any University computer without a valid license.
  • Use of the University's computing and networking infrastructure by University employees unrelated to their University positions must be limited in both time and resources and must not interfere in any way with University functions or the employee's duties. It is the responsibility of employees to consult their supervisors, if they have any questions in this respect.
  • Uses that interfere with the proper functioning or the ability of others to make use of the University's networks, computer systems, applications and data resources are not permitted.
  • Use of University computer resources for personal profit is not permitted except as addressed under other University policies.
  • Decryption of passwords is not permitted, except by authorized staff performing security reviews or investigations. Use of network sniffers shall be restricted to system administrators who must use such tools to solve network problems. Auditors or security officers in the performance of their duties may also use them. They must not be used to monitor or track any individual's network activity except under special authorization as defined by campus policy that protects the privacy of information in electronic form.


In certain cases, compliance with specific policy requirements may not be immediately possible. Reasons include, but are not limited to, the following:
  • Required commercial or other software in use is not currently able to support the required features;
  • Legacy systems are in use which do not comply, but near-term future systems will, and are planned for;
  • Costs for reasonable compliance are disproportionate relative to the potential damage.
In such cases, units must develop a written explanation of the compliance issue and a plan for coming into compliance with the University's Information Security Policy in a reasonable amount of time. Explanations and plans must be submitted to the campus CIO or the equivalent officer(s).
