Showing posts with label Physical Security.

Tuesday, September 25, 2007

Information Security : Design, Implementation, Measurement, and Compliance

Author : Timothy P. Layton
Product Details
Hardcover : 222 pages
Publisher : AUERBACH; 1 edition (July 20, 2006)
Language : English
ISBN-10 : 0849370876
ISBN-13 : 978-0849370878

Table of Contents
EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM
INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM™)
. Background
. Linkage
. Risk Assessment Types
. Relationship to Other Models and Standards
. Terminology
. Risk Assessment Relationship
. Information Security Risk Assessment Model (ISRAM)
. References
GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM™)
. GISAM and ISRAM Relationship
. GISAM Design Criteria
. General Assessment Types
. GISAM Components
. References
DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE™) PROCESS
. The Culmination of ISRAM and GISAM
. Business Process
A SECURITY BASELINE
. KRI Security Baseline Controls
. Security Baseline
. Information Security Policy Document
. Management Commitment to Information Security
. Allocation of Information Security Responsibilities
. Independent Review of Information Security
. Identification of Risks Related to External Parties
. Inventory of Assets
. Classification Guidelines
. Screening
. Information Security Awareness, Education, and Training
. Removal of Access Rights
. Physical Security Perimeter
. Protecting Against External and Environmental Threats
. Secure Disposal or Reuse of Equipment
. Documented Operating Procedures
. Change Management
. Segregation of Duties
. System Acceptance
. Controls against Malicious Code
. Management of Removable Media
. Information Handling Procedures
. Physical Media in Transit
. Electronic Commerce
. Access Control Policy
. User Registration
. Segregation in Networks
. Teleworking
. Security Requirements Analysis and Specification
. Policy on the Use of Cryptographic Controls
. Protection of System Test Data
. Control of Technical Vulnerabilities
. Reporting Information Security Events
. Including Information Security in the Business Continuity Process
. Identification of Applicable Legislation
. Data Protection and Privacy of Personal Information
. Technical Compliance Checking
. References
BACKGROUND OF THE ISO/IEC 17799 STANDARD
. History of the Standard
. Internals of the Standard
. Guidance for Use
. High-Level Objectives
. ISO/IEC Defined
. References
ISO/IEC 17799:2005 GAP ANALYSIS
. Overview
. Guidance for Use
. General Changes
. Security Policy
. Organization of Information Security
. Asset Management
. Human Resources Security
. Physical and Environmental Security
. Communications and Operations Management
. Access Control
. Information Systems Acquisition, Development, and Maintenance
. Information Security Incident Management
. Business Continuity Management
. Compliance
. References

ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS
SECURITY POLICY
. Information Security Policy
. Summary
. References
ORGANIZATION OF INFORMATION SECURITY
. Internal Organization
. External Parties
. Summary
. References
ASSET MANAGEMENT
. Responsibility for Assets
. Information Classification
. Summary
. References
HUMAN RESOURCES SECURITY
. Prior to Employment
. During Employment
. Termination or Change of Employment
. Summary
. References
PHYSICAL AND ENVIRONMENTAL SECURITY
. Secure Areas
. Equipment Security
. Summary
. References
COMMUNICATIONS AND OPERATIONS MANAGEMENT
. Operational Procedures and Responsibilities
. Third-Party Service Delivery Management
. System Planning and Acceptance
. Protection against Malicious and Mobile Code
. Backup
. Network Security Management
. Media Handling
. Exchange of Information
. Electronic Commerce Services
. Monitoring
. Summary
. References
ACCESS CONTROL
. Business Requirements for Access Control
. User Access Management
. User Responsibilities
. Network Access Control
. Operating System Access Control
. Application and Information Access Control
. Mobile Computing and Teleworking
. Summary
. References
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
. Security Requirements of Information Systems
. Correct Processing in Applications
. Cryptographic Controls
. Security of System Files
. Security in Development and Support Processes
. Technical Vulnerability Management
. Summary
. References
INFORMATION SECURITY INCIDENT MANAGEMENT
. Reporting Information Security Events and Weaknesses
. Management of Information Security Incidents and Improvements
. Summary
. References
BUSINESS CONTINUITY MANAGEMENT
. Information Security Aspects of Business Continuity Management
. Summary
. References
COMPLIANCE
. Compliance with Legal Requirements
. Compliance with Security Policies and Standards, and Technical Compliance
. Information Systems Audit Considerations
. Summary
. References
APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005
APPENDIX B: GENERAL REFERENCES
INDEX

-------------------------------------------------------------

Editorial Reviews

I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … Risk assessment is the cornerstone of an effective information security program. … striving to achieve compliance in the absence of a risk-based security strategy can only lead to failure. … Implement an effective risk assessment program and take control of the compliance monster. … This book will help you do just that. I know you will benefit from Tim's guidance on how to get the most from your risk assessment efforts. For today's information security leaders, there is not a topic more important.
-From the Foreword by Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation

-------------------------------------------------------------

Book Description
Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs. Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives. Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.

-------------------------------------------------------------

Sunday, September 23, 2007

Information Security Principles (ISO/IEC 17799)

Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies

Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts

Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection

Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing, with the scope of their access to information systems defined
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy

Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from:
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism

Computer and network management
- The integrity, accuracy and availability of data are to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse

Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job

Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled

Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters

Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts

Source : http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm

Thursday, September 20, 2007

ISO 17799: Standard for Security

Nov/Dec 2006

by Ellie Myler and George Broadbent

Organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles and responsibilities, documenting operational procedures, preparing for incident and business continuity management, and complying with legal requirements and audit controls.

Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, "It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising."

Today's information professionals need to address an ever-increasing number of internal and external threats to their systems' stability and security, while maintaining access to critical information systems. As the e-commerce space continues to grow and new tools allow organizations to conduct more business online, they must have controls in place to curtail cyber crimes' malicious mayhem, tampering, and wrongdoing.

Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. By combining best practices outlined in the international standard ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the gaps and bring together information security, intellectual property rights, protection and classification of organizational records, and audit controls.

ISO 17799 Components, Applications, Implications

ISO 17799 provides a framework to establish risk assessment methods; policies, controls, and countermeasures; and program documentation. The standard is an excellent model for organizations that need to:

* Create information security policies and procedures

* Assign roles and responsibilities

* Provide consistent asset management

* Establish human and physical security mechanisms

* Document communications and operational procedures

* Determine access control and associated systems

* Prepare for incident and business continuity management

* Comply with legal requirements and audit controls

Information security can be defined as a program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly.

Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. The standard provides various terms and definitions that can be adopted as well as the rationale, the importance, and the reasons for establishing programs to protect an organization's information assets and resources. Figure 1 depicts the suggested steps and tasks associated with establishing and implementing an information security program.

This ISO framework is methodically organized into 11 security control clauses. Together these clauses contain 39 main security categories, each with a control objective and one or more controls (133 in all) to achieve that objective. The control descriptions have the definitions, implementation guidance, and other information to enable an organization to set up its program objectives according to the standard methodology.

Step 1: Conduct Risk Assessments

This component of the standard applies to activities that should be completed before security policies and procedures are formulated.

Risk is defined as anything that causes exposure to possible loss or injury. Risk analysis is defined as a process of identifying the risks to an organization and often involves an evaluation of the probabilities of a particular event or an assessment of potential hazards. Loss potentials must be understood in order to determine an organization's vulnerability to them.

Risk categories are both internal and external and can include:

* Natural: Significant weather events such as hurricanes, flooding, and blizzards

* Human: Fire, chemical spills, vandalism, power outages, and viruses/hackers

* Political: Terrorist attacks, bomb threats, strikes, and riots

Conduct risk assessments to understand, analyze, evaluate, and determine what risks organizations feel are likely to occur in their environment. Risk assessment activities involve information technology (IT) and information processing facilities, facilities management and building security, human resources (HR), records management (RM) and vital records protection, and compliance and risk management groups. These groups must collectively determine what the risks are, the level of acceptance or non-acceptance of that risk, and the controls selected to counteract or minimize these risks.

Risk analysis is conducted to isolate specific and typical events that would likely affect an organization; considering its geography and the nature of its business activities will help to identify risks. Loss potential from any of these events can result in prohibited access, disrupted power supplies, fires from gas or electricity interruptions, water damage, mildew or mold on paper collections, smoke damage, chemical damage, and total loss (with the destruction of the entire building).

Regularly monitor emerging threats and evaluate their impacts, as this is a constant, moving target. For example, according to an IMlogic article, "IM [instant messaging] worms are the most prevalent form of IM malware, representing 90 percent of all unique attacks in 2005. These attacks frequently utilized social engineering techniques to lure end users into clicking on suspicious links embedded inside IM messages, enabling the activation of malicious code that compromised the security of host operating systems or applications."

Although threats are increasingly sophisticated in the virtual sphere, the simple occurrence of employees stealing company information on paper is still very real and prevalent in today's work space.

Step 2: Establish a Security Policy

These components of the standard provide the content that should be included as well as implementation guidance to set the foundation and authorization of the program.

To establish its authority, an information security policy should be developed, authorized by management, published, and communicated. It should apply to all information assets and must demonstrate management's commitment to the program. Explain the implications for work processes and associated responsibilities, and outline them in employee job descriptions.

The security policy should be administered, documented, and periodically evaluated and updated to reflect organizational goals and lines of business. This is captured under clause 6 (organization of information security), which covers the administrative and management activities needed to implement the security policy. All activities must identify authorities, responsibilities, agreements, and external security requirements. This has an impact on information processing facilities, external parties, access issues, and problem resolution measures. Keep a record of all policy administration activities to build a history of the information security program.

Step 3: Compile an Asset Inventory

This component of the standard addresses asset management, controls, and the protection thereof. It applies to all assets in tangible and intangible form.

Identify the organization's intellectual property (IP), the tools used to create and manage IP, and physical assets in a detailed inventory so the organization knows what resources it has, where they are located, and who has responsibility for them. Identifying how assets are to be used, classified, labeled, and handled is necessary to establish an asset management inventory.

This inventory should also distinguish the types, formats, and ownership control issues. Implement associated rules for the use of assets including e-mail, Internet usage, and mobile devices. Classifying assets and establishing procedures for labeling and handling according to the classification scheme are also important. Documents in electronic form lend themselves to being identified through metadata and completed document properties. However, these processes must still be carried out by people. Although automation of these processes is possible, an organization still faces extensive costs and resource coordination to address this piece.

Step 4: Define Accountability

This component of the standard addresses the human aspect of security; it applies to the level of accountability that employees, contractors, and third-party users have for protecting an organization's information assets.

An information security program cannot be implemented successfully unless roles and responsibilities are clearly articulated and understood by those having ownership in the program. Ideally, these roles and responsibilities should be outlined in job descriptions and documented in terms and conditions of employment.

Employees are part of the overall information security landscape and often they are the closest and best able to prevent certain incidents from occurring. HR is typically in charge of these issues, but they must collaborate with IT and RM to ensure that all information assets are addressed accordingly.

Define roles and responsibilities during pre-employment and screening processes, and perform background checks to support the hiring process. If the job mandates working with highly sensitive information, an organization must be on guard to hire the most qualified person to perform these tasks. These employees must possess a great deal of integrity, pay attention to detail, and take their responsibilities seriously.

Information security awareness, education, and training must be a routine activity to keep employees informed, to communicate expectations, and to provide updates on their responsibilities. Standardize a disciplinary process for security breaches.

When employees leave or change jobs, it is essential that HR, in collaboration with other stakeholders, follows through with a return-of-assets process and removal of access rights, which can be captured in HR exit processes and procedures. This often is not a coordinated process, which allows employees to walk off with information or to leave masses of orphaned and unidentified information behind on servers and in physical work spaces. Redesign the HR exit interview to ensure that information return or transfer is a coordinated process.

Step 5: Address Physical Security

This component of the standard outlines all the requirements for physical security perimeters and authorized entry controls; measures for protecting against external and environmental threats; equipment security, utilities, and cabling considerations; and secure disposal or reuse of equipment and storage media.

An organization's buildings and premises, equipment, and information processing facilities must be protected against unauthorized intrusion and access, and against theft. This applies mostly to facilities management and IT, although risk management should also participate to provide environmental risk protection measures.

Include guidelines for physical security perimeters, entry controls, environmental threats, and access patterns in this section. Also address supporting utilities, power, and telecommunication networks. Finally, secure the disposal and removal of equipment that holds information so that the information is truly erased: simply deleting files or reformatting does not remove the data, so media must be overwritten, degaussed, or physically destroyed according to the classification of what they held.

Step 6: Document Operating Procedures

Procedures for system activities, change management controls, and segregation of duties are included in this component.

Any organizational program will be more established when program administration, policies, procedures, and related processes are formally documented. This component sets out to define operating procedures, instructions for the detailed execution thereof, and the management of audit trail and system log information. It applies to all facets of an information security program.

Formally documenting program activities will allow an organization to keep track of the development, implementation, and associated documentation for the program. Keep in mind that documentation does not magically appear through word processing programs. It takes resources, good writing skills, and an ability to change documentation when necessary.

Address the separation of development, test, and operational facilities to reduce the risk of unauthorized actions. Monitor and review third-party service delivery requirements to ensure that actions are carried out as mandated. Plan for, monitor, and update system resources, capacity management, and acceptance criteria, as necessary.

Constantly monitor and prepare to protect against malicious and mobile code to guard the integrity of system software and information. This especially pertains to attacks such as SQL injection and malware aimed at mobile devices, which are becoming increasingly sophisticated. This should also focus on incoming e-mail and downloadable attachments, as well as a review of web pages.

Backup and restoration procedures must provide for the replication of information and methods for dispersal and testing, meeting business continuity requirements. This should also address retention periods for archival information or records with long-term retention requirements. Address media preservation issues to ensure the longevity of media that have long-term retention requirements.

Address network infrastructure through network controls and management. This includes:

* Remote equipment and connections

* Public and wireless networks

* Authentication and encryption controls

* Firewalls and intrusion detection systems

* Media handling and transit methods

* Information classification, retention, and distribution policies and procedures

Although mobile devices have helped organizations stay better connected, employees must use more discretion when using them. Alert employees to proper etiquette for relaying information so they will not be overheard in elevators, airports, or on other public transportation.

Address electronic data interchange, e-commerce, online transactions, electronic signatures, electronic publishing systems, and electronic communication methods such as e-mail and IM. Their secure use and associated procedures must demonstrate accuracy, integrity, and reliability. For organizations using e-commerce, this is not optional, as current regulations are pushing it to the forefront of IT agendas. Organizations should also monitor their systems and record security events through audit logs. Also address records retention policies for archival or evidence requirements.

Step 7: Determine Access Controls

This component of the standard includes guidelines for establishing policies and rules for information and system access.

Practice standard methods for all users and system administrators to control access to and distribution of information. Policies should apply to users, equipment, and network services. Newer technologies, such as fingerprint readers used alongside passwords, come at a cost, but they should be evaluated as authentication and password management tools.

Access control measures should include:

* Setting up user registration and deregistration procedures

* Allocating privileges and passwords

* Implementing a "clear desk and clear screen policy"

* Managing:

- Unattended equipment

- Virtual private network solutions

- Wireless networks and authentications

- Network service issues such as routing and connections

- Telecommuting virtual spaces and intellectual property rights

- Cryptographic keys and procedures

- Software development, testing, and production environments

- Program source code and libraries

- Change control procedures and documentation

- Patches, updates, and service packs
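The registration and deregistration, privilege allocation and monitoring points listed above, together with the removal of access rights on exit described under Step 4, as an added Python example (this is not code from the article or from the standard; the roles, users and HR roster are constructed for illustration). It denies by default, records every denied attempt in an audit trail so that unsuccessful attempts can be reported, and reconciles granted accounts against the HR roster so that a leaver's access is revoked rather than left orphaned:

```python
"""Added example (not from the article): a minimal role-based access model
that denies by default, keeps an audit trail of every decision, and
reconciles granted accounts against an HR roster so that leavers' access
is revoked. All roles, users and the roster are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> set of (resource, action) permissions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll_db", "read"), ("payroll_db", "write")},
    "auditor": {("payroll_db", "read"), ("audit_log", "read")},
    "helpdesk": {("user_directory", "read")},
}


@dataclass
class AccessSystem:
    grants: dict = field(default_factory=dict)      # user -> set of roles
    audit_log: list = field(default_factory=list)   # one entry per decision

    def grant(self, user, role):
        """User registration: assign a known role (least privilege is decided here)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault(user, set()).add(role)

    def revoke_all(self, user):
        """Removal of access rights: drop every role the user holds."""
        self.grants.pop(user, None)

    def check_access(self, user, resource, action):
        """Deny by default; only an explicit role permission allows access."""
        allowed = any((resource, action) in ROLE_PERMISSIONS[r]
                      for r in self.grants.get(user, set()))
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "resource": resource, "action": action,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def denied_attempts(self):
        """Report unsuccessful attempts, as the monitoring principle requires."""
        return [e for e in self.audit_log if e["result"] == "DENY"]

    def reconcile_with_hr(self, active_staff):
        """Find accounts that still hold roles but are no longer on the HR
        roster (orphaned access), revoke them, and return the leavers found."""
        orphaned = sorted(u for u in self.grants if u not in active_staff)
        for user in orphaned:
            self.revoke_all(user)
        return orphaned


def run_access_demo():
    acl = AccessSystem()
    acl.grant("alice", "payroll_clerk")
    acl.grant("bob", "auditor")
    acl.grant("carol", "helpdesk")
    results = {
        # Least privilege: the auditor may read payroll data but not change it.
        "auditor_read": acl.check_access("bob", "payroll_db", "read"),
        "auditor_write": acl.check_access("bob", "payroll_db", "write"),
        # An unregistered user has no roles and is denied by default.
        "unknown_user": acl.check_access("mallory", "payroll_db", "read"),
    }
    # Constructed HR roster: carol has left but her account still holds a role.
    results["orphaned"] = acl.reconcile_with_hr(active_staff={"alice", "bob"})
    results["carol_after"] = acl.check_access("carol", "user_directory", "read")
    results["denied_count"] = len(acl.denied_attempts())
    return results


if __name__ == "__main__":
    print(run_access_demo())
```

The reconciliation step is the check that the exit process in Step 4 usually lacks: it treats the HR roster, not the access system, as the source of truth for who should still hold anything, and every decision lands in the audit log so the denied attempts can be reported rather than silently dropped.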

Any information system that an organization procures or develops must also include security requirements for valid data input, internal processing controls, and encryption protection methods. Document the integrity, authenticity, and completeness of transactions through checks and balances. Retain and archive system documentation for configurations, implementations, audits, and older versions. This is further detailed in clause 12 of the standard.
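The "valid data input" requirement above, shown on the SQL injection attack the article names, as an added Python example (not code from the article or the standard; the table, rows and attack string are constructed for illustration). The first lookup builds the query by string concatenation and is deliberately injectable; the hardened lookup binds the value as a parameter and rejects input outside an expected character set before it reaches the database:

```python
"""Added example (not from the article): input validation and parameterised
queries as a control against SQL injection. Uses an in-memory SQLite table
with constructed rows."""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "payroll_clerk"),   # constructed
        ("bob", "hash-of-bob-pw", "auditor"),             # constructed
    ])
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: attacker-controlled text becomes part of the SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The value is bound as a parameter, so it can never change the query's structure.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Whitelist for the expected shape of a username (an assumed policy for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def lookup_hardened(conn, username):
    # Input validation first: reject anything outside the expected character set,
    # then rely on parameter binding for whatever passes.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


def run_injection_demo():
    conn = make_db()
    payload = "x' OR '1'='1"          # classic tautology; constructed attack string
    leaked = lookup_vulnerable(conn, payload)        # returns every row
    safe = lookup_parameterized(conn, payload)       # matches no row
    try:
        lookup_hardened(conn, payload)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {
        "leaked_rows": len(leaked),
        "parameterized_rows": len(safe),
        "hardened": hardened,
        "normal": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    print(run_injection_demo())
```

Parameter binding alone defeats the injection; the whitelist is defence in depth and also stops malformed input before any query is issued, which is the kind of check the "internal processing controls" requirement expects to be documented.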

Step 8: Coordinate Business Continuity

This component of the standard includes reporting requirements, response and escalation procedures, and business continuity management.

As organizations increasingly come under attack and suffer security breaches, they must have some formalized manner of responding to these events.

Business continuity management addresses unexpected interruptions in business activities or counters those events that impede an organization's critical business functions. This process should include:

* Identifying risks and possible occurrences

* Conducting business impact analyses

* Prioritizing critical business functions

* Developing countermeasures to mitigate and minimize the impact of occurrences

* Compiling business continuity plans and setting up regular testing methods for plan evaluation and update

A business continuity management framework also includes emergency or crisis management tasks, resumption plans, recovery and restoration procedures, and training programs. Testing the plan is an absolute must to determine its validity. Tests can include a variety of methods to simulate and rehearse real-life situations. Develop calling trees and hot- and cold-site configurations, and engage third-party contractors, depending on the organization's priority of critical business functions.

Report information security incidents or breaches as soon as possible so that all relevant details are captured while they are still fresh. This requires having feedback processes in place as well as establishing a list of contacts that are available around the clock to manage this process. Procedures should be consistent and effective to ensure orderly responses, not only to manage the immediate process but also to collect evidence for legal proceedings.

Step 9: Demonstrate Compliance

This component of the standard provides guidance on intellectual property rights, RM requirements, and compliance measures. These apply to everything from an organization's information processing systems to the granular data and transactional records contained within those systems.

There is an increased scrutiny on organizations to demonstrate compliance with applicable laws, regulations, and legislative requirements for all aspects of their business transactions. Adherence to rules and regulations is an integral part of the information security program and will contribute to demonstrating corporate accountability.

Address identification, categorization, retention, and stability of media for long-term retention requirements according to business and regulatory requirements. Document retention periods and associated storage media as part of managing the organization's records. Address privacy and personal data requirements, which can vary from one country to the next. Address transborder data flow and movement, and associated encryption methods as related to import and export issues depending on federal laws and regulations.

Follow up on and evaluate compliance with established policies and procedures to determine implementation effectiveness and possible shortcomings. Clearly delineate audit controls and tools to determine areas for improvement. Again, it is critical to take time to document all information related to the development and establishment of compliance and audit, including decisions made, resources involved, and other source documentation cited.

Data Breach Reporting Issues

New information security requirements are emerging as a result of organizations' negligence to protect sensitive data and impose adequate controls on employees using mobile technology to house such data. Information security issues are constantly in the media, as with the recent case when the U.S. Department of Veterans Affairs (VA) lost control of the personal information of 28 million veterans when a laptop containing the information was stolen from an employee's home. The VA was criticized for its delay in disclosing the loss and notifying those affected.

California Senate Bill (SB) 1386 is setting the precedent for reporting and disclosing data security breaches and for privacy and financial security requirements. (See Figure 2 "California SB 1386 Excerpts, Source and Language Summary.") Other states are now adopting laws that allow consumers to "freeze" their credit files even if they have not been victims of identity theft. If passed, pending bills in the U.S. Congress, including S.1408: Identity Theft Protection Act and H.R. 4127: The Data Accountability and Trust Act, would also force organizations to be more accountable for the vast amount of personal information they may hold.

Organizations should take heed of these legislative efforts and plan for them proactively by updating their information security practices. Any organization that conducts e-commerce must align its systems and databases to protect the information they hold. Organizations subject to these laws should structure their reporting measures around the following components of the ISO 17799 standard:

* Clause 10.9 (electronic commerce services) covers the controls, including cryptographic controls, that protect sensitive customer information and the associated electronic records and databases.

* Clause 13.1 provides a methodology for reporting information security events and weaknesses, supported by timely procedures and by appropriate disciplinary processes.

Information Security Objectives and Records Management Components

Although information security is now in the limelight and has the attention of executives, RM remains the foundation from which the various new compliance areas branch out. Records managers need to work with IT to ensure that retention and vital records requirements are addressed and are included in the many inventories the ISO standard calls for. They must also update their programs to match the objectives of the information security program as set out in the controls and implementation guidance of ISO 17799.

Maintenance, retention, and protection requirements of data, information, and IP are addressed in the ISO clauses in Figure 3.

Vital records are those needed to resume and continue business operations after a disaster and to recreate an organization's legal and financial position, preserving the rights of its employees, customers, and stockholders. If vital records protection methods exist before an information security program is established, they should be integrated into, or referenced from, the larger information security scheme. Organizations have long managed and protected IP through a vital records program. Even before electronic records were prevalent, vital records protection rested on the same premises, namely:

* Appraisal and identification of those records that are deemed vital

* Duplication and dispersal processes

These methods apply equally to electronic environments, but the inventories of such records must include not only the paper versions but also their electronic counterparts captured on other media or in other systems within the organization.

The objective to protect electronic vital records must focus on:

* Newly created records

* Work in progress

* Other information that is not stored on servers and is typically found on users' desktops

Although it can be argued that many electronic records are captured in enterprise resource planning systems, the routine backups of that data are typically rotated and overwritten, so long-term retention and protection requirements are not met by backups alone.

Initially, allowing employees to carry laptops and other devices holding large amounts of data outside the corporate environment was seen as a way to increase productivity. It still is, but controls, in the form of policies stating what can and cannot be taken, must be established and consistently enforced. As technology packs ever more data onto ever smaller devices, it is crucial to monitor and correct employee behavior so that it does not compromise the organization's responsibility to keep information safe. Establish, fund, and monitor training, support, and compliance so that employees are properly trained before they are turned loose with the tools.

Compliance also applies to information systems and their audit considerations. The administrators who run an organization's information systems must be scrutinized just as closely as other employees, both on premises and in virtual spaces.

Stay Ahead of the Curve to Stay Secure

While information security is the newest flavor of the month, chances are that many organizations have no program in place and therefore no control over how their employees manage information.

Organizations cannot continue to conduct business irresponsibly. Using the ISO standard to structure their programs is the foundation, but they must also stay ahead of the curve by anticipating potential incidents. Information security websites are plentiful and provide both written materials and podcasts to keep information professionals informed. Records managers and IT professionals can also help each other build a best-practice information security program.

Any program an organization initiates will need management support and resources. Collaboration by all parties, including senior management, is essential to achieving compliance in information security.

References

ARMA International. "VA IG Slams Top Officials in VA Data Theft Incident." Washington Policy Brief, July 2006. Available at www.arma.org/news/policybrief/index.cfm?BriefID=1335 (accessed 26 September 2006).

Bartholomew, Doug. "Responding to Risk: Invisible Enemies." Industry Week, 1 March 2006. Available at www.industryweek.com/ReadArticle.aspx?ArticleID=11440 (accessed 26 September 2006).

Greenemeier, Larry. "The Next Data Breach Could Mean Your IT Job." Information Week, 17 July 2006. Available at www.informationweek.com/security/showArticle.jhtml?articleID=190400266 (accessed 26 September 2006).

IMlogic. IMlogic Threat Center - 2005 Real-Time Communication Security: The Year in Review. Formerly available at www.imlogic.com/pdf/2005ThreatCenter_report.pdg (accessed 12 July 2006); no longer available.

International Organization for Standardization. ISO/IEC 17799: 2005, Information Technology - Security Techniques - Code of Practice for Information Security Management, Geneva, Switzerland: International Organization for Standardization, 2005.

_____. ISO/IEC 18043:2006, Information Technology - Security Techniques - Selection, Deployment and Operations of Intrusion Detection Systems, Geneva, Switzerland: International Organization for Standardization, 2006.

_____. "New ISO/IEC Standard to Help Detect IT Intruders." Available at www.iso.org/iso/en/commcentre/pressreleases/2006/Ref1017.html (accessed 26 September 2006).

U.S. House. Data Accountability and Trust Act, 109th Congress, H.R. 4127. Available at www.govtrack.us/congress/bill.xpd?bill=h109-4127 (accessed 26 September 2006).

U.S. Senate. Identity Theft Protection Act, 109th Congress, S.1408. Available at www.govtrack.us/congress/bill.xpd?bill=s109-1408 (accessed 26 September 2006).

Ellie Myler, CRM, and George Broadbent

Ellie Myler is a Certified Records Manager and Certified Business Continuity Professional and a 17-year veteran of the records management industry. A Senior Records Management Analyst with Entium Technology Partners LLC, Myler has previously served as a consultant to Fortune 500 companies in a wide spectrum of industries. She designs and customizes corporate governance programs for records management and business continuity program initiatives and writes and lectures frequently on information management and technology topics. She may be reached at emyler@entium.com.

George Broadbent has more than 17 years of diversified system architecture, network design and implementation, and application development experience, including network management of Novell NetWare and Microsoft Windows 2000/2003 networks. He has designed and built local and wide area networks (LANs/WANs) that include the use of high-availability systems, real-time data replication and hierarchical storage solutions for large multi-site organizations. He has performed the architecture, design, implementation, deployment, and/or support of enterprise electronic mail systems with integrated electronic archiving solutions for Microsoft Exchange-based systems. He can be reached at gbroadbent@entium.com.

Copyright ARMA International Nov/Dec 2006
Provided by ProQuest Information and Learning Company. All rights Reserved

Source : http://findarticles.com/p/articles/mi_qa3937/is_200611/ai_n16871475

Saturday, September 1, 2007

Physical Security Primer

In this article we continue our detailed look at applying physical security wherever possible, this time covering backup power. Let's look at what you can do to make sure power remains available at your facility, home, or office.

If you missed the first article in this series please go read Windows 2000 and 2003 Server Physical/Logical Security Primer (Part 1).

Power is essential to running computer systems. Without electrical power there would be no 1s and 0s. Therefore, as administrators, we need to assess our physical security against the unfavorable environmental conditions that inevitably lead to power failures. A power failure can put your company out of business if you have no backup source of power, and worse, if you have no conditioning on the line, a surge will ruin your equipment: power supplies that take a massive surge usually don't fare well afterwards.

Physical Security Primer (Part 2)

In Part 1, we entered the mind of the villain and covered, very generally and at a high level, what you should be looking at. In Part 2, we look at other things you can do to implement physical security and better defend against attack. For one, you can consider backup power.


Backup Power Systems

There are several types of power backup capabilities and choosing the right one should be done after the total cost of anticipated downtime and its effects are calculated.

  • You have to assume you will have a power outage at some point, so assess how you would recover from one. A UPS (uninterruptible power supply: a battery-backed supply for an AC line, like those commonly used with personal computers) may not be enough to sustain long-term operations; for that you need a generator.
  • Deriving the total cost per hour of backup power is simply a matter of dividing the annual expenditure by the annual hours of use.
  • Both large and small events cause power failures or fluctuations, so don't assume that only major blackouts create a problem. Even a small surge can damage a motherboard and render it useless, and a single electrostatic discharge (ESD) from an ungrounded technician can do the same.
  • Having a generator in place is a relatively low-cost way to produce power in time of need.

  • Generators are a great source of backup power and can be kept running far longer than a UPS. UPS power is very short term; its real purpose is to give your servers time to log users out and shut down cleanly so that the operating system doesn't crash and data doesn't get corrupted or lost. In effect, a UPS is a glorified line conditioner that keeps the hardware from being damaged by surges and, when the power fails, buys enough time to shut the server down quickly and properly. A generator is for the ongoing period: it should restore full power to all your systems.
  • Some generators have sensors that detect a power failure and start automatically, which is a huge plus for off-hours outages.
  • Start thresholds can be calibrated to suit the environment. Depending on the type and size of the generator and its fuel supply, it might provide power for minutes or for days.
  • Now that we have discussed the differences between UPS systems and generators, let's wrap this up with some considerations for both.
  • Generators are for the long term; consider having one on site so that if you sustain an extended outage you can keep refueling it by hand if necessary, and your systems will at least have power.
  • Issues to consider with UPS systems
    • Size of load the UPS can support. The battery and inverter can only supply so much 'pull' from the devices plugged in. Most UPS systems have indicator lights (and buzzers) that warn you when you are exceeding the UPS's capacity.
    • How long it can support the load, meaning all the plugged-in devices drawing power (consider battery runtime when purchasing).
    • Even UPSs fail, so for complete redundancy consider a UPS transfer switch, which lets a second UPS or a bypass feed take over when the primary UPS fails. I highly recommend those too.
    • Choose a UPS with adequate battery life before it is tapped out. Sometimes you need to log users out of a server and shut down a great many applications and processes, and every second counts during a failure, so give yourself as much margin as possible.
    • UPSs naturally offer surge protection and line conditioning.
    • UPSs also filter EMI and RFI (electromagnetic and radio-frequency interference).
    • Prefer devices with high MTBF values. MTBF (mean time between failures) is a statistical estimate of the average interval between failures across a population of units; it is a comparative reliability indicator, not a guarantee of how long any single unit will last.
    • Get a unit that supports automatic shutdown of systems when battery power is running out. This is ideal for off hours when nobody is on staff and the power goes out: the UPS signals the server (over USB, serial, or the network) that it is running on battery, and the server runs a scripted orderly shutdown before the battery is exhausted.
  • When the computer must keep running, or when it is convenient to allow a soft shutdown, some self-contained UPS units save a lot of trouble: they detect the approaching exhaustion of their battery and shut the computer down in an orderly manner.
  • There are two main methods of protecting against power issues:
    • Uninterruptible power supply (UPS):
      • A UPS uses batteries that range in size and capacity.
      • The UPS can be either standby or online.
      • A standby (offline) UPS passes line power straight through to the load and switches to its inverter only when line power fails, with a brief transfer gap.
      • An online (double-conversion) UPS continuously rectifies AC line voltage to charge the battery bank and feeds the load from its inverter at all times, so there is no transfer gap and the load is isolated from line disturbances.
      • When running on battery, the inverter converts the DC output of the batteries into the required AC waveform and regulates the voltage as it powers the devices.
      • Besides a UPS, a generator is the other common form of backup power source.
    • Power line conditioners: a power line conditioner is a device that delivers a steady flow of regulated power at a set voltage, filtering surges, sags, and noise, but it has no battery and cannot ride through an outage. An online UPS gives the same conditioning as a side effect: it draws power from the line, stores it in its battery, and the devices plugged into it receive a steady, conditioned supply from the inverter whether or not the line fails. This is line conditioning.
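The two purchase questions in the list above (can the UPS carry the load, and for how long) and the automatic-shutdown point can be checked in code. The following is an added example, not code from the original article or from any UPS vendor. It sizes a hypothetical load against a hypothetical UPS rating and then decides whether to start an orderly shutdown from the status a UPS reports. The status format follows the "key: value" lines printed by the `upsc` command of Network UPS Tools (NUT), and the variable names used (ups.status, battery.charge, battery.runtime) are NUT's standard names; the device list, the UPS ratings, the thresholds and the sample readings are all constructed for this example.

```python
"""Added example: UPS load sizing and an orderly-shutdown decision.

Everything below (device wattages, UPS ratings, thresholds, sample upsc
output) is constructed for illustration and is not real measurement data.
"""
from dataclasses import dataclass


@dataclass
class UpsRating:
    va: int                    # apparent-power rating from the nameplate
    watts: int                 # real-power rating (usually below the VA figure)
    battery_wh: float          # usable battery energy, watt-hours (assumed)
    inverter_eff: float = 0.9  # DC-to-AC conversion efficiency (assumed)


def check_load(devices_w: dict, ups: UpsRating, headroom: float = 0.8):
    """Return (total_watts, ok); ok is True when the load stays under
    `headroom` of the UPS real-power rating, leaving margin for inrush."""
    total = sum(devices_w.values())
    return total, total <= ups.watts * headroom


def estimate_runtime_min(load_w: float, ups: UpsRating) -> float:
    """Rough battery runtime at a constant load, in minutes."""
    if load_w <= 0:
        raise ValueError("load must be positive")
    return ups.battery_wh * ups.inverter_eff / load_w * 60


def parse_upsc(text: str) -> dict:
    """Parse `upsc <ups>` style output ('key: value' per line) into a dict."""
    variables = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            variables[key.strip()] = value.strip()
    return variables


def should_shutdown(ups_vars: dict, shutdown_seconds: int, min_charge: int = 20) -> bool:
    """Decide whether to begin an orderly shutdown now.

    Only when on battery (OB). Then shut down if the UPS raised its
    low-battery flag (LB), if the remaining runtime is shorter than the
    shutdown itself needs, or if the charge is below min_charge percent.
    Missing runtime/charge variables (some units do not report them)
    leave the decision to the remaining checks."""
    status = ups_vars.get("ups.status", "").split()
    if "OB" not in status:
        return False          # on line power (OL): never shut down
    if "LB" in status:
        return True
    runtime = ups_vars.get("battery.runtime")
    if runtime is not None and int(runtime) < shutdown_seconds:
        return True
    charge = ups_vars.get("battery.charge")
    return charge is not None and int(charge) < min_charge


# Constructed sample data (hypothetical devices, hypothetical 1500 VA unit).
DEVICES_W = {"db-server": 350, "file-server": 300, "core-switch": 120}
UPS = UpsRating(va=1500, watts=1000, battery_wh=216)
SAMPLE_UPSC_ON_LINE = "ups.status: OL\nbattery.charge: 100\nbattery.runtime: 1320\nups.load: 64\n"
SAMPLE_UPSC_ON_BATTERY = "ups.status: OB DISCHRG\nbattery.charge: 35\nbattery.runtime: 240\nups.load: 64\n"
SAMPLE_UPSC_LOW = "ups.status: OB DISCHRG LB\nbattery.charge: 8\nbattery.runtime: 60\n"

if __name__ == "__main__":
    total, ok = check_load(DEVICES_W, UPS)
    print(f"load {total} W, within headroom: {ok}")
    print(f"estimated runtime at that load: {estimate_runtime_min(total, UPS):.1f} min")
    for sample in (SAMPLE_UPSC_ON_LINE, SAMPLE_UPSC_ON_BATTERY, SAMPLE_UPSC_LOW):
        print(parse_upsc(sample)["ups.status"], "->", should_shutdown(parse_upsc(sample), shutdown_seconds=300))
```

The shutdown_seconds argument is the time your scripted shutdown actually takes (measure it, then add margin); the design choice worth noting is that the decision never fires while the UPS reports line power, so a flapping charge reading cannot take a server down on its own.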

Problems with Power Current

Never thought there would be so many problems huh? Well, for a long time I personally worked in a manufacturing plant that was prone to them. Our location was in a place where the power just plain stunk. (It still does). Anyway, these things do happen and it’s important to consider when considering physical security. If you have no power, you have no business. If that’s not a disaster I don’t know what is!

Excessive Power

  • Spike: momentary high voltage
  • Surge: prolonged high voltage (IEEE terminology differs: there a sustained overvoltage is a "swell" and a surge is a transient; the definitions here follow common security-certification usage)

Loss of Power

  • Fault: momentary loss of power
  • Blackout: prolonged loss of power

Degradation of Power

  • Sag: momentary low voltage
  • Brownout: prolonged low voltage
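The six event types above differ only in direction (high, low, gone) and duration (momentary or prolonged), which makes them easy to detect from a log of voltage readings. The following is an added example, not part of the original article: it classifies a constructed series of line-voltage samples into spike, surge, sag, brownout, fault and blackout. The nominal voltage, the tolerance band, the outage threshold and the one-second momentary cutoff are assumptions chosen for the example, and the readings are constructed rather than measured.

```python
"""Added example: classify voltage readings into the power events above.

Assumptions (hypothetical, chosen for illustration): 120 V nominal,
+/-10 % normal band, below 10 V counts as no power, and an event shorter
than one second is "momentary". Readings are constructed, not measured.
"""

NOMINAL_V = 120.0
TOLERANCE = 0.10      # readings within +/-10 % of nominal are normal
OUTAGE_V = 10.0       # below this the line is treated as dead
MOMENTARY_S = 1.0     # events shorter than this are momentary

# (direction, momentary?) -> event name, following the article's taxonomy
EVENT_NAMES = {
    ("high", True): "spike", ("high", False): "surge",
    ("out", True): "fault", ("out", False): "blackout",
    ("low", True): "sag", ("low", False): "brownout",
}


def _state(volts: float) -> str:
    """Map one reading to out / low / normal / high."""
    if volts < OUTAGE_V:
        return "out"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "low"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "high"
    return "normal"


def classify_events(samples, period_s: float):
    """samples: voltage readings taken every period_s seconds.

    Returns a list of (event_name, start_time_s, duration_s), one entry per
    run of consecutive abnormal readings. A sentinel flushes a run that is
    still open at the end of the data."""
    events = []
    current, start = None, 0
    for i, volts in enumerate(list(samples) + [None]):
        state = "normal" if volts is None else _state(volts)
        if state != current:
            if current not in (None, "normal"):
                duration = (i - start) * period_s
                name = EVENT_NAMES[(current, duration < MOMENTARY_S)]
                events.append((name, start * period_s, duration))
            current, start = state, i
    return events


def summarize(events) -> dict:
    """Count events by type, e.g. {'sag': 3, 'blackout': 1}."""
    counts = {}
    for name, _, _ in events:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed readings, one every 0.5 s: a spike, a 2 s blackout, a 3 s
# brownout, a 2.5 s surge, a half-second fault and a half-second sag.
SAMPLE_READINGS = [
    120, 121, 145, 119, 120,
    0, 0, 0, 0, 120,
    100, 100, 100, 100, 100, 100, 120,
    135, 135, 135, 135, 135, 118,
    0, 120, 105, 120,
]

if __name__ == "__main__":
    found = classify_events(SAMPLE_READINGS, period_s=0.5)
    for name, start, duration in found:
        print(f"{start:6.1f}s  {name:<8} lasting {duration:.1f}s")
    print(summarize(found))
```

With real data the period comes from whatever is sampling the line (a monitoring UPS, a power-quality meter, or a data-logging multimeter); tune the momentary cutoff to the hold-up time of your power supplies, since a sag your supplies ride through is not worth an alert.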

Interference Issues:

  • Electromagnetic interference (EMI): noise induced by voltage differences among the three conductors (hot, neutral, and ground). Lightning and electric motors are common sources.
  • Radio frequency interference (RFI): caused by fluorescent lighting, electric cables, components within electrical systems, and radio transmitters. In an office, fluorescent lighting is the usual source.

Power Preventative Measures


  • Use a surge protector
  • Keep a steady, regulated voltage supplied to every device
  • Use a voltage regulator
  • Provide proper earth grounding
  • Shield cables and equipment against EMI
  • Avoid RFI through proper design (don't run power lines over fluorescent lighting, etc.)
  • Use three-prong connections with a ground pin, never ungrounded two-prong plugs
  • Do not daisy-chain outlet strips and extension cords into each other

Summary

In this article we covered the basics of Physical Security and backup power. I hope you enjoyed this article, looking at physical security and getting a different perspective on disaster. More to come so stay tuned!

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in-depth experience with globally deployed Microsoft and Cisco systems. Robert works constantly with new companies to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster free. Robert is the author of many security-related articles and published books, including the best-selling "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best-selling Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. Robert can be found online at www.rsnetworks.net

Article Source : www.windowsecurity.com