EMPLOYEE CONFIDENTIALITY UNDERTAKINGS

It is increasingly important that employees are required to sign confidentiality undertakings to their employers. The following guidance is given for consideration, although organizations are recommended to seek further expert opinion on the suitability of such statements to their own contracts of employment:

'Confidential Information' normally means any information which is not generally known in the relevant trade or industry, and belongs to the Organization, or is learned, discovered, developed, conceived, originated or prepared during, as a result of, or in connection with, the Employees work, or relates to the Organization's customers of clients, including but not limited to :

• Information which is unique to the Organization
• Any information which the Organization or their clients or customers may wish to protect by patent or copyright, or by keeping it secret or confidential; and
• Information relating to the existing or contemplated products, services, technology, designs, processes, formulae, computer systems, computer software, algorithms, research or development of the organization;
• Information relating to proprietary products or services;
• Any proprietary information not generally known to the public;
• Information relating to the business plans, sales or marketing methods, methods of doing business, customer lists, customer requirements or supplier information of the Organization;
• Information which may affect the value of the shares in the Organization and (where relevant) any price sensitive information

The Employees should be asked to acknowledge that the Organization:

• Is (inter alia) in the business or providing
• Operates a highly competitive commercial arena.
• Has and will invest significantly in terms of money and time in developing their business and products;
• Has and will expect to develop confidential proprietary information relating to their business; and

The Employees should acknowledge that during their employment they may have access to, gain knowledge of, be entrusted with and be involved in the creation of Confidential Information, improper disclosure of which could :

• Result in the Organization losing its competitive edge;
• Cause the Organization to suffer financial loss; and
• Be otherwise detrimental to the Organization.

The Employees should undertake that both during employment or thereafter, they will:

• Not disclose, divulge or communicate to any person any Confidential Information, save to those officials of the Organization whose proper province it is to know such information or with the written consent of the Board;
• Not use any Confidential Information for his/her own benefit or for the benefit of any third party or in a manner which could be detrimental to the Organization;
• Do everything reasonably within his power to protect the confidentiality of all Confidential Information;

The Employees should also undertake that on leaving the company they will:

• Deliver up to the Organization all copies and originals of documents, computer disks, tapes, accounts, data, records, papers, designs, specifications, price lists, lists of customers and all other information, whether written or electronically stored, which belongs to the Organization or relates in any way to their business or affairs or the business or affairs of any of their suppliers, agents, distributors or customers, or contain any Confidential Information, and are in the Employees' possession or under his control.
• Upon request supply the Organization with a signed statement confirming that the Employee has complied with this undertaking.

Again, further guidance on this and similar topics is included in the RUSecure Security On-line Support system (http://www.yourwindow.to/security-policies/).

From : 17799-news.the-hamster.com

CIA triad

From Wikipedia, the free encyclopedia

CIA triad is a widely-used information assurance (IA) model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information. The three characteristics of the idealized model are also referred to as IA services, goals, aims, tenets or capabilities.

Confidentiality
Confidentiality is assurance of data privacy. Only the intended and authorized recipients: individuals, processes or devices, may read the data. Disclosure to unauthorized entities, for example using unauthorized network sniffing is a confidentiality violation.

Cryptography is the art and science of storing and transmitting confidential data.

Integrity
Integrity is assurance of data non-alteration. Data integrity is having assurance that the information has not been altered in transmission, from origin to reception. Source integrity is the assurance that the sender of that information is who it is supposed to be. Data integrity can be compromised when information has been corrupted or altered, willfully or accidentally, before it is read by its intended recipient. Source integrity is compromised when an agent spoofs its identity and supplies incorrect information to a recipient.

Digital Signatures and hash algorithms are mechanisms used to provide data integrity.

Availability
Availability is assurance in the timely and reliable access to data services for authorized users. It ensures that information or resources are available when required. Most often this means that the resources are available at a rate which is fast enough for the wider system to perform its task as intended. It is certainly possible that confidentiality and integrity are protected, but an attacker causes resources to become less available than required, or not available at all. See Denial of Service (DoS).

High availability protocols, fully redundant network architectures and system hardware without any single points of failure ensure system reliability and robustness.

Augmentations to the CIA Triad
There have been attempts to augment the CIA triad with concepts such as accountability, non-repudiation, authentication, value, intended use (utility) and others.[1] The triad, being a very simple model with narrow application, cannot adequately describe many important security objectives. Therefore augmentations may be an effort to broaden the applicability of the model. There is a perceptible incongruity, however, between the triad, which identifies fundamental security characteristics of information, augmentations which identify security characteristics of processes (e.g. trusting, sharing, using or evaluating) and loss of control, otherwise known as theft. Newer models are the Parkerian hexad and Security in Context from the Information Security Management Maturity Model.

Some common augmentations to the triad are:

Accountability
Accountability is assurance in tracing all activities to a responsible and authorized individual or process within a reasonable amount of time and without undue difficulty.

Non-Repudiation

Non-Repudiation is assurance that:

* The sender of data is provided with proof of delivery
* The recipient is provided with proof of the sender's identity

In this case neither can later deny having processed the data. In e-commerce and legal terms this prevents the sender, an online vendor for example, from being obliged to ship replacement goods to a malicious customer who denies receiving the original data. The non-repudiation of sourcing information means that the sender can't deny submitting the information. This prevents the sender from anonymously spoofing messages with malicious intent.

Authentication
Authentication is the process to verify the identity of an individual, a computer, a computer program, or similar.

Utility
Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications (encryption of data-at-rest) and then lost the decryption key. This is a breach of utility. The data is confidential, controlled, integral, authentic and available – but it is just not useful. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility if the substitution made it more difficult to interpret the data. Another example is the storage of data in a format inappropriate for a specific computer architecture like EBCDIC instead of ASCII. A tabular representation of data substituted for a graph could be described as a breach of utility since the substitution makes it difficult to interpret the data. Utility is often confused with availability because breaches such as those described in the examples may also require time to work around the change the data into a useful form.

Possession
Suppose a thief were to steal a sealed envelope containing a bank debit card and somehow its personal identification number (PIN). Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that he or she could do so at any time without the owner's control. That situation illustrates a loss of control or possession of information, but does not involve the breach of confidentiality.

Variations on the Mnemonic
Other mnemonic variations are in use to represent the CIA triad. This is done to avoid confusion with the acronym for the U.S. Central Intelligence Agency (CIA).

Another mnemonic is PAIN:

* Privacy = Confidentiality
* Availabilty/Authentication
* Integrity
* Non-Repudiation

The CIA triad sometimes also referred to in reverse order as the AIC triad.

History
“ ...the high-level security goals most often specified are that the system should prevent unauthorized disclosure or theft of information, should prevent unauthorized modification of information, and should prevent denial of service. ”

A Comparison of Commercial and Military Computer Security Policies, Clark-Wilson, 1987

In a 1987 survey document comparing commercial and U.S. Department of Defense (DoD) computer security by David D. Clark and David R. Wilson, the authors introduced the concept of the computer security integrity model. The paper formalizes the notion of information integrity as compared to DoD's Orange Book's emphasis on security labels and classification, i.e. security is confidentiality. Clark and Wilson argue that the existing computer security models such as Bell-LaPadula and Biba were better suited to enforcing data confidentiality rather than information integrity.

Extend business reach with a robust security infrastructure.

Overview
In the face of growing numbers of complex regulatory requirements, organizations must find a way to protect their information and systems while giving ever-growing numbers of users access to the systems and applications they need. This is particularly critical when it comes to the continually growing business requirement to increase employee, customer and trading-partner access to valuable data and resources. IBM security management solutions are designed to work across platforms and applications to integrate and support critical business initiatives. Through extensive features and tools, an organization can establish centralized, automated policies and processes to help minimize security risks and address regulatory mandates — freeing IT staff from routine security tasks to focus on integrating existing systems and extending the network.

IBM provides end-to-end service management solutions for successful innovation, including the implementation and management of new-generation architectures. Our proven solutions enable customers to establish an enterprise-wide hardware and software foundation, manage optimal business flexibility and ensure effective service delivery. New technologies can be quickly and cost-effectively assimilated into their environments. Workload balancing, provisioning, availability and security can be more easily and effectively managed across new architectures.

IBM service innovation solutions represent one of a number of modular entry points into IBM Service Management, a comprehensive, fully integrated approach to closing the gap between business and IT innovation. IBM Service Management helps organizations both create and manage value, with products and services that address the complete service management life cycle, from business management to IT development and IT operations, with solutions spanning hardware, software, consulting and financing services.

Contents
- Overview
- Adapt to today’s security landscape
- Drive value from end-to-end security solutions
- Assess security requirements
- Institute effective identity and access control management
- Manage user accounts across the enterprise
- Validate and exchange user identification with trusted enterprises
- Enforce policy-based access control
- Synchronize identity data across multiple repositories 8 Help identify attacks, malware, misconfigurations and misuse to mitigate security risks
- Implement, enforce and report on security compliance policies
- Leverage IBM leadership in security solutions
- Summary
- For more information
- About Tivoli software from IBM

See All 12 Page At Ibm.com

ISO 17799: Asset Management

By Gregory Yhan, CISSP, MCAD.Net

Introduction
In a previous article, I outlined the scope and implementation guidelines for the ISO
17799 information security standard. The article also examined Security Policy, the f irst
of eleven security clauses mentioned in the standard. The ISO 17799 defines the term
asset as ‘anything that has value to an organization.’ In the realm of information
technology, assets can range from data f iles to physical assets, such as removable
media; how ever, the ISO definition allow s an organization to classify items as assets
from a broader spectrum. Intangibles, such as reputation of the organization, general
utilities, and the skill sets of a workforce can all be classified as assets. The following
article will examine the ‘Asset management’ security clause, including the tw o main
security categories listed under this clause.

Responsibility for assets
‘Responsibility for assets’ is the first of two main security categories listed under the
Asset management clause. According to the ISO, the overall objective of asset
responsibility is to achieve and maintain adequate protection of assets. To achieve this
objective, the 17799 standard has listed three controls. Inventory of Assets, Ow nership
of assets and acceptable use of assets, collectively or individually implemented w ill
enable an organization to maintain appropriate protection of assets.

Inventory of assets
As aforementioned, Inventory of Assets is one of three controls listed under the main
security category, Responsibility of assets. As the phrase implies, Inventory of Assets
requires assets to be clearly identif ied and an inventory of ‘important’ assets be created
for an organization. According to the implementation guidelines offered by the ISO, the
importance of each asset should also be documented. The importance of an asset can
be measured by its business value and security classification or label. The inventory
should include all necessary information required for an organization to recover from a
‘disaster.’ Depending on an organization, inventories of assets will not only allow for
effective protection of assets but also may be required for other business processes,
such as insurance or financial reasons. The ISO 17799 also highlights that an inventory
is an important prerequisite for risk management.

Ownership of assets
The second of three controls listed under the Responsibility for assets main security
category is Ownership of assets. According to the ISO, all information and assets
associated w ith ‘information processing facilities’ should be ‘ow ned’ by a designated part
of the organization. In the 17799 standard, information processing facilities is defined as
‘any information processing system, service or infrastructure, or the physical locations
housing them.’ The term ‘ow ner’ identifies an ‘individual or entity that has approved
management responsibility for controlling the production, development, maintenance,
use and security of the assets.’ Therefore, ownership can be allocated to an application,
a business process or a defined set of data. The standard further warns that the term
does not mean that the person has any property rights to the asset. The designated
ow ner of an asset should ensure that information and assets associated with processing
facilities are properly classified. In addition, the ow ner is responsible for defining and
review ing access classifications.

Acceptable use of assets
The last of three controls listed under the Responsibility of assets security category is
‘Acceptable use of assets.’ This control assists in maintaining protection of assets by
identifying, documenting and implementing rules for the acceptable use of information
and assets. The organization is expected to establish rules for the acceptable use of
information and assets. These include, but are not limited to, email and Internet usage.
The key to a successful ‘use of asset’ policy is one that is supported by management.
The goal is to make all employees and even contractors aware of the limits that exist
regarding the use of their organization’s information and assets.

Information classification
Information classification is the last of tw o main security categories listed under the
Asset management security clause. Instead of achieving and maintaining adequate
protection of assets, the objective of information classification is to ensure that
information receives the appropriate level of protection. Information should be classified
to indicate the expected degree of protection w hen handling the information. The ISO
17779 has listed tw o controls to meet this objective, Classification guidelines and
Information labeling and handling.

Classification guidelines
According to this control, information should be classified in terms of its ‘legal
requirements, sensitivity, and criticality’ to an organization. The implementation
guidance (do you mean guidelines?) sheds further light on these requirements. The
classif ication guidelines should consider the business needs for sharing or restricting
information. This evaluation will lead to a clearer understanding of what information
needs to be protected and the possible impact these measures w ill have on business
rules. The responsibility of classification falls w ithin the asset ow ner’s domain. It is the
ow ner’s responsibility to review and update classification levels. The need for continued
review stems from the fact that information ceases to be sensitive or critical after certain
periods of time. The ISO w arns that ‘over-classification’ can lead to implementing
unnecessary controls leading to additional expense.

Information labeling and handling
The second control under this security category involves developing procedures for
labeling and handling information according to the classification scheme adopted by an
organization. These procedures should consider labeling information in its electronic and
physical formats. For example, the output from certain systems classified as critical
should be labeled. These labeling rules should reflect the rules set out in the
classif ication guidelines mentioned above. Each classif ication level should define
procedures for processing, storage, transmission, declassification and destruction of
assets. As the sharing of information becomes more critical for the success of
businesses, labeling and secure handling of information is key for security.

Conclusion
Managing and securing an organization’s assets can be a daunting task. The ISO
17799 Asset management security clause has laid out a strong foundation from w hich
organizations can implement appropriate controls for protecting assets. Developing an
inventory of assets, defining owners of assets, establishing acceptable use policies, and
classifying and labeling information are all controls that can be implemented to ensure
information and assets receive appropriate protection.

Two Standards, One Tough Choice

By Roy Wiseman
Director, Information Technology Services
Regional Municipality of Peel

Prominent on the agenda of the most recent meeting
of the National CIO Subcommittee for Information
Protection (NCSIP) was a discussion of various
standards for security assessment and certification.
The meeting was held in Charlottetown from June 18
through 20 and included representatives from the
Government of Canada, nine of the 10 provinces and
myself, representing municipalities. (What’s not to like
about Charlottetown in June? Even so, our host, Garth
Matthews of the Province of Prince Edward Island,went
out of his way to ensure that delegates were exceedingly
well looked after – including providing spectacular
weather for our lobster and steak cruise!)
Here are some highlights of our discussions.

ISO 17799: Code of Practice for Information
Security Management
Perhaps the best known, and least understood, standard
for information security management goes under the
unwieldy name of ISO 17799.
ISO 17799 was based on an earlier BS 7799 standard
adopted in 1995 by the British Standards Institute. The
International Standards Organization (ISO) adopted ISO
17799 in August of 2000. Since that time,work has proceeded
on a major review of the standard to overcome
the objections from many participating countries, including
Canada and the United States. While the Government of
Canada is participating in this review, it has yet to take a
position on whether the updated version will be
endorsed as a standard for the Government of Canada.

In its original version, ISO 17799:2005 consists of 12
prime sections:

* 1: Risk assessment and treatment - analysis of the organization's information security risks
* 2: Security policy - management direction
* 3: Organization of information security - governance of information security
* 4: Asset management - inventory and classification of information assets
* 5: Human resources security - security aspects for employees joining, moving and leaving an organization
* 6: Physical and environmental security - protection of the computer facilities
* 7: Communications and operations management - management of technical security controls in systems and networks
* 8: Access control - restriction of access rights to networks, systems, applications, functions and data
* 9: Information systems acquisition, development and maintenance - building security into applications
* 10: Information security incident management - anticipating and responding appropriately to information security breaches
* 11: Business continuity management - protecting, maintaining and recovering business-critical processes and systems
* 12: Compliance - ensuring conformance with information security policies, standards, laws and regulations

ISO 17799 has been criticized for being “a mile wide
and an inch deep.” As noted by Lawrence Walsh in
Information Security magazine (March 2002):“It outlines
security measures an organization should have, but
doesn’t specify how to implement them. . . . For instance,
the standard recommends the use of adequate access
control procedures and defines many of the different
technologies for access control – tokens, certificates and
smart cards. However, it doesn’t discuss the pros and cons
of these technologies in different operational contexts.”
In this regard, ISO 17799 is attempting to be technology
neutral and also avoid becoming quickly outdated by
rapidly changing technology. At the same time, it means
that ISO 17799 is most useful as a checklist identifying
areas to be addressed, rather than providing substantial
guidance in how to address each area.
Notwithstanding this, a substantial industry is emerging,
primarily in Europe, around consulting and certification
services for ISO 17799. Software tools to support ISO
17799 self assessment, as well as ISO 17799 compliant
policies, are widely available from a number of Internet
sites (for a price).

NIST 800-37: Guidelines for the Security,
Certification and Accreditation of Federal
Information Technology Systems (US)
The other major standard for information security has
been developed by the National Institute of Standards
and Technology (NIST) in the United States as a guideline
for use by federal government agencies (and on a voluntary
basis for non-government agencies).
Unlike the ISO 17799 standard, NIST publications are
freely available on the NIST Computer Security Research
Center (CSRC) Web site – www.csrc.nist.gov. In addition
to NIST Special Publication 800-37, referenced above,
these will include:
• FIPS (Federal Information Processing Standards)
Publication 199, Standards for Security Categorization of
Federal Information and Information Systems
• NIST Special Publication 800-26, Security
Self-Assessment Guide for Information Systems
• NIST Special Publication 800-53, Security Controls
for Federal Information Systems
• NIST Special Publication 800-53A, Techniques and
Procedures for Verifying the Effectiveness of Security
Controls in Federal Information Systems
• NIST Special Publication 800-60, Guide for Mapping
Types of Information and Information Systems to
Security Objectives and Risk Levels.
The first of these publications, FIPS 199, provides a
framework for associating a level of risk with a particular
information system. In the document, risk is identified
as being a combination of:
• Likelihood that particular vulnerabilities will be either
intentionally or accidentally exploited, resulting in
loss of confidentiality, integrity or availability, and
• Impact or magnitude of harm that the loss of confidentiality,
integrity or availability would have on
agency operations (including mission, functions,
image or reputation), agency assets or individuals
(including privacy).
Interestingly enough, FIPS 199 virtually discounts differences
in likelihood of an event occurring, arguing that
“in today’s interconnected and interdependent information
systems environment . . . there is a high likelihood of a
variety of threats . . . Accordingly, the levels of risk focus
on what is known about the potential impact or harm
that could arise.”
Guidelines are then provided for rating the level of
risk as low, moderate or high against three security
objectives:
• Confidentiality – guarding against unauthorized
disclosure of information
• Integrity – guarding against improper information
modification or destruction
• Availability – ensuring timely and reliable access to
and use of the information.
Another interesting document is the Self Assessment
Guide, NIST 800-26, which provides in questionnaire format
a set of control objectives for each of 17 control areas,
organized as follows:
• Management Controls
• Risk Management
• Review of Security Controls
• Life Cycle
• Certification and Accreditation
• System Security Plan
• Operational Controls
• Personnel Security
• Physical Security
• Production, Input/Output Controls
• Contingency Planning
• Hardware and System Software Maintenance
• Data Integrity
• Documentation
• Security Awareness,Training and Education
• Incident Response and Capacity
• Technical Controls
• Identification and Authentication
• Logical Access Controls
• Audit Trails.

Readers will note the similarity, in some areas,
between the organization of this document and ISO
17799. Equally apparent is that there are differences.

Supporting this document and the associated questionnaire
is an “Automated Security Self-Evaluation Tool”
(ASSET), which is again freely downloadable.

Whither Canada?
Since it appears likely that ISO 17799 will continue to
gain momentum in Europe while the United States will
focus on the work being done by NIST, Canada is left
somewhat in the middle. While NIST is intended for use
only by US government agencies, it will probably have
an impact beyond this limited application, making it less
likely that ISO 17799 will be widely adopted in the US.

It is not clear whether Canada, the provinces or
municipalities need to specifically adopt any standard.
At this point, it is worth reviewing both ISO 17799 and
the NIST publications, taking the best of each – as the
Government of Canada and many provinces have
already been doing in developing their own self-assessment
frameworks.

But if we are to develop a common security assessment
framework for use by a broad set of agencies
(such as governments at all levels), then we may have
to put a stake in the ground, adopting one standard or
the other (or a home-grown combination of the two).
NCSIP and the Public Sector CIO Council will continue
to wrestle with this issue.

wisemanr@region.peel.on.ca

ISO 17799 SOFTWARE

We are sometimes asked about the role of software/products with respect to ISO17799, particularly the two most well known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they competitor products or do they compliment each other? How do they help?

The truth is that they fulfill completely different needs:

B) COBRA is designed to help you manage that compliance. It takes you through the standard and ultimately measures your compliance level, pointing out where you fall short. Quite apart from this it is one of the most widely used (possibly THE most widely used) risk analysis systems in the world... and bear in mind that risk analysis is integral to the requirements of the standard... references to 'as determined by risk assessment' are almost interwoven.

In essence therefore, one product gets you started, the other helps you manage.

A) The ISO17799 Toolkit on the other hand comprises the basic building blocks: the standard itself (both parts), 17799 cross referenced security policies, and so on. It is intended to 'get you going' on the right path straight away, by providing some basics, as well as guidance and explanations by way of a presentations, glossary, roadmap, etc. It can basically be seen as an introduction and starting pack for compliance with the standard.

From : 17799-news.the-hamster.com

IT COULDN'T HAPPEN HERE....COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Confidential User-Ids?

Organizations rightly stress the importance of password confidentiality. Some also urge staff to select sensible passwords, which cannot be easily guessed or calculated.

Sometimes this is not taken as seriously as it should be, as individuals believe that, for example, a password of Sept2003 simply isn't going to be guessed by a perpetrator within the maximum number of input attempts allowed.

However, exposure doesn't always work like this. One breach occurred because the perpetrator discovered the format of a firm's user-ids (company code followed by 3 initials and a single digit number). He then reverse engineered the process: He selected a password similar to the above (eg: June2003) and then tried this password once against hundreds of combinations of user-id initials. The net result was that the accounts were not closed because each only had one invalid attempt. Eventually he hit a user with that password. He wreaked havoc.

2) When is Disposal is Not Disposal?

Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally practiced.

The history of information security, however, is littered with examples of disclosure through uncontrolled disposal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc from garbage bins are rife. However, there are plenty of other routes:

a) Not too many years ago a network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discretely offered for sale to selected competitors!

b) A more recent example along the same lines: On this occasion the perpetrators tracked the disposal route of a computer engineering firm. This firm was responsible for the maintenance of peripherals and routinely replaced the faulty media of their clients. Sadly the hardware fault was not always terminal for the data stored.

Although many of the customers had excellent disposal procedures in place, they had not covered this eventually. Their data as exposed as a result.

From : 17799-news.the-hamster.com

ISO 17799 RELATED DEFINITIONS AND TERMS

In each ISO17799 Newsletter we will include a selection of terms and definitions to unravel and explain some of the jargon and strange language used by IT and information security professionals. In this edition we have provided a selection of terms that all start with the letter “S”.

Shoulder Surfing
Looking over a user’s shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers, it is used wherever passwords, PINs, or other ID codes are used. Could the person behind you at the bank ATM be a shoulder surfer?

Super User
The term ‘Super User’, is one that denotes the highest level of user privilege and can allow unlimited access to a system’s file and set-up. Usually, Super User is the highest level of privilege for applications, as opposed to operating or network systems. Notwithstanding the possible semantics, the use of Super User should be under dual control as such a user could, if they so wished, destroy the organization’s systems maliciously or simply by accident; neither is acceptable!

Stripping
Deliberately deleting files, records, or data, from a system. This can be an authorized activity when, for example, duplicate files are identified and removed from the system to reclaim the disk storage space they occupy. More often, however, stripping is associated with the removal of records which evidence some fraudulent or other criminal activity. It is not unusual for Auditors, or Law Enforcement officers to find that the records they need for their investigations are not there. Deleted records can be recovered if the storage media is secured quickly enough, but a skilled stripper can usually remove all trace of them before such action can be taken. The only recourse then is to backup files where (hopefully) copies can be obtained.

Software Licensing
The use of unlicensed software is illegal, and whilst the majority of organizations would not condone it, the vast majority are believed to be using unlicensed software to some extent or another. In many cases, software piracy occurs totally unintentionally; perhaps where a genuinely licensed program is copied for use on multiple workstations. It is common practice for software vendors to permit customers to ‘try before they buy’. In this case, they offer the software as ‘shareware’ and propose a trial of say, 30 days. At the expiration of the 30 day period, and depending upon the ingenuity of the developer, the software can refuse to load without the input of a valid license key; or it can continue to run as normal or can require the continue depression of a button to signify your understanding of the terms of the license. Unlicensed software is major threat to an organization’s Information Security because, not only does this jeopardize the legal position, it also threatens the data held on such systems as no support will be provided. The End User License Agreement is normally seen during the install process of the software.

From : 17799-news.the-hamster.com

BACK-UP AND RECOVERY STRATEGY

One of the most important aspects of Business Continuity Planning for the majority of organizations is in choosing an appropriate strategy for the back-up and recovery of the IT based systems.

In this phase, the key business processes are matched against the IT system and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. For large systems, it may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach.

Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could, of course, also have a significant impact on the organization's IT services and systems.

There are a number of strategic options to be investigated when considering IT systems back up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business processes (the speed of recovery needed), and the amount of money available for IT back up and recovery strategies. The options, in order of cost, are as follows:

a) No Strategy At All
This is the cheapest strategy. This also carries the highest risk and will involve no off-site back up of system or data. This option often ends up with the organization going out of business.

b) Relocate and Restore Option
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the systems and backed up software and data after an emergency has occurred. This strategy is usually considered to be inadequate for the needs of today’s business.

c) A Cold Site
This strategy involves the setting up of an emergency site once the crisis has occurred and has a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.

d) A Hot Site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to his site within an agreed time period, usually less than six to twelve hours.

e) A Switchable Hot Site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to his site within an agreed time period, usually less than one to two hours.

f) A Fully Mirrored Recovery Site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back up site. This is normally the most expensive option.

From : 17799-news.the-hamster.com

CONTROLLING CHANGES TO THE SERVICE LEVEL AGREEMENT

From time to time, it may be necessary for either the Supplier or the Client to require changes to the services being delivered or other aspects of the servive level agreement. These changes need to be carefully controlled and should be covered by an approved and detailed procedure. It is recommended that change requests are formalized and agreed between the parties. If the changes to the services are reasonably simple then only minor changes to service listings need to be agreed. If, however, the changes to the Services are fundamental or complex, they may also require changes to be made to broader aspects of the agreement itself.

Changes to the Agreement should be handled under agreed change control procedures. It is normally recommended, however, that the Client organization establishes some form of specific Steering Committee which will be responsible for controlling and monitoring the SLA and changes to the Services, service measurement criteria or the Agreement itself. The following process is fairly common:

• The nominated Client Representative should submit a Services Change Request (SCR) on behalf of the user department to the Supplier for consideration, review and costing.
• The Supplier should review the feasibility of the Services Change Request and provide an estimate of the time and work effort
• The Client Representative and the Supplier should jointly present the Services Change Request to the SLA Steering Committee
• Steering Committee is to approve or reject the Services Change Request.
• The Steering Committee should consider the impact on contracts and agreements between the two parties and the budgetary issues
• The Service Change Request, if approved, is then incorporated into the Service Level Agreement.

For a service level agreement template and pre-defined process covering SLAs see: http://www.service-level-agreement.net

NOTE: If you haven't got a formal service level agreement in place for your critical services... you should have!

From : 17799-news.the-hamster.com

ISO 17799 IMPLEMENTATION IN YOUR ORGANIZATION

It is becoming increasingly critical that information security is given the attention and level of importance it deserves. Most organizations are now absolutelyy dependent upon their information and business systems, so much so that serious disruption can mean disaster or critical loss.

ISO17799 is the only internationally accepted worldwide standard/code dealing comprehensively with these issues. Purchasing this standard is a good first step, but as the standard is by necessity a comprehensive and therefore a reasonable complex document, guidance is often necessary to help organizations decide where to start and what priorities should be applied to the implementation process.

The ISO 17799 Toolkit was of course introduced to solve many of these issues in one step. As well as containing both parts of the standard, it also includes a full set of compliant policies ready for implementation, a road map for potential certification of the organization, an audit kit for network based systems, a business impact analysis questionnaire together with many other supportive items (eg: a disaster recovery kit, a management presentation and an IS glossary). This toolkit represents extremely good value as it can enable organizations to commence work with the introduction of vital security aids without reference to expensive external consulting resources.

However, even armed with a support kit such as this, it is important to understand that the key to the standard is PROCESS... the creation and maintenance of a robust ISMS. This is occasionally overlooked, as some organizations simply adopt a tick list from the first part of the standard (ISO17799). This is certainly a good stride forward, but is by no means the end of the journey.

When first considering the standard, therefore, it should be understood that the path forward will certainly include enhancement and improvement of security, but it will largely be driven via the creation and maintenance of information security management systems and supporting procedures.

From : 17799-news.the-hamster.com