Towards Improved Security Management Practice: Designing an organizational model procedure for the implementation of Information Security Management in heterogeneous Information Management environments

by Marko Nordquist

ISBN: 1-58112-161-X
DISSERTATION.COM
USA • 2002

Copyright © 2001 Marko Nordquist
All rights reserved.
Dissertation.com
USA • 2002
ISBN: 1-58112-161-X
www.dissertation.com/library/112161xa.htm

A thesis submitted in partial fulfilment of the requirements of School of Computer and Information Sciences, Holmes University for the degree of Doctor of Philosophy.
November 1998 - September 2001
Page 2

Certification Statement

I hereby certify that this dissertation constitutes my own product and that the words or ideas of others, where used, are properly credited according to accepted standards for professional publications.

Signed: _________________________________________ Marko Nordquist

Marko Nordquist: “Towards Improved Security Management Practice”
Page 3

Abstract

The growth of personal computing, the Internet, ever more complex enterprise infrastructures and inter-company cooperation has not yet reached its peak. Although the prophets of the IT branch keep affirming that the growth rate will decrease, there is no significant trend that would justify these statements. Growth of the information technology branch automatically entails an increase in security leaks, attacks and many forms of vulnerabilities.

This thesis hooks into these topics and offers the reader a precise instrument to set up, refine, or check and balance security in their own environment. The thesis is not limited to corporate IT departments but also addresses private individuals who want to have a look at the wide field of security-related topics and questions. The thesis is intended to be as complete as possible; however, given the rapid growth of the field, it will have to be reviewed and completed on a regular basis.

The thesis develops a security model that can be adopted as-is or that can be altered, extended or completed according to private or business needs. The thesis also tries to give a brief overview of the role and responsibilities of an “information security officer” and attempts to design a security organization model for larger enterprises.
Page 4

Acknowledgements

To keep the right sequence, first of all I would like to express my respect to my parents and to all my former teachers, tutors and professors at schools and universities. I am aware that teaching is a tough job today and pupils and alumni are not always the pride of their schoolmasters. However, even if I have not always been the most popular apprentice, I can say that all of you did a good job. Your patience was admirable and even if you thought your doctrines died away unheard, they have been impressive enough to enable me to make my way and write this thesis.

Another bunch of people that I would like to thank is all colleagues, co-workers and superiors that I worked together with during the last two centuries. You all gave me the opportunity to enhance my work and life experience and to grapple with topics that might have passed my attention otherwise.

Most of all I would like to thank my wonderful wife Monika. Without her, there would have been no dissertation at all. Her patience was unending; no matter how many hours of work I had to put in, she never complained. She gave me the opportunity to complete my studies and to write down this lifework. She was an unending source of motivation towards my educational goals. Without her assistance and encouragement, my studies would have been even more difficult. I thank her for these efforts with all my love.

Page 5

Likewise I would like to thank every single reader of this thesis who comes back with ideas and proposals for augmentations, improvements and additions. Feel free to mail me your proposals in detail. Notice that statements about chapter and topic are vital to any addition, improvement and augmentation. Please use the following email address: marko@nordquist.com and use plain text for transmission of written materials.
Page 6

Table of contents

1. - Brief overview on information management and security ..... 10
1.1. - Information technology in the last century ..... 10
1.1.1. - The early years of computing ..... 10
1.1.2. - The personal computer breakthrough ..... 10
1.1.3. - The steady growth of the Internet ..... 11
1.2. - Starting security considerations ..... 11
1.3. - The influence of the Internet on information security ..... 12
1.4. - Is “complete information protection” possible? ..... 13
2. - Introduction to information security ..... 13
2.1. - Background of this study ..... 13
2.2. - Objectives of this study ..... 13
2.3. - What is the meaning and importance of information security? ..... 14
2.4. - The structure of the model procedures ..... 16
2.5. - Setup and major points to the information security model ..... 16
2.6. - Risk assessment ..... 17
2.6.1. - Risk assessment documents ..... 17
2.7. - Setting up enterprise security requirements ..... 18
2.8. - Critical key factors to successful security management ..... 19
2.9. - Distribution, marketing and reviews ..... 20
3. - Management controls for information security ..... 20
3.1. - Security Policy ..... 20
3.1.1. - Information security policy ..... 20
3.1.1.1. - Information security policy document ..... 1
3.2. - Security organization ..... 21
3.2.1. - Information security infrastructure ..... 21
3.2.1.1. - Steering committee for information security ..... 21
3.2.1.2. - Information security coordination ..... 22
3.2.1.3. - Allocation of responsibilities ..... 23
3.2.1.4. - Authorization process for IT facilities ..... 24
3.2.1.5. - Co-operation between organizations ..... 24
3.2.1.6. - Independent reviews of information security ..... 25
3.2.2. - Security of 3rd party access ..... 25
3.2.2.1. - Identification of risks from 3rd party connections ..... 25
3.2.2.2. - Security conditions in 3rd party contracts ..... 26
3.3. - Classification and Control of Assets ..... 27
3.3.1. - Accountability for assets ..... 27
3.3.1.1. - Inventory of assets ..... 27
3.3.2. - Classification of Information ..... 28
3.3.2.1. - Classification guidelines ..... 28
3.3.2.2. - Classification labeling ..... 30
3.4. - Personnel security ..... 30
3.4.1. - Security in job definition and recruiting ..... 31
3.4.1.1. - Security in job description ..... 31
3.4.1.2. - Recruitment screening ..... 31
3.4.1.3. - Confidentiality agreement ..... 31
3.4.2. - User training ..... 32
3.4.2.1. - Information security education and training ..... 32
3.4.3. - Responding to incidents ..... 32
3.4.3.1. - Reporting of security incidents ..... 32
3.4.3.2. - Reporting of security weakness ..... 33
3.4.3.3. - Reporting of software malfunctions ..... 33
3.4.3.4. - Disciplinary process ..... 33
3.5. - Physical and environmental security ..... 34
3.5.1. - Secure areas ..... 34

Page 7

3.5.1.1. - Physical security perimeter ..... 34
3.5.1.2. - Physical entry controls ..... 36
3.5.1.3. - Security of data centers and computer rooms ..... 36
3.5.1.4. - Isolated delivery loading areas ..... 37
3.5.1.5. - Clean desk policy ..... 38
3.5.1.6. - Removal of Company property ..... 38
3.5.2. - Equipment security ..... 39
3.5.2.1. - Equipment placement and protection ..... 39
3.5.2.2. - Power supplies ..... 40
3.5.2.3. - Cabling security ..... 40
3.5.2.4. - Equipment maintenance ..... 41
3.5.2.5. - Security of equipment off-premises ..... 41
3.5.2.6. - Secure disposal of equipment ..... 42
3.6. - Network and computer management ..... 42
3.6.1. - Operational procedures and responsibilities ..... 42
3.6.1.1. - Documented operating procedures ..... 43
3.6.1.2. - Incident management procedures ..... 44
3.6.1.3. - Segmentation of duties ..... 45
3.6.1.4. - Separation of development and operational facilities ..... 46
3.6.1.5. - External facilities management ..... 46
3.6.2. - System planning and acceptance ..... 47
3.6.2.1. - Capacity planning ..... 47
3.6.2.2. - System acceptance ..... 48
3.6.2.3. - Fallback planning ..... 48
3.6.2.4. - Operational change control ..... 49
3.6.3. - Protection from malicious software ..... 49
3.6.3.1. - Virus control ..... 50
3.6.4. - Housekeeping ..... 51
3.6.4.1. - Data backup ..... 51
3.6.4.2. - Operator logs ..... 52
3.6.4.3. - Fault logging ..... 52
3.6.4.4. - Environment monitoring ..... 52
3.6.5. - Network management ..... 53
3.6.5.1. - The Principles of Secure Network Design ..... 53
3.6.5.2. - Adapting the Software Process Model to Network Security ..... 54
3.6.5.3. - Phase 1: Systems Requirements ..... 54
3.6.5.4. - Phase 2: Concept Formulation ..... 54
3.6.5.5. - Phase 3: Systems Definition ..... 55
3.6.5.6. - Phase 4: Engineering Design ..... 55
3.6.5.7. - Phase 5: Design Verification ..... 56
3.6.5.8. - Phase 6: Production and Installation ..... 56
3.6.5.9. - Phase 7: Operations ..... 56
3.6.5.10. - Phase 8: Retirement ..... 56
3.6.5.11. - Conclusion ..... 57
3.6.5.12. - Network security control ..... 57
3.6.6. - Media handling and security ..... 58
3.6.6.1. - Management of removable computer media ..... 58
3.6.6.2. - Data handling procedures ..... 59
3.6.6.3. - Security of system documentation ..... 59
3.6.6.4. - Disposal of media ..... 60
3.6.7. - Data exchange ..... 61
3.6.7.1. - Data exchange agreements ..... 61
3.6.7.2. - Security of media in transit ..... 61
3.6.7.3. - EDI security ..... 62
3.6.7.4. - Security of electronic mail ..... 62
3.6.7.5. - Security of electronic office systems ..... 63
3.7. - Control of system access ..... 64
3.7.1. - Business requirement for system access ..... 64
3.7.1.1. - Documented access control policy ..... 64
3.7.2. - Management of user access ..... 65
3.7.2.1. - User registration ..... 65

Page 8

3.7.2.2. - Management of privileges ..... 66
3.7.2.3. - Password management ..... 67
3.7.2.4. - Review user access rights ..... 67
3.7.3. - User responsibilities ..... 68
3.7.3.1. - The use of Passwords ..... 68
3.7.3.2. - Unattended user equipment ..... 69
3.7.4. - Network access control ..... 70
3.7.4.1. - Limited services ..... 70
3.7.4.2. - Enforced path ..... 70
3.7.4.3. - Authentication of users ..... 71
3.7.4.4. - Authentication of machines ..... 71
3.7.4.5. - Remote diagnostic port protection ..... 72
3.7.4.6. - Segmentation in networks ..... 72
3.7.4.7. - Network connection capability control ..... 73
3.7.4.8. - Network routing and switching control ..... 73
3.7.4.9. - Security of network services ..... 74
3.7.5. - Access control to computers ..... 74
3.7.5.1. - Terminal/Computer identification ..... 74
3.7.5.2. - Terminal/Computer logon procedures ..... 75
3.7.5.3. - User identifiers ..... 76
3.7.5.4. - Password management system ..... 76
3.7.5.5. - Duress alarm to safeguard users ..... 78
3.7.5.6. - Terminal/Computer time out ..... 78
3.7.5.7. - Limitation of connection time ..... 78
3.7.6. - Access control to applications ..... 79
3.7.6.1. - Information access restriction ..... 79
3.7.6.2. - Use of system utilities ..... 80
3.7.6.3. - Access control of the source program library ..... 80
3.7.6.4. - Sensitive system isolation ..... 81
3.7.7. - Monitoring access and use of systems ..... 82
3.7.7.1. - Event logging ..... 82
3.7.7.2. - Monitoring system use ..... 82
3.7.7.3. - Clock synchronization ..... 82
3.8. - System development and maintenance ..... 83
3.8.1. - Security requirements of systems ..... 83
3.8.1.1. - Security requirements analysis and specification ..... 83
3.8.2. - Security in application systems ..... 85
3.8.2.1. - Validation of data input ..... 85
3.8.2.2. - Validation of internal processing ..... 86
3.8.2.3. - Data encryption ..... 86
3.8.2.4. - Message authentication ..... 87
3.8.3. - Security of application system files ..... 87
3.8.3.1. - Control of operational software ..... 88
3.8.3.2. - Protection of system test data ..... 88
3.8.4. - Security in development and support environments ..... 89
3.8.4.1. - Change control procedures ..... 89
3.8.4.2. - Technical review of operating system changes ..... 90
3.8.4.3. - Restrictions on changes to software packages ..... 90
4. - Preventive action planning and precaution ..... 91
4.1. - Business continuity planning ..... 91
4.1.1. - Business continuity planning process ..... 91
4.2. - Business continuity planning framework ..... 92
4.2.1. - System high availability ..... 93
4.2.2. - Database rollback ..... 93
4.2.3. - BRS contracts ..... 93
4.2.4. - Backup computer centers ..... 93
4.3. - Testing business continuity ..... 94
4.3.1. - Testing business continuity plans ..... 94
4.3.1.1. - Planned testing ..... 94
4.3.1.2. - Instant testing ..... 94

Page 9

4.3.2. - Updating business continuity plans ..... 95
5. - Fulfillment and compliance ..... 96
5.1. - Compliance with legal and contractual requirements ..... 96
5.1.1. - Control of proprietary software copying ..... 96
5.1.2. - Safeguarding of Company records ..... 97
5.1.3. - Compliance with data protection legislation ..... 97
5.1.4. - Prevention of misuse of IT facilities ..... 98
5.2. - Security reviews of IT systems ..... 99
5.2.1. - Compliance with security policy ..... 99
5.2.2. - Technical compliance checking ..... 99
5.3. - System audit considerations ..... 99
5.3.1. - System audit controls ..... 100
5.3.2. - Protection of system audit tools ..... 100
6. - Prospective considerations and conclusion ..... 101
6.1. - How to apply all these policies and rules? ..... 101
6.2. - Is IT secure after complete implementation? ..... 102
6.3. - Which fields of IT need most attention? ..... 102
6.4. - Critical words about this model ..... 102
  12. 12. Page 10 1. - Brief overview on information management and security 1 .1 . - Information technology in the last century Information technology is a line of business that is quiet young compared to traditional vocations like crafts, manufacturing or trading. However, information technology nowadays can lay claim to be one of the leading and most important industries all over the world. Information technology started with the first mechanical computing machines at the th end of the 20 century. Some good examples still demonstrate the size of the machines. In the famous German museum in Munich one of the first computers has a size of a mid-size family home. The only possible calculations were addition and subtraction. 1 .1 .1 . - The early years of computing Some guiding companies developed the initial technology further and in the early 50’s host computing became the leading technology. The famous Mainframe joined tens of thousands of people working on only one system. However, enterprises realized that information technology, accomplished that way, became the most expensive department of the whole company. Industry reacted accordingly and developed so called midrange platforms. These relatively small computers could serve a big enterprise and were more cost effective. One of the most important arguments was, that enterprises could handle these midrange systems themselves. 1 .1 .2 . - The personal computer breakthrough The early 80’s brought a new platform. Today the “microcomputers” are known as personal computers. Nobody ever thought that personal computers could ever have a realistic chance in business computing, but as the demand for personal computing increased enormously, industry turned to this new challenge and one of the most significant breakthroughs began. The 80’s brought also a new tendency, which focused server-client based applications. Thus, the personal computer became of prime importance for enterprises of any size. 
Today the personal computer is integral to business. No matter whether manufacturing, designing, communicating or collecting and querying data, the personal computer is the typical workplace for manufacturing, planning, executive and administrative tasks.
Page 11

1.1.3. - The steady growth of the Internet

It is not astonishing that the personal computer played an important role in the development and spread of the Internet. Millions of people share all the Internet services, information and online business offerings by connecting their personal computer to the Internet. And the development still goes on. There seems to be no stopping companies from generating new ideas and Internet pages.

With the Internet, security became more and more important. As enterprises noticed that “being online” could be a critical success factor, more and more enterprises became permanently connected to the Internet. This deployment caused certain groups of people to specialize in attacking Internet sites and services. Today, running an Internet site is not easy and quite a big risk if one is not familiar with all the threats and vulnerabilities that exist. Therefore, a strong industry has emerged around this new market, developing new hardware and software in defense against hackers, pirates and spies.

1.2. - Starting security considerations

At the time when enterprises decided to run their own computer department, security was limited to operating systems, media control and computer centers. The new tendencies in networking as an overall approach for companies of any size caused the responsible managers at that time to start reflecting about an intensified security structure. As the “Information Technology” department became more and more autonomous, the slogan of information security became more concrete and larger companies began to introduce the role of the “information security officer”. Today this job spans a lot of tasks that range from pure media protection to access control, and from system security up to management-based questions like employment contracts and compliance with the law.

There are numerous vulnerabilities throughout the Internet.
The figures below demonstrate that all the considerations surrounding security are real.
Page 12

Figure 1: OS Vulnerabilities

Figure 2: OS Vulnerabilities

1.3. - The influence of the Internet on information security

It is true that the Internet boosted and promoted the worldwide sensitizing to security questions. In the early times of the Internet this development was company-driven. Today, private users also take security precautions for personal computers
Page 13

that are connected to online services. As the Internet population is growing rapidly, vulnerability is growing at the same speed. That way it can be said that the Internet is forcing individuals and enterprises to be more aware of secure systems, and individuals and enterprises in turn cause providers and developers to make services more secure from the start.

1.4. - Is “complete information protection” possible?

Looking at the numerous Internet sites that specialize in security-related questions, the answer to this question is very clear: No, there is no route to “complete information security”! The Internet changes hardware, software and services hourly; can you imagine how much time one would have to spend to track all these changes and relate them to possible security vulnerabilities? The only recommendation possible is to keep the environment as homogeneous as possible and thus constant and clear. Even if you succeed in doing this, there will be a full-time job for somebody who is responsible for security, your “information security officer”.

2. - Introduction to information security

2.1. - Background of this study

This thesis has been developed in order to propose an acceptable industrial standard for the treatment of security-related concerns. There has been no focus on any particular branch; however, all rules are based on and compiled from the best information security practices of many leading international companies.

This thesis is also a result of intensive considerations about actual occurrences. Most innocent computer users read or hear about security leaks and do not know how to protect themselves against attacks and violations. The leading industry has always paved the way for new standards. The author thinks that a wide spectrum of security-related tools would be helpful to all kinds of users and would also be a desirable goal for industry worldwide.

2.2. - Objectives of this study

The objectives of this study are pretty obvious.
The model is meant to provide a basis for the following topics:
Page 14

- The possibility to implement a standardized procedure that covers all aspects of security
- The capability to measure and evaluate security on an inter-company level
- The basis to customize security standards for a company's own needs, within a defined frame of accredited rules
- The fundamentals for secure and confident inter-company co-operation on every level

The model of this study is intended to be used as a reference. Not all parts may apply in all companies or for private considerations. The public addressed is:

- Managers
- Security officers
- Security auditors
- IT controllers
- IT employees
- Computer users

The model of this study can be used as a common reference standard for any kind of inter-company co-operation, be this contracting, sub-contracting, trading or procurement of information technology products and services.

2.3. - What is the meaning and importance of information security?

The intended use of information security is to ensure business continuity. This also includes the minimization of site, hardware, software and data damage. Another part of information security is prevention. Foreseeing possible incidents and defining prophylactic actions is part of the job of security specialists. The management of information security is the coordinating and merging part. The protection of computing assets and information, considering the most secure way and the highest effectiveness in working, is an ongoing task. Thus, information security management consists of three major components:

- Availability: assuring that infrastructure, systems, services, applications and data are available to everyone entitled when required or allowed.
Page 15

- Confidentiality: protecting infrastructure, systems, services, applications and data from misuse and unauthorized use.
- Integrity: assuring that infrastructure, systems, services, applications and data are in a complete, proper and correct condition.

Today, information is provided in various forms. It is written on paper, it is spoken in conversations, it can be recorded to tapes, CDs or DVDs, films or video tapes, it can be stored on computers and computer media and it can be transmitted in several ways like networks, telephone lines, verbal communication, fax or telex. Information security is fundamental to any kind of information, no matter what media is used for transmission, storage and distribution.

Infrastructure, systems, services, applications and data are vital assets. Their availability, confidentiality and integrity are essential to maintain the fundamental parts of your business. However, security violations of information systems are increasing day by day. Companies today are facing security violations from a wide range of sources. Computer hackers, computer viruses, attacks leading to denial of service or unauthorized use of systems and services, computer-based fraud and spying are common practices, and the techniques and methods become more refined every day. The more you or your company depend on computer systems, the bigger the vulnerability and risk is.

The need to take action is definitely present and there is nothing that should prevent you from starting right away. The sooner you take action to ensure your information security, the sooner you are closing doors to unauthorized access. From the financial point of view, information security might be a part of IT that consumes a huge amount of money. On the other hand, only one successful violation or unauthorized access may cost you a hundred times the amount you would have spent to protect yourself.
In the worst cases, it might be that your company has to close down, or that you have been used as a relay for industrial spying, which can cause heavy legal proceedings that could ruin your business for the future. One good rule of thumb might be the comparison of your company’s turnover and your budget for information security. If your annual turnover is $1 Million your security should be worth 1% of it. If your turnover is $1 Billion your security should be worth 0.1% of it. Please note that this is only a rule of thumb that does not apply
Page 16

to every business. Financial institutes like banks and companies that are permanently online usually invest much more in information security compared to wholesalers, retailers or manufacturers.

2.4. - The structure of the model procedures

The model of this study is intended to serve as a reference. It is as comprehensive as possible. However, the sources of potential violations and attacks increase day by day and the model will need to be extended and reviewed periodically. The author recommends using this model security guideline as a working example. Not all points described will apply to every situation. Environmental and technological constraints or facts have not been taken into consideration to their limits, as each infrastructure is unique. The listed chapters and topics act as a guideline that can be adapted according to special and unique situations. Any future augmentation of the chapters and topics is welcome and will be used to complete and enhance this model. Mailing addresses for augmentation proposals can be found on the acknowledgement page at the beginning of this thesis.

2.5. - Setup and major points of the information security model

The information security model is set up in three main parts:

- Management controls for information security
- Preventive action planning and precautions
- Fulfillment and compliance

The first chapter lists a number of categories that are in general use as recommended best security practices at large, experienced international companies. The second chapter lists categories which consist of preventive actions. The third chapter addresses legal and controlling issues. All of the chapters, categories and topics are intended to provide information security in a selective way. If a topic does not apply to a given situation it should be passed over or adopted in an adjusted way.
There are a certain number of topics in this model that are agreed by most experienced international companies to be of special importance. These major points might be chosen as starting points of information security management. The headers of these points have been highlighted in yellow.
Page 17

2.6. - Risk assessment

Securing your information might be a very expensive act. However, to be in a good position facing your top management, you should ensure a balance between the security model you plan to implement and the expenditures. To keep it in a clear form, you should execute a risk assessment. The most common form is a table that consists of all the items to be assessed in the left column and two other columns that value the risk itself and the probability that an incident could occur (values 1-10, where 1 is no risk and 10 is highest risk). To keep the assessment systematic you should structure it from the outside of your company to the inside.

2.6.1. - Risk assessment documents

Risk Assessment - Topics

Assessment Item: Explanation

Geographical Location: Geographical specialties, climatic features, economic situation, political situation, ecological prescriptions, situation, zone position, traffic volume, special governmental regulations

Premises: Constructional development, protection features, accommodation way, access hatch, security equipment, invigilator

Building: Constructional specialties, access hatches, suppliers' entrances, elevators and lifts, monitoring of access, protection features, escape hatches, alarm management, site management

Rooms and Floors: Situation, constructional specialties, access, protection features

Infrastructure: Communication, air conditioning, heating, water and sewage, fire protection, alarm systems, power supply, emergency power supply, battery packs

Networking: Topology, centralized elements, elements for distribution, elements for routing, switching or control, cabling, cable funnels, sockets, redundancy, NOS

Server Systems: Situations, sizes, numbers of servers, configuration description, RAS-availability, security level, physical dependencies, logical dependencies, “part of what process”-description, maintenance windows, hierarchical responsibility, user management
Operation Software: Security level, actuality (patches, service-packs), special authorities, monitoring of access and events under special authority conditions, logging, configuration management, backups, licensed programs, emergency concepts

Business Applications: List of all applications, know-how distribution, quality, sources, redundancy, integrity protection, availability, user management, configuration management

Services and Interfaces: Matrix of all services, matrix of all interfaces, matrix per server, know-how and responsibility matrix, monitoring, sources, functional protection, change management

Peripheral System Components: Situations, redundancy, configuration sheets, technical sheets, emergency operation rules
Page 18

Emergency Features: Concepts, directions, rules, access rights under emergency conditions, testing of plans and actions

Disaster Plans: Concepts, directions, rules, access rights under emergency conditions, testing of plans and actions

Figure 3: Risk Assessment Document

The above table is not meant to be complete and may differ from enterprise to enterprise. The table below shows an example of putting values in.

Risk Assessment – Values (Example)

Assessment Item                 Risk Value    Probability of Occurrence
Geographical Location           1-low         1-almost never
Premises                        2-low         3-infrequently
Building                        2-low         1-almost never
Rooms and Floors                1-low         1-almost never
Infrastructure                  5-medium      5-now and then
Networking
Server Systems
Operation Software
Business Applications
Services and Interfaces
Peripheral System Components
Emergency Features
Disaster Plans

Figure 4: Risk Assessment Document

The results of the assessment are intended to be a reference to determine the appropriate management actions and priorities for managing information security risks.

2.7. - Setting up enterprise security requirements

If you have already compiled a Risk Assessment Document, that part of setting up your enterprise security requirements is well done. At this time everybody concerned with business decisions has been interviewed and all generic data has been delivered from all information offices. If there are still open points, for example because one or the other system runs in a special condition, you should go one level down and make a risk assessment just for that special system or that special part of your business.
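As an added example that is not part of the thesis, the following Python reads the body of a “Risk Assessment – Values” table as Figure 4 shows it, checks the 1-10 scales, ranks the valued items by risk times probability of occurrence and lists the unvalued rows as the open points that section 2.7 sends down to a lower-level assessment. The band boundaries behind the word labels, and the labels for values above 5, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# The items of Figure 3, ordered from the outside of the company to the inside (2.6).
ASSESSMENT_ITEMS = [
    "Geographical Location", "Premises", "Building", "Rooms and Floors",
    "Infrastructure", "Networking", "Server Systems", "Operation Software",
    "Business Applications", "Services and Interfaces",
    "Peripheral System Components", "Emergency Features", "Disaster Plans",
]
# Word labels for the 1-10 scales. The thesis shows only "1-low", "2-low", "5-medium",
# "1-almost never", "3-infrequently", "5-now and then"; band edges and upper labels are assumed.
RISK_BANDS = [(3, "low"), (6, "medium"), (10, "high")]
PROBABILITY_BANDS = [(2, "almost never"), (4, "infrequently"),
                     (6, "now and then"), (8, "often"), (10, "almost certain")]
# A valued row reads "<item> <risk>-<label> <probability>-<label>"; item-only rows are open.
_ROW = re.compile(r"^(?P<item>.+?)\s+(?P<risk>\d+)\s*-\s*\w+\s+(?P<prob>\d+)\s*-\s*.+$")

@dataclass
class Assessment:
    item: str
    risk: Optional[int] = None         # 1 = no risk ... 10 = highest risk
    probability: Optional[int] = None  # 1 = almost never ... 10

    def is_open(self) -> bool:
        return self.risk is None or self.probability is None

def band_label(value: int, bands: List[Tuple[int, str]]) -> str:
    """Render a scale value the way the example table does, e.g. '5-medium'."""
    if not 1 <= value <= 10:
        raise ValueError(f"scale value {value} outside 1-10")
    return next(f"{value}-{name}" for upper, name in bands if value <= upper)

def parse_values_table(text: str) -> List[Assessment]:
    """Parse the body of a values table, one assessment item per line."""
    rows: List[Assessment] = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = _ROW.match(line)
        a = (Assessment(m["item"].strip(), int(m["risk"]), int(m["prob"]))
             if m else Assessment(line))
        if a.item not in ASSESSMENT_ITEMS:
            raise ValueError(f"unknown assessment item: {a.item!r}")
        if not a.is_open():                       # range checks on both scales
            band_label(a.risk, RISK_BANDS)
            band_label(a.probability, PROBABILITY_BANDS)
        rows.append(a)
    if len({r.item for r in rows}) != len(rows):
        raise ValueError("duplicate assessment item")
    return rows

def prioritize(rows: List[Assessment]) -> List[Tuple[str, str, str, int]]:
    """Valued items by descending exposure (risk x probability); ties keep table order."""
    valued = sorted((r for r in rows if not r.is_open()),
                    key=lambda r: (-r.risk * r.probability,
                                   ASSESSMENT_ITEMS.index(r.item)))
    return [(r.item, band_label(r.risk, RISK_BANDS),
             band_label(r.probability, PROBABILITY_BANDS),
             r.risk * r.probability) for r in valued]

def open_points(rows: List[Assessment]) -> List[str]:
    """Unvalued items: candidates for the lower-level assessment of section 2.7."""
    return [r.item for r in rows if r.is_open()]

# The example values of Figure 4 as transcribed from the thesis, open rows included.
FIGURE_4 = """
Geographical Location 1-low 1-almost never
Premises 2-low 3- infrequently
Building 2-low 1-almost never
Rooms and Floors 1-low 1-almost never
Infrastructure 5-medium 5-now and then
Networking
Server Systems
Operation Software
Business Applications
Services and Interfaces
Peripheral System Components
Emergency Features
Disaster Plans
"""
if __name__ == "__main__":
    table = parse_values_table(FIGURE_4)
    for item, risk, prob, score in prioritize(table):
        print(f"{item:30} {risk:10} {prob:16} exposure={score}")
    print("open points:", ", ".join(open_points(table)))
```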
Page 19

The second part of the setup is to update all your statutory and contractual affairs that might exist with trading partners, customers and contractors. There will be a persistent demand for more and more standardization as cooperation with other companies grows, and the demand for information security will increase. Last but not least, your company’s policy must support information security and interlace common principles, objectives and requirements within the rules for information security. Be sure your management agrees upon a regular review of all directions and policy and supports adequate testing at least once a year.

2.8. - Critical key factors to successful security management

There are some key points that have to be considered critical key factors to the successful implementation of information security management. These points have to be addressed properly. A few of the points will have to be treated by repetitive campaigns to assure a stable quality of service.

- First of all, security objectives, policy and principles must be more than common knowledge. There has to be a complete understanding of the threats and vulnerabilities that result from careless treatment. Every employee must clearly understand that non-compliance can cause the company to be less competitive and may lead to a reduction in jobs.
- The way to make sure policy is known is to distribute it to all employees, partners and contractors. One good method to put that into practice is described in the section “Distribution, marketing and reviews”.
- It is vital that top and middle management supports, demonstrates and promotes the information security policy and shows that there is commitment to all the principles and regulations.
- Information security regulations do not have any effect if they are not based on business requirements and objectives.
Thus, if you take this model to develop your own corporate guidelines on information security, be sure that you take into consideration all the corporate policies and guidelines your company has also released. Be sure also that the executive committee for information security is informed of all changes to these corporate policies, regulations and principles.
Page 20

2.9. - Distribution, marketing and reviews

The policy should be accessible to all employees. Some companies attach the policy for information security to the employment contract and ask new employees to attest that they have read the policy by signing a special annex to the contract. Another good idea is to publish the security guidelines on the corporate intranet or to put the document on a public drive of a server that everybody has access to. Make sure the path to the document is clear and maintained. There might be a sticker on each monitor where the IT department gazettes the personal duties and responsibilities of employees, or the major rules may be published on the blackboard to serve as corporate security slogans. There are a lot of other ideas of how to distribute and market information security. Contact your marketing department for suggestions, or advertise a competition to incite and promote the creativity of your colleagues.

3. - Management controls for information security

3.1. - Security Policy

3.1.1. - Information security policy

The objective of the security policy is to provide management support and direction to information security. Management should demonstrate their commitment to information security through the issue of a corporate information security policy.

3.1.1.1. - Information security policy document

Experience has shown that it is vital to have a written information security policy document around. The document must be available to all company employees. It would be helpful to have the policy document as an addendum to the employee contracts. The information security policy document is the management level of corporate security definition. All details of departmental security directions are subject to separate documents but can be mentioned in the main information security policy document. The document should consist of a minimum of the following topics:

- The corporate definition of information security.
  This includes the overall corporate scope and objective and its importance as an enabling mechanism for information sharing.
Page 21

- A management statement of the purpose of information security and the confirmation to support the goals and principles of information security.
- A definition of general management responsibilities and specific company responsibilities for all aspects of information security.
- A guideline of how to report suspected security incidents and security weaknesses.
- A guideline to specific corporate security policies and standards.
- Mandatory predications about legislative and contractual fulfillment requirements.
- Employee requirements for security education.
- Measures to explain business continuity planning.
- Mandatory schedules for regular reviews of the information security policy document.

3.2. - Security organization

3.2.1. - Information security infrastructure

The objective of an information security infrastructure is to manage information security within a company. Experience has shown that a management framework is useful to initiate and control the implementation of information security on all levels of the company.

3.2.1.1. - Steering committee for information security

In many large companies a steering committee for information security has been established. The purpose of that committee is to have a high-level board in place. Information security is a business responsibility shared by all members of the management team. In smaller companies the duties of the steering committee for information security can be added to another existing management committee as needed. The following agenda items might be addressed by the steering committee:
Page 22

- Reviewing and approving company information security policy, directions, principles, security strategies and overall responsibilities.
- Monitoring of vulnerable exposures to major threats to company information assets.
- Monitoring and reviewing security incidents within the company.
- Monitoring and reviewing reported security leaks from services and 3rd parties and approving appropriate actions for defense.
- Approving company programs to enhance information security.

3.2.1.2. - Information security coordination

Large companies probably need to coordinate information security management by means of a cross-functional steering team. This steering team consists of members of the middle management of all departments. Similar to the steering committee for information security, the cross-functional steering team meets on a regular basis and has a fixed agenda with the following suggestions for agenda items:

- Nominating candidates for specific roles and responsibilities concerning information security questions across the company.
- Approval and protectorate of corporate information security programs and projects (e.g. prevention, elucidation and awareness events).
- Promoting the commitment to support information security throughout the company.
- Cross-functional coordination of measures, rules and directions for new services, systems or applications.
- Agreeing specific processes and methods for information security (e.g.[1] risk classification, risk assessment, security classification).
- Assuring that security is part of the information planning process of the company.

[1] exempli gratia = for instance
Page 23

3.2.1.3. - Allocation of responsibilities

A security policy that is in place with nobody responsible for looking after compliance is like a speed limit on the highway with no policeman enforcing it. It is vital to corporate interests to nominate and initiate the person(s) that are responsible for information security. The information security policy document should contain a chapter that deals with roles and responsibilities.

Larger enterprises might face the need to have a security organization that consists of several employees. However, all aspects of all departments and business processes have to be covered. Starting from the supposition that an organization is necessary, there will be one person with the overall responsibility. The first line down will be formed by department security responsibility. These people have the overall responsibility for information security within their departments. Usually the security for particular systems, services, applications and other assets is delegated to those employees that are maintaining the daily business. It must be made very clear what the particular sets of security areas are and who the responsible person(s) for these single sets are.

One possible solution is to have clear job descriptions in place where role and responsibility are clearly written down and mapped to specific systems, processes or services. Another possibility might be to allocate the responsibilities in more detailed information security policy documents that apply to a certain department or area of the company. A third possibility is to allocate responsibilities by defining what security processes and policy apply to each system, process and service. Specifying the current incumbent for the system, process or service automatically allocates the current responsibilities. A prerequisite of this model is that all assets and security processes associated with each system are identified and clearly defined.
Often, more than one person works on one system, process or service. It might be a good idea to define standard authorization levels that are generic and apply to all faculties.
