Review ICS Guidelines

A censored (for confidentiality reasons) third party review report on a client's Information Security Guidelines.

Published in: Business, Technology

500-1045 Howe Street, Vancouver, B.C. V6Z 2A9
Ph. 604-314-4485  Fx: 604-684-5909

Mr. xxxxxxxx xxxxxxxxxx
xxxxxxxxxx xxxxxxxxxxxxxxx

xxxx xxxx, 2011

Review of the document entitled xxxx Security Guidelines

Dear xxxx,

….. we have undertaken the review of the XXXX Security Guidelines document ….......... information security (including industrial controls).

As a general introductory remark we note that, despite the statements in Section 1, Introduction, of the received document, we know neither the intended audience of the received document (skilled staff, employees, company guests, vendors?), its precise scope, nor the limitations that have been given to the author(s). We believe it would be very useful for XXXX if these were clearly stated, as it would help calibrate the pertinent amount and level of technical information included in the Security Guidelines for each intended audience. We do understand that guidelines are generally purposely vague (see for example ISO 27000, ISO 31000, ON49000, just to quote some in the area of Information Risk Management and Security), but we also know that it is usually in the details that security (of all kinds) gets compromised.

It is essential that all employees clearly understand the value of the Company's information and their individual and collective responsibility to protect it. Awareness will constitute the first line of defense (see Human Factors below) in mitigating the chances of inappropriate malicious usage and other nefarious cyber activities. The document's last statement (6, Personnel Security) rightly quotes ISA-99:

"Personnel security measures are meant to reduce the possibility and risk of human error, theft, fraud, or other intentional or unintentional misuse of informational assets."

© Oboni Riskope Associates Inc. Page 1 of 5 09/26/11

But it then states that this aspect of security is not covered within the proposed Security Guideline since it references corporate policies and procedures, including hiring and employment conditions. It also states that "designers should keep in mind that inappropriate access by corporate staff and other approved people is as much an issue as hackers". We are in total agreement with the author(s) of the document and encourage XXXX to "break up the silos", as Information Security should cover the selection, hiring, etc. of personnel, subcontractors and suppliers. Personnel are one of the most likely sources of leaks or file alteration, capable of annihilating any technical effort described in the Guidelines.

Thus, we would also encourage the compilation of several versions of the guidelines tailored to the needs of the various layers of users (see the "need to know" remark below). As a matter of fact, for example, the present glossary is well written and professional, but ….......

We understand these Security Guidelines should determine the minimum level of security to be achieved and establish the criteria against which results are measured. So, coming back to information/competence silos, we find it odd that there is no formal and well-structured reference to any protection from physical man-made or natural hazards, business continuity plans, resumption plans, backup capabilities, etc. Again, we do not know if ….....,  but we would encourage XXXX to include these considerations in a broader view of IS.

You will find below a point-by-point analysis of the received document in the form of a list of themes that are either missing in the present document or should be, in our opinion, developed/expanded:

• Compliance with Information Security Policies (ISP) must be mandatory. Exceptions must be contemplated, but approved by the Company CIO. ISP apply to all information assets and processes.
• We have not seen a section on the Separation of Duties and Functions, Individual Accountability or Maintenance of Trust (Security Principles and Strategies).
• There should be a section on client and supplier involvement in Information Security.
• Strategies, Information Security Management xxx...
• We believe the document would be stronger if it were based on what users "Need to know", "Need to do", "Separation of Functions" and "Individual Accountability" (note xxx).
• We have seen neither a chapter regarding Users' Work Space (like for instance securing …..... in a locked desk or file cabinet, etc.; cleaners, janitors and other third-party workers can be hackers, agents, criminals), nor one on Secure Work Habits: users must develop and implement security-conscious work habits in order to keep their workplace safe.
• The Network Access Controls section (see note yy) should be significantly expanded by defining, for example:
  o Policy on network services use
  o ….
  o ….
  o Network routing address control
• We think that Operating System Access Controls should be expanded upon: the log-on process must indeed be configured to minimize the opportunity for unauthorized access, etc.:
  o Unsuccessful log-on attempts (record unsuccessful log-ons, etc.)
  o …..
  o …...
  o Mobile computing and teleworking
  o Smartphones
• We have seen a minor section of the document dedicated to Human Factors. Security Awareness Training must be provided to users to ensure they are:
  o Aware of the additional risks and responsibilities inherent to mobile computing, smartphones and company personal computers and workstations
  o A Security Threat and Risk Assessment must consider threats to information and information technology assets, such as: physical theft, data interception, credential theft, device destruction, information destruction, malicious and mobile code
• Minimum Information Protection safeguards, such as encryption of stored data, should be described.
• A section on Information Systems Acquisition, Development and Maintenance is missing in the reviewed document. Such a section should establish requirements for ….........:
  o Security requirements of information systems
  o System security plan
  o …..
  o …..
  o Security of development and support processes, changes to software ….
• Technical Vulnerability Management, including:
  o Monitoring of external sources of vulnerability information
  o Risk assessment of published vulnerabilities
• Communication and Operations Management. This chapter must establish the requirements to support the integration of information security in the services provided by XXXX information processing facilities. Examples are: …..... 
• The reviewed document seems to focus only very briefly on protection against malicious and mobile code.... The existence of malicious code and related attacks must indeed be considered a fact by a company operating an ICT infrastructure connected to the outside world. Malicious code ….. Among possible prevention and detection controls:
  o Installing, updating and consistently using approved software designed to scan for, detect, repair and provide protection against malicious code
  o ….
  o …...
  o Restrictions on mobile code (scanning mobile code before execution, etc.)
• In the reviewed document we did not find any reference to Back-Up. Information and information systems must be yyyyy. The back-up and recovery strategy must comply with, for example:
  o Business continuity plans
  o ….
  o …..
  o Recovery point objectives, the point in time to which data must be restored to resume processing transactions …
• We stress the importance of testing back-up and recovery processes (at least once per month). We stress as well the importance of network control and management (…...) to maintain the integrity of networks, changes to network device configuration information (such as ....).
• Wireless Local Area Networking should also receive attention, for example:
  o Strong link-layer encryption
  o …..
  o …..
  o Instructions on how to use telephones and smartphones if some exchange of information occurs during a telephone conversation, etc.
• We have not found any chapter regarding e-mail management in the document. We underline the importance of setting up clear rules for ….
• The reviewed document does not include requirements for reporting a possible breach of information security, …..... reporting and mitigating security events.
• A section on Business Continuity Management is also apparently missing. That section should provide guidance for planning the resumption of business or services in the aftermath of a man-made or natural disaster. Of course, the events or sequences of events that can cause interruption to the Company's day-to-day business processes (e.g. natural, third party, criminal, military, man-made) must be identified. A Risk Assessment must then be undertaken to determine the impact of those interruptions, both in terms of damage scale and recovery period. A Business Continuity Strategy must be developed using the results from the risk assessment, which will determine the overall approach to business continuity.
• A section on Compliance should describe the requirements for verifying that information systems comply with ….... (for example: suppliers are forbidden to …. etc.). Compliance policies identify how to ensure that the Company is in compliance with applicable laws and policies (...).