Information Security for Management (ISBN 9789350245293), English, 137 pages, 2009

Information Security for Management

Venugopal Iyengar
CISA; CISM; CISSP; ACFE; M.Sc; DIRM; DIT; DCS; DCM; LA ISO 9001; ISO 27001; BS 25999; BS 15000; ISO 17020
Director, IOTM
Visiting faculty to JBIMS, NMIMS, SPJIMR, WIMSR

Himalaya Publishing House
MUMBAI • NEW DELHI • NAGPUR • BANGALORE • HYDERABAD • CHENNAI • PUNE • LUCKNOW • AHMEDABAD • ERNAKULAM

ISBN: 978-93-5024-529-3

REVISED EDITION: 2010

Published by: Mrs. Meena Pandey

for HIMALAYA PUBLISHING HOUSE PVT. LTD., "Ramdoot", Dr. Bhalerao Marg, Girgaon, Mumbai - 400 004. Phones: 2386 01 70 / 2386 38 63, Fax: 022-2387 71 78. Email: [email protected] Website: www.himpub.com

For

IOTM, VENUGOPAL IYENGAR, INTERNATIONAL ORGANIZATION FOR TRUST MANAGEMENT

Email: [email protected] Telephone: +91 (022) 9820500951

CONTENTS

Chapter 1: Preamble ........................................ 1
Chapter 2: Security life cycle ............................. 5
Chapter 3: Selection of specification and good practices; Identification of IT Security Standards ........ 9
Chapter 4: Security Threats ............................... 29
Chapter 5: The Knowledge .................................. 39
Chapter 6: Data Security and Privacy ...................... 47
Chapter 7: The Next Step .................................. 77
Chapter 8: Enterprise Security ............................ 81
Chapter 9: The scene of outsourcing ....................... 89
Chapter 10: Towards Information Security Governance ....... 91
Chapter 11: The Challenge ................................. 97
Chapter 12: The need of the hour ......................... 101
Good Practices for Bankers .............................. GP 1


Chapter 1: Preamble

The word "Security" has become a commonly used marketing word for vendors, consultants and consumers of IT to provide assurance of safe transactions.

An enterprise or a business house today needs to focus on its core competence, not only to hold its present position but also to strive to move up the ladder to the number one position. Governing one's business has become both a challenge and a necessity for success, and it helps an enterprise maintain its leadership position in the industry. Information Technology has become the key enabler for an enterprise to meet this challenge; therefore it is imperative to implement an IT governance model within the enterprise. Technology has grown so vast that protecting the enterprise's information that is created, stored, maintained, monitored, updated, transmitted and weeded using this technology poses a new challenge: facing information theft, electronic fraud, cyber vandalism and legal charges or litigation. The depth and spread of this book is vast because it takes a holistic approach covering the business, its processes at various levels, operational workflow, and all forms of infrastructure including the IT that supports the business. The International Organization for Trust Management understands the importance of providing continual support to both the professional community and industry in the area of information security. This is the first book for creating appreciation, awareness and application of information security principles in readers' own day-to-day operations, and thus for managing their enterprise information security posture.

2 INFORMATION SECURITY FOR MANAGEMENT

This book includes a separate annexure to address information security specifications and good practices. It gives an overview of various security-related standards, terminology, best practices and professional security organizations for various industries.

This book contains recommendations to meet information security assurance requirements, and a road map that will help all stakeholders (shareholders, employees, vendors, customers and regulatory bodies) adopt it for their security implementation.

This book has a separate chapter for data privacy and security. The intent is to create awareness among the different layers of service providers, particularly business process outsourcing service providers, that they are primarily handling customer (citizen) information from different countries. In most cases these outsourced service providers treat the information as data and handle it like data. Data and information are held in layers and provided on request, mostly to those who are authorized; some of those seeking such information may pose as authorized persons in order to obtain it. These sections address the need for service providers to understand the layering of protection for data, which is information for the client and their subscribers. The contract between the client and the client's own customers is not known to the service providers. This results in weak service level agreements and poor monitoring, or monitoring that is not focused on the appropriate areas. International companies consider IT infrastructure security, such as network security, personnel security, physical security and privacy of customer information, to be critical when entering into a business alliance. They evaluate the level of security adherence through independent third-party auditors, who verify the implementation and configuration of security devices such as intrusion detection systems, firewalls and antivirus software, and also look for the existence of a written security policy. There is a need to comply with trans-border and local laws such as the Data Protection Act, HIPAA, GLBA, the Sarbanes-Oxley Act, SAS70, etc.

INFORMATION SECURITY FOR ALL 3

Therefore, there is a need to understand the various fiduciary requirements related to the business irrespective of the technology used. Many companies look for a basic level of ISMS implementation and security certification (BS ISO/IEC 17799:2005 and BS ISO/IEC 27001:2005). Hiring security consultants, signing service level agreements and the existence of an Information Security Policy are integral parts of business alliance agreements, in addition to the expected functional delivery capabilities. Further, the Government is proactively strengthening the existing laws; for example Sections 65, 66 and 72 of the Indian IT Act 2000, the Indian Contract Act, Sections 406 and 420 of the Indian Penal Code, the Indian Copyright Act, etc. The Ministry of Information Technology and Communication has taken several initiatives to upgrade security standards in India. These include setting up independent organizations such as the Standardization, Testing and Quality Certification (STQC) Directorate, the Computer Emergency Response Team (CERT), the Information Security Technology Development Council (ISTDC), etc. Almost all Indian companies in the business of Information Technology (IT) and IT enabled Services (ITeS) consider information security to be an integral part of the infrastructure as well as of the software applications through which they provide services to clients. IT and ITeS companies follow global best practices in providing adequate security cover to their clients irrespective of their size and investment. The Government of India passed the "Information Technology Act 2000", which covers cyber and related information technology laws. Chief Security Officers (CSOs) who are accountable for expenditure should recognize that "Information Security" is not part of the IT infrastructure and therefore should not club it with the IT budget. This tendency is seen because anti-virus software and firewalls are part of the IT infrastructure. The IT budget should include the cost of protection in terms of IT infrastructure. To meet the security objectives of people, process and technology, Information Security should also include policy, process, procedure, measures and metrics (using tools), and trained security professionals (a specialized discipline). Therefore, there is a need to create awareness of Information Security Management in industry so that organizations can establish an ISMS and implement IT Security Governance through the various information and IT infrastructure related security standards.


Chapter 2: Security life cycle

Anything and everything that is created has its own life cycle, whether it is a project, a process, a database, a product, or security. The diagram below shows the generic IT security life cycle applicable to all types of industry. We have the system development life cycle (SDLC), the software development life cycle (SoDLC), the data life cycle, etc.


Like those mentioned, security also has its life cycle. This is because what is today is not tomorrow; the world is continuously changing because of the inhabitants within it; needs change, hence challenges change, and thus the technology supporting them changes. The more sophisticated the technology, the less time it takes to accomplish needs, and also the less time it takes to create an insecure environment.

Understanding business

It is important to understand the business first: the nature of the business, the size of the organization, the number of employees, its organization structure, roles and responsibilities, and thus its goals, targets and business objectives. Goals are qualitative and strategic to the business; they decide where the organization should be positioned, labeled or leveled. Targets are quantitative measures that tell the organization how far it is from its present status and how much steering can accomplish this.

Align information technology function

IT is always a tool for management to accomplish their goals strategically, steer them to achieve planned targets in the set direction and meet their business objectives. It is important to translate business goals into IT goals and IT goals into IT processes. This step includes the use of IT criteria such as effectiveness and efficiency (quality); confidentiality, integrity and availability (security); and compliance and reliability (fiduciary) over the information technology resources such as people, applications, infrastructure and information, using IT processes. Proper mapping of this, and implementing, monitoring and reviewing it, is called IT alignment.


Risk management

Risk management consists of two major tasks: risk assessment and risk treatment. Risk assessment consists of asset identification and valuation of each asset based on its replacement value in the workflow where each asset listed in the asset register is used. Identify the inherent vulnerabilities present in each of these assets and the threats surrounding the asset. Threats can be man-made or natural. Express how these threats can exploit the associated vulnerabilities present in each asset, and assess the impact on the business when a threat exploits a vulnerability of an asset. Risk treatment starts from here, where an enterprise needs to identify the different options it has for treating the risks identified in the risk assessment phase. The options are mitigating the risk, accepting the risk, transferring the risk and, lastly, avoiding the risk. Select the appropriate risk treatment approach for each of these assets. Based on the approach selected, design IT controls and prepare a plan that can be implemented. Seek management approval to accept risks and authorization to implement controls. Measure, monitor and report are the next phase of activities during the implementation of the ISMS. Identify appropriate measures for all IT controls selected; monitor the IT controls for effectiveness and report both failures and the effectiveness of each of these IT controls. Identify business risk and the suitability of all these implemented controls for the business process. Bring in changes to IT which will meet both immediate or short-term and long-term security requirements for the organization.
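As an added worked example (not from the book), the following Python walks a small constructed asset register through the risk assessment, risk treatment and measure/monitor/report steps described above; the 1-3 likelihood and impact scales, the asset values, control costs, metrics and measurements are all assumptions.

```python
"""Risk assessment, treatment and monitoring over a small asset register.
All assets, threats, scales, costs and measurements are constructed sample data."""
from dataclasses import dataclass, field

# Assumed 1-3 scales; the text prescribes no particular scale.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass
class Threat:
    name: str
    origin: str          # "man-made" or "natural", as the text distinguishes
    vulnerability: str   # inherent weakness of the asset that the threat exploits
    likelihood: str
    impact: str          # impact on the business if the threat exploits the vulnerability


@dataclass
class Asset:
    name: str
    replacement_value: int    # valuation basis used in the text
    workflow: str             # where in the business workflow the asset is used
    threats: list = field(default_factory=list)


def assess(register):
    """Risk assessment: one row per asset/threat pair, ranked by exposure
    (likelihood x impact x replacement value), highest first."""
    rows = []
    for asset in register:
        for t in asset.threats:
            score = LIKELIHOOD[t.likelihood] * IMPACT[t.impact]
            rows.append({"asset": asset.name, "threat": t.name, "origin": t.origin,
                         "vulnerability": t.vulnerability, "score": score,
                         "exposure": score * asset.replacement_value})
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)


def treat(row, control_cost, accept_below=3, insurable=True):
    """Risk treatment: choose one of the four options named in the text.
    accept: score under the threshold; mitigate: a control exists and costs less
    than the exposure; transfer: insure it instead; avoid: none of the above."""
    if row["score"] < accept_below:
        return "accept"
    if control_cost is not None and control_cost < row["exposure"]:
        return "mitigate"
    if insurable:
        return "transfer"
    return "avoid"


def build_plan(register, controls):
    """Treatment plan for management approval: decision, control and metric per risk.
    `controls` maps (asset, threat) -> {"name", "cost", "metric": (name, target)}."""
    plan = []
    for row in assess(register):
        ctl = controls.get((row["asset"], row["threat"]))
        decision = treat(row, ctl["cost"] if ctl else None)
        plan.append({**row, "treatment": decision,
                     "control": ctl["name"] if decision == "mitigate" else None,
                     "metric": ctl["metric"] if decision == "mitigate" else None,
                     "approved": False})   # awaits management sign-off
    return plan


def monitor(plan, measurements):
    """Measure, monitor, report: compare each implemented control's metric with
    its observed value and report failures as well as effective controls."""
    report = []
    for item in plan:
        if item["treatment"] != "mitigate":
            continue
        metric, target = item["metric"]
        observed = measurements.get(metric)
        status = "effective" if observed is not None and observed >= target else "FAILED"
        report.append((item["control"], metric, observed, status))
    return report


# Constructed sample register: a reservation system and an office printer.
REGISTER = [
    Asset("Reservation database", 500_000, "booking", [
        Threat("Intruder altering records", "man-made", "unvalidated input", "likely", "severe"),
        Threat("Flood at data centre", "natural", "single site, no DR", "rare", "severe"),
    ]),
    Asset("Office printer", 2_000, "administration", [
        Threat("Theft", "man-made", "unlocked room", "possible", "minor"),
    ]),
]

# Constructed control catalogue: cost of each control and the metric used to monitor it.
CONTROLS = {
    ("Reservation database", "Intruder altering records"):
        {"name": "Input validation and DB access control", "cost": 40_000,
         "metric": ("patch_compliance_pct", 95)},
    ("Reservation database", "Flood at data centre"):
        {"name": "Second data centre", "cost": 2_000_000,
         "metric": ("dr_test_pass_pct", 100)},
}
```

With the sample data the intruder risk is mitigated, the flood risk is transferred because the second data centre costs more than the exposure, and the printer theft is accepted; `monitor` then flags the patch-compliance metric as effective or FAILED against its target.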


The security life cycle is a very important consideration for an enterprise, as the threat profile keeps changing with time. The same applies to the merger of two companies, the acquisition of a smaller company by a bigger one, the expansion of an existing company, and diversification into other lines of business. When things become strategically cost- or time-ineffective or unproductive, the enterprise looks to outsource some of its internal processes or activities to a third party. The business risk changes with this, and therefore so does the security life cycle. Thus, the study of the security life cycle is an important area for all levels of management.


Chapter 3: Selection of specification and good practices

Industry leaders know what is best for their business. That is why they are leaders; otherwise they would be followers in their own industries. Some know their products and services, while some know sources of funds and how to apply them to produce a good yield (financial strategy). They buy businesses and sell businesses. Thus, the top management knows for sure all about managing their business. IT is used mostly to support them in production, planning, processing, realizing, monitoring and reviewing their business operations. Which business can escape regulations, trade bodies, governmental agencies, etc.? It may be difficult to know which one is applicable and to what extent. All of these could be well bridged by using some of the industry good practices. These practices can be certified by external bodies to establish where we stand against some of the applicable standards. There are several such standards, and we find that most of them have to be met either for our own process control, for customer process control, or to meet a customer specification. The first step is to create a list of them and map them into a matrix to know the purpose or area of applicability of each. The matrix will reveal the content of most of these standards and show how they are similar and how they are dissimilar. Based on this matrix, identify and select the minimum number of applicable standards (specifications for assessment, or requirements for certification) that meet the security requirement adequately. This is the stage where your industry or line of business has tided over its first-level challenge.


Selection of standard(s) and best practice(s)

The challenge in implementing this phase involves study of the IT supporting the business process workflow, where the IT controls are to be understood. It is not only a matter of implanting a control at the identified areas but also of implanting the correct control appropriate to the business. Thus, this is not an area for functional IT experts but for specialized IT security professionals. The next area after implementation is identifying metrics and measuring them periodically by monitoring. This is an operational activity where an enterprise can use trained persons to monitor all periodic activities, measure and report to the appropriate higher-ups. The next activity is the study of the monitoring results to identify areas of control weakness and the impact of the risk if the control is not implemented or is weak. This will necessitate the implementation of the required controls to eliminate, minimize, mitigate or transfer the risk. Measures should be identified for each metric, and the need for continuous monitoring is established for continuous improvement. It is also important that the organization establishes appropriate security professionals at various levels. The three broad levels are:

i. Governance
ii. Management
iii. Operational

Governance relates to the board or their managing committee; the function is to set the vision and direction for the overall business, the enterprise, IT and information security. IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives. [ISACA]


Management relates to the top management ensuring security implementation across the enterprise at all levels. It is the responsibility of the top management to create policy and review the established processes, procedures, work instructions, etc. for their continued suitability to the organization.

Operational relates to all department heads, functional heads, process owners, etc., who create operational policy, processes, procedures, work instructions, forms and formats, and ensure continuous or periodic monitoring, measuring and reporting to higher-ups. This includes those related to the implemented security.

The certification involved at the governance level is purely common sense based on what the business needs to protect. The individual responsible for managing the enterprise security or information security should preferably hold a CISM, and the organization should implement BS ISO/IEC 17799:2005 (ISO 27002:2007) and get certified under BS ISO/IEC 27001:2005 for its enterprise or organization. The individuals responsible for managing your operational security should preferably obtain certification for the applicable products from the vendors providing you with the operating system, firewall, IDS, network, etc. It is also best if they could be a CISSP. The enterprise can adopt good practices such as ITIL, Level 3, FCC or IEEE standards and comply with them so that their information and related technology are maintained at the level they need to comply with.


Identification of IT Security Standards

Information system security or protection will depend upon the nature of the business, the size of the business, the information dissipation across the enterprise (i.e. distributed, decentralized or centralized architecture), the technology adopted by the enterprise, fiduciary requirements in the several countries across which the enterprise operates, etc. While security considerations are important for government as a consumer of IT and provider of citizen governance, e.g. Ministries and Departments such as defense, police, RTO, passport, visa, customs, central excise and Railways, the coverage of this monograph has been restricted to industry.

IT Security Requirements by Size: IT security requirements are directly influenced by the nature of the business, and the focus of information security is in a different area for each enterprise. The size of an enterprise, i.e. large or small-medium sector, depends upon the nature of the business it does, although the business process may remain broadly the same. For example, an airline has to have a larger number of branch office establishments in multiple cities for its success. It will also require alliances operating for it, and its IT has to support both itself (intranet) and its alliances (extranet). The security of the information supporting reservations based on sector, date, capacity, flight kitchen, crew, etc. is much more important. More than confidentiality, the integrity and availability of the information are critical; jeopardized information can affect their business continuity.


IT Security Requirements by business type (verticals)

Understanding the IT security requirements is a great challenge to industries. This is because the nature of the IT risk for one type of industry may not be a risk to another type of industry. For example, if we consider a business process in the courier industry, IT is used extensively in tracking goods. Information can be stolen from source to destination to plan some high-value sabotage against the client industry. This information is much more critical than accounting information. The same is true for tourism, travel and transportation (aviation, shipping, railways and roadways), where the entities related to operations are much more critical than the finances themselves. For industries such as food and beverages, production information is much more critical than inventory or finance. Such information helps minimize wastage and optimize the circulation of the right product in the right quantity across season and off-season. Thus, one can say that the nature of the industry determines the identification of non-productive assets versus productive assets and accordingly the IT infrastructure requirements.

[Figure: pie chart of industry segments by share: Professionals, Banks & Financial Institutions, Building & Textiles, Shipping & Engineering, Others]


Professionals
• Consultancy Services
• Accounting & Audit Services
• Legal Services
• Management Consultancy
• Media, Advertising & Marketing
• Architects

Predominantly, the professionals from these segments are well acquainted with the requirements and content areas that they need to provide for their clients. These firms have access to clients' vital, critical, confidential and sensitive information. There is a need for integrity (data protection in store and in transit) of data. Some of the common concerns would be:
• Interpretation of best practices
• Implementation of best practices
• Adequacy of compliance against these practices
• Commitment to safeguarding customer information (SLA)
• Assurance of safeguarding customer information (IT resources including infrastructure)
• Continuous exposure to newer technologies
• Compliance with existing and newer laws
  o e.g. Multinationals: trans-border laws
  o Media industry: protection of IPR
• Employee awareness of IT security (internal as well as customer information)

As professionals belonging to the above organizations, one needs to look for a process-oriented security approach rather than a people-oriented approach.


Banks, Financial Services and Insurance

The BFS&I sector is one of the largest sectors, catering to domestic as well as international customers and involving the need for cross-border technologies and cross-border laws. The information held by this sector is generally of the following types: (i) the bank's own management and administration information and (ii) customer information, in store and in transaction. The customer information is of value to many. It can be sold to competitors, used to identify potential prospects, looted over the net, or otherwise misused. Some of this information can be personal and can be misused by relations and friends to cause embarrassment. The data privacy act is created to ensure the privacy of personal information, requiring banks to protect its confidentiality; the data protection act is created to ensure that critical information is made available only to authorized persons. The information assets that the bank holds belong to its customers, and they are prone to theft, modification (change of existing records), adulteration (addition or substitution of records), destruction (obstructing business continuity), etc., which can cause financial losses and damage the credibility of the banking and financial institution.

Banking and financial institutions are guided by good practices and have well-established processes provided by the national central bank of their respective countries. They are governed by the requirements published by domestic regulatory bodies as well as international good practices such as Basel II. Information security concerns may arise due to:
• Interpretation of the requirements
• Adequacy of implementation, e.g.
  (i) Protection of data in store versus data in transit
  (ii) Business Continuity Plan versus cost of implementation
  (iii) Study of appropriate security requirements versus infrastructure
• Lack of skilled personnel
• Anti-virus management including patch updates and upgrades (centralized deployment v/s distributed deployment)
• Challenge of handling inter-bank and intra-bank transactions involving closed user group(s) in public network(s) and application(s)

BFS&I can work with their professional bodies (ISACA, ICAI, IIA, etc.), regulators (RBI, SEBI, etc.), trade bodies (IBA) and technologists (NASSCOM, CSI). RBI along with the government has come out with common information security measures that the banks can adhere to. These are created considering several aspects and use a balanced mix of good practices.

Manufacturing
• Automobile
• Basic Products Industries (including cement, glass, metals, paper, leather, plastic, rubber)
• Chemicals & Petrochemicals
• Pharmaceuticals
• Consumer Durables
• FMCG: home appliances
• Consumer Products
• Mills: paper, pulp, board, textile
• Engineering
• Building and Construction: bridges, dams, roads
• Leather: tanning of leather to making of finished goods
• Heavy industries: automobiles, aircraft, shipbuilding and maintenance, cranes, etc.


The use of IT in the manufacturing sector is in the area of implementing Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Customer Relationship Management (CRM). Some of the ERPs include SAP, J D Edwards, Oracle (Oracle Financials, PeopleSoft), IFS, SSA Global (BAAN), etc. There are multiple solutions, heterogeneous platforms, cross-border regulations (government levies), user groups from within the enterprise, outsourced personnel and customers on the net. Since the business understands its processes well, functionality is seldom an issue in this sector. Some of the concerns are:
• Interpretation of best practices
• Implementation of these practices
• Adequacy of compliance against these practices
• Continuous exposure to newer technologies
• Heterogeneity of operating and application systems
• Mismatch in user levels and their awareness levels
• Maintenance personnel and past employees
• Internet pokers (accidental) and intruders (deliberate)
• Anti-virus management including patch updates and upgrades (centralised deployment v/s distributed deployment)
• Third party service providers
• Commitment to safeguarding customer information (SLA)
• Assurance of safeguarding customer information (IT resources including infrastructure)
• Securing information to end-users on a need-to-know basis (end-users are equipped with tools such as decision support systems, geographical information systems, analytical and statistical engines)
• Availability of temporary and permanent disaster recovery plans
• Compliance with existing and newer laws


This sector is technologically strong at implementation and maintenance; the risk is in identifying security metrics, measures for controls, monitoring for adequacy of controls, identification of newer controls and weeding out of unwanted controls.

Agribusiness
• Food Processing
• Dairy and Milk Products
• Agricultural Products: grains, jute, cotton, oil seeds, plantation of vegetables, fruits
• Marine products

Agricultural products are essential to society for day-to-day living. The products are perishable and have a definite shelf life for storage. Thus, they involve specific types of packaging for storing and transporting from source to destination. Automation can be used in planning crops and yields and in tendering or bidding for products before realization of their value. Some of the information is critical, such as that relating to logistics, shelf life, etc.; and some of it is sensitive, such as the buyer, the delivery destination and the bid value, until it is made public after delivery. This line of business uses the services of contractors and third parties. Leakage of information can cause financial loss, as the goods are perishable, the geography is niche, and governmental subsidies are availed of (which influence costing). For example, the procurement price of sugar cane can affect the pricing of several products derived from sugarcane, such as molasses, alcohol, etc. The selection of tobacco leaves, the processing of these leaves, blending with stem and their ratio, composition and mixing to achieve different niche flavors, storage of finished products, and sales to the domestic and export markets are part of the business workflow. Leakage of information can cause the closure of the business. There is only continuous investment in such products, and the value is realized only during the harvest period; there is not enough time to recover back to normal.

In India, agriculturalists are considered fatalists, as their living depends on rain, weather, climate, and the availability of seeds and labor, all at the right time. Any change in the timing of these factors can result in loss of goods and yield, and therefore loss of money until the next season. Thus, the good practices that this industry should take up are the quality management system QMS ISO 9001:2000, followed by the information security management system ISMS BS ISO/IEC 27001:2005 and BS ISO/IEC 17799:2005, and finally the business continuity management system BCMS BS 25999:2005 as a savior.

Transportation
• Airline
• Shipping
• Railways
• Roadways
• C&F Agents, Logistics

Transportation was always an important service to citizens and therefore was provided by the state. It was used for the transportation of people, commodities, goods, mail and food stock. There was a need for local and long-distance transportation. The use of this service has grown phenomenally, as many intercity services depend on it. The use of information technology has revolutionized (i) their operations and (ii) the management of the business. The former includes services like booking, fleet management, logistics, movement of inventory, third-party services, billing and receivables. The latter includes management of accounts, finances, fleet operations management, human resources and allocation, wages, and the logistics of providing infrastructure for operations from different locations. The challenges are many. Information on goods carried could be sensitive and confidential, and might have to be disclosed to authorized officers because of legal requirements. The leakage of information can cause theft of goods, causing reputation loss to the business. This can lead to embezzlement against the business owner, resulting in the sale of their establishment. Most owners of transportation businesses use information technology extensively to manage their day-to-day business. They also use wired and wireless technologies, public networks and outsourced services. Some of the concerns are:
• Competitors can exploit the weakness of information theft or leakage without ever actually getting into the competitor's work
• Usage of internet / email on board for business and personal purposes (segregation of services is a must)
• Control weaknesses in e-ticketing / e-booking
• Concerns about the usage of EDI are applicable

Better security governance can be achieved through the implementation of an ISMS that includes measuring, monitoring and continuous security provisioning.

Services
• Telecommunication
• Power and Energy: thermal, nuclear, hydropower stations
• Hospitality (Hotels)
• Travel and Tourism
• Healthcare (hospitals, path labs, other medical services)
• Real Estate

The technology varies with the nature of the service they provide, the type of customers they interact with, the kind of regulatory compliance requirements, and the niche of their business processes. The concerns in this type of industry are:
• Knowledge of the business by the technology provider
• Nature of controls required in the business process workflow
• The type of controls required at various stages of the workflow
• Service providers' service level agreements (SLA)
• Safeguarding information of one customer from another within their data storage areas (bandwidth, database, VLAN, etc.)

These industries need to primarily define their business objectives, list the IT objectives that will deliver or help in meeting their business goals, the IT controls required along the business-IT workflow, providing information on a need-to-know or need-to-do basis, etc. They have to work on their security objectives and use multiple standards and specifications that are appropriate to meet those objectives. Some best practices they can adopt would include:
• ISMS BS ISO/IEC 27001:2005 and BS ISO/IEC 17799:2005
• Control Objectives for Information and related Technology (COBIT) (for IT Governance)
• Health Insurance Portability and Accountability Act (HIPAA)
• Compliance with HL7 (Health Level 7) and DICOM (electronic medical images)
• Standards or specifications from FIPS/IEEE/etc. for security products or appliances used in their IT infrastructure
• Regulatory compliance (SAS70, SOX, FEMA, RBI, etc.)

IT, IT-enabled services and BPOs

Information technology is considered a business issue that is to be addressed as part of an organisation's planning activities. Today IT has found its way into almost all business processes and functions, including HR, engineering/R&D, finance and accounting, logistics, procurement, sales and marketing, customer support, facilities management, and training. Business today depends on IT, and the IT infrastructure has grown by leaps and bounds to support the demands of business. Desktop PCs, word processing and number-crunching software, internet, email and loads of facilities like these enable business operations. However, while IT and IT-enabled services are simplifying our activities, there is also a risk of information theft or technical failure that could cause loss of confidentiality and integrity of the information. In addition this would also cause a loss of man-hours and have financial implications. It is therefore very important to ensure that all the IT components that go into the business functions operate reliably and are protected from loss or damage. Deciding on the security infrastructure that can be used to protect your information requires an understanding of the threats against which protection is required. Typically the infrastructure that would go into securing SOHO, Enterprise and BPO units varies largely because of their diverse business needs.

The SOHO infrastructure

Small business (SOHO) units would generally have a centrally managed network of desktop systems and products, and typically do not maintain publicly accessible servers. They would be sharing resources over the network and using dial-up or high-speed access to the Internet. Typical infrastructure and procedures that one would require for small business units include, but are not limited to, the following:
• Installation of a small hardware firewall appliance at Internet connections to block unauthorized inbound connections and possibly to filter outbound traffic
• The operating systems, anti-virus software and other critical applications must be regularly updated and patched
• Web and e-mail clients must be configured to filter and block messages that could contain malicious content
• Unwanted applications must be disabled
• Restrictions on user privileges
• Restrictions on sharing resources such as directories or printers
• Backup and recovery procedures
• Physical security procedures

The Enterprise infrastructure

The Enterprise environment audience generally includes medium to large businesses, large governmental agencies, and organizations requiring managed IT systems and remote offices. Enterprise environments normally have a group that supports users and provides security. The minimum protection that can be built into the infrastructure of enterprises includes some of the practices listed below:
• Segmented internal networks
• Centralized management of security-related applications such as antivirus
• Automated installation of system and application patches and updates
• Restricted access to multi-function devices and their features
• Centralized backup and recovery facilities

The BPO infrastructure

The BPO infrastructure could also be similar to that of large enterprises. However, the most important factor here is the protection of data. Here data needs to be protected when it is stored, when it is processed and when it is transmitted. Typical protection that would be built into a BPO environment includes:
• Maintaining segregated networks to ensure that client information remains within a defined boundary
• Ensuring that physical access to servers and data storage units is controlled
• Visitors must not be allowed alone inside the premises unless escorted by an authorized person from the organization
• Employees, visitors and contract workers must not be allowed to carry communication devices (e.g. mobile phones, PDAs) or image-capturing devices (e.g. mobile phones, cameras, PDAs)
• Disable unwanted application services on servers and workstations
• Install and maintain perimeter security products like firewalls and intrusion prevention systems
• Maintain updated anti-virus applications and filters on mail servers
• Disable USB, floppy disks and CD-ROMs on workstations
• Provide for VPN connectivity and, where feasible, encrypt the data that is being transmitted
• Provide for an effective disaster recovery and business continuity plan

Offshore Development Centers

An ODC or offshore development center primarily works on customer processes and customer information (input, process, results of processing, etc.) and therefore there is a need for protecting that information from within an IT-knowledgeable environment, with people having skills in the area of technology. It is more challenging to protect information from the creator or the protector of the information; in other words, it is securing the security service providers. Therefore an ODC is expected to provide additional security controls, chosen based on the SLA between the customer and the service provider. Some of them would include:
• Developing and adhering to the ODC's internal policies
• Adopting client-specific policies for a specific relationship
• CCTV monitoring
• Dedicated and physically segregated work environment
• Physically isolated network, or logical segregation through firewalls or VLAN implementation for specific relationships
• Relationship-level dedicated Information Security Manager
• A Non-disclosure Agreement (NDA) or a Confidentiality Agreement (CA) with the client organisation for each associate working for the relationship, depending on the classification of information
• Detailed background checks for associates working for the particular relationship
• Data/Information residing on servers (on-site and off-site)
• Continuous monitoring of extractions of information to desktops/PCs
• Segregation of duties and work environment
• Restriction on administrative privileges (system administrator, network administrator, security administrator, database administrator, application administrator)
• Disabling of CD/floppy drives/USB ports
• Controls on Internet access/FTP transfers/folder sharing
• Encrypted links
• Digital/digitised signatures
• Mail encryption software
• De-personalization of data
• Mapping user identities to Machine Authentication Code (MAC) addresses for better accountability and traceability
• Regular backups, secure offsite storage, testing backups through restorations
• Business continuity planning and testing
• Disaster recovery planning and testing
• Firewalls and IDS at client and network gateway
• Compliance audits vis-a-vis the client's security policies

Generally these organizations provide the security compliance requirements specified by their customers rather than implementing best practices for their industry. They are more customer-driven and therefore comply with COPC or ITIL v3 and get certified against ISMS ISO/IEC 27001:2005 and ITSM BS ISO/IEC 20000-2:2005.

Trading/Import and Export
• Film: manufacturing, distribution, production units, laboratories, editing, exhibitors
• Gems & Jewelry: import of raw and export of finished diamonds, artificial diamonds, gems and stones
• Export houses
• Merchandising, stockists, trading, etc.
The entire sector is dependent upon technologies such as EDI, e-Biz and web technologies. This sector is exposed to a high risk from alienated systems, third-party appliance providers, service providers, etc. Malware is one of the worries. Patch management of all software, including antivirus, applications, firewalls, operating systems, etc., adds to the nightmares of CIOs/CSOs. The use of authentication and non-repudiation mechanisms, including digital signatures (class 3), digitized signatures (class 2), seals of web trust by different agencies, and the use of VPN (IPSec), SSL and SET, are challenged every minute on the net.

It is important to follow appropriate security standards/specifications for the appliances; implementing IT governance using COBIT and an IT security management framework such as an ISMS will help in protecting their information.

Chapter 4: Security Threats

Risk Assessment

To understand security threats to information assets it is important to establish a risk management framework. A risk management framework has two major areas, viz. risk assessment and risk treatment. Risk assessment is the first step, and it enables further steps such as identification and design of IT controls, implementation, and the use of metrics to measure, monitor, report and bring in changes to protect the enterprise IT infrastructure. The study of risk begins with understanding security threats to the IT infrastructure and their impact on the enterprise. Prepare an information asset register, not a financial asset register: they do overlap, but their intents are different. The former assigns a financial value to tangible assets to be included in the balance sheet, while the latter covers both tangible and intangible information assets, where the replacement value is taken for valuation. Each asset has its own vulnerabilities which can be exploited by a threat, resulting in an impact on the business of the enterprise.

Security Threats

According to the CIA World Factbook, India was ranked 91 globally during the period Jan-Jun 2003 with an attack rate of about 55 attacks per 100,000 internet users. This moved to 53 during the period Jul-Dec 2003 with an attack rate of about 1,424 attacks per 100,000 internet users. Recently India ranks 63 with an attack rate of 1,781 attacks per 100,000 internet users. The increase in rank indicates that the country is in better control of internet attacks. However, the increase in the number of attacks per lakh of internet users is definitely alarming. This is just an example to understand the existence of electronic security threats.

Category / Threat / Definition

Malicious Software
• Virus: Malicious software that attaches itself to other software. For example, a patched software application in which the patch's algorithm is designed to implement the same patch on other applications, thereby replicating.
• Worm: Malicious software which is a stand-alone application.
• Trojan Horse: A Worm which pretends to be a useful program, or a Virus which is purposely attached to a useful program prior to distribution.
• Time Bomb: A Virus or Worm designed to activate at a certain date/time.
• Logic Bomb: A Virus or Worm designed to activate under certain conditions.
• Rabbit: A Worm designed to replicate to the point of exhausting computer resources.
• Bacterium: A Virus designed to attach itself to the OS in particular (rather than any application in general) and exhaust computer resources, especially CPU cycles.

Spoofing
• Spoofing: Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.
• Masquerade: Accessing a computer by pretending to have an authorized user identity.

Scanning
• Sequential Scanning: Sequentially testing passwords/authentication codes until one is successful.
• Dictionary Scanning: Scanning through a dictionary of commonly used passwords/authentication codes until one is successful.

Snooping
• Digital Snooping (Eavesdropping): Electronic monitoring of digital networks to uncover passwords or other data.

Scavenging
• Shoulder Surfing: Direct visual observation of monitor displays to obtain access.
• Dumpster Diving: Accessing discarded trash to obtain passwords and other data.
• Browsing: Usually automated scanning of large quantities of unprotected data (discarded media or on-line "finger"-type commands) to obtain clues as to how to achieve access.

Spamming
• Spamming: Overloading a system with incoming messages or other traffic to cause system crashes.

Tunneling
• Tunneling: Any digital attack that attempts to get "under" a security system by accessing very low-level system functions (e.g., device drivers, OS kernels).

Malfunction
• Equipment Malfunction: Hardware operates in an abnormal, unintended mode.
• Software Malfunction: Software behavior is in conflict with intended behavior.
• Back Door: System access for developers inadvertently left available after software delivery.

Human Error
• User/Operator Error: Inadvertent alteration, manipulation or destruction of programs, data files or hardware.

Physical Environment
• Fire Damage: Physical destruction of equipment due to fire or smoke damage.
• Water Damage: Physical destruction of equipment due to water (including sprinkler) damage.
• Power Loss: Computers or vital supporting equipment fail due to lack of power.
• Civil Disorder/Vandalism: Physical destruction during operations other than war.
• Battle Damage: Physical destruction during military action.
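The Scanning category above (sequential and dictionary scanning of passwords) is the one a security operations team meets most often in practice, so here is an added example, not from the book, of how such activity is detected from authentication logs. The log lines are constructed in an sshd-like format, the threshold and window are assumed values, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (sample data made up for this example).
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:00:03 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:04 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 09:00:05 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 09:00:06 host1 sshd[2101]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 09:15:00 host1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:40:00 host1 sshd[2300]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn log lines into (timestamp, source, user, result) tuples.
    syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source that produces `threshold` or more failed logins inside a
    sliding `window`; this catches both sequential guessing (same user, many
    passwords) and dictionary runs (several users). Also record whether a
    success followed the burst, because that is the event worth escalating."""
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside the window
    alerts = {}
    for ts, src, user, result in sorted(events):
        if result == "Failed":
            bucket = recent[src]
            bucket.append((ts, user))
            while bucket and ts - bucket[0][0] > window:   # expire old failures
                bucket.pop(0)
            if len(bucket) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(),
                                            "success_after_burst": False})
                a["failures"] = max(a["failures"], len(bucket))
                a["users"].update(u for _, u in bucket)
        elif result == "Accepted" and src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_guessing(parse_auth_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample, 203.0.113.7 is flagged with five failures against two user names in five seconds, followed by a successful login; the single failure from 198.51.100.4 stays below the threshold. The same counters feed a lockout or rate-limit control, which is the usual mitigation for this threat.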

Information harvesting

Information harvesting is the technique of extracting information without actually 'breaking into' a system: some remotely accessible programs can be exploited to return information that was not meant to be available. An example of this was the University of Texas a couple of years ago. They had a web-based system that students could use to check grades, and someone figured out that if you passed the right query-string arguments to one of the CGI programs, it would return complete information about a student, including address and SSN.
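The grade-lookup case above is a missing authorization check combined with an over-broad response. The following added example (not code from the book or from the university) shows a lookup handler of that shape beside a hardened version that authenticates the caller, binds the requested id to the caller or to a privileged role, and returns only an allow-listed projection of the record. The records, roles and field lists are constructed for illustration.

```python
# Constructed in-memory student records; every value is made up.
STUDENTS = {
    "s1001": {"name": "A. Student", "grades": {"CS101": "A"},
              "address": "12 Example St", "ssn": "000-00-0001"},
    "s1002": {"name": "B. Student", "grades": {"CS101": "B"},
              "address": "34 Example Ave", "ssn": "000-00-0002"},
}

# Field allow-lists per caller relationship (assumed policy). The SSN is in
# no list: this endpoint never needs it, so it cannot be harvested through it.
SELF_FIELDS = {"name", "grades", "address"}
REGISTRAR_FIELDS = {"name", "grades"}


class AccessDenied(Exception):
    pass


def lookup_vulnerable(params):
    """Before: the record is selected purely by the `id` query-string argument
    and returned whole, so anyone who can guess an id gets every field."""
    return STUDENTS.get(params.get("id"))


def lookup_hardened(params, session):
    """After: (1) the caller must be authenticated, (2) the requested id must be
    the caller's own or the caller must hold a privileged role, and (3) only an
    allow-listed projection of the record is returned. Unknown ids and
    unauthorised ids produce the same error so ids cannot be enumerated."""
    if not session or "user" not in session:
        raise AccessDenied("authentication required")
    sid = params.get("id")
    record = STUDENTS.get(sid)
    if record is None:
        raise AccessDenied("not found")
    if session.get("role") == "registrar":
        allowed = REGISTRAR_FIELDS
    elif session["user"] == sid:
        allowed = SELF_FIELDS
    else:
        raise AccessDenied("not found")
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print(lookup_vulnerable({"id": "s1001"}))      # whole record, including ssn
    print(lookup_hardened({"id": "s1001"}, {"user": "s1001", "role": "student"}))
```

The point of the projection step is that even a future authorization bug cannot leak a field the endpoint never selects; reviewing what a handler returns, not only who may call it, is the check to add to the risk register for this threat.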

Denial of Service or DoS

DoS attacks are commonly launched from one or more points on the Internet that are external to the victim's own system or network. In many cases, the launch point consists of one or more systems that have been subverted by an intruder via a security-related compromise rather than from the intruder's own system or systems. As such, intrusion defense not only helps to protect Internet assets and the mission they support, but it also helps prevent the use of assets to attack other Internet-connected networks and systems. Likewise, regardless of how well defended your assets may be, your susceptibility to many types of attacks, particularly DoS attacks, depends on the state of security on the rest of the global Internet.

They are caused by:
• TCP floods: a stream of TCP packets with various flags set is sent to the victim IP address. The SYN, ACK and RST flags are commonly used.
• ICMP echo request/reply (e.g. ping floods): a stream of ICMP packets is sent to a victim IP address.
• UDP floods: a stream of UDP packets is sent to the victim IP address.
• Source IP address: in some cases a false source IP address, a method commonly called IP spoofing, is used to conceal the true source of a packet stream. In other cases, IP spoofing is used when packet streams are sent to one or more intermediate sites in order to cause responses to be sent toward a victim. The latter is common for packet amplification attacks such as those based on IP directed broadcast packets (e.g. "smurf" or "fraggle").
• Source/destination ports: TCP and UDP based packet flooding attack tools sometimes alter source and/or destination port numbers to make reacting with packet filtering by service more difficult.
• Other IP header values: at the extreme, we have seen DoS attack tools that are designed to randomize almost all IP header options for each packet in the stream, leaving just the destination IP address consistent between packets.
Denial of service can be achieved by three ways of propagation. They are:
• Central source propagation
• Back-chaining propagation
• Autonomous propagation
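The flood types listed above each leave a distinct rate signature at the victim, and the spoofing and port-randomisation tricks leave their own traces (an implausible number of never-seen sources, or many destination ports hit in the same second). Here is an added example, not from the book, of per-destination counters that turn those observations into findings. The packet summaries are constructed, the addresses come from the documentation ranges, and the thresholds are assumed; a real deployment would baseline them per host and service.

```python
from collections import Counter, defaultdict

# Constructed one-second packet summaries: (proto, src, dst, dport, flags).
# Not a real capture; the addresses are from the documentation ranges.
def make_sample():
    pkts = []
    # SYN flood: 200 SYNs to one host from 200 different (spoofed) sources
    for i in range(200):
        pkts.append(("tcp", f"203.0.113.{i % 250 + 1}", "198.51.100.10", 80, "S"))
    # ping flood: 150 echo requests to the same host from 5 sources
    for i in range(150):
        pkts.append(("icmp", f"192.0.2.{i % 5 + 1}", "198.51.100.10", 0, "echo-request"))
    # UDP flood: 120 datagrams to a second host from one source, ports varied
    for i in range(120):
        pkts.append(("udp", "192.0.2.77", "198.51.100.30", 1024 + i, ""))
    # benign: a few complete TCP handshakes to a third host
    for _ in range(5):
        pkts.append(("tcp", "192.0.2.50", "198.51.100.20", 443, "S"))
        pkts.append(("tcp", "198.51.100.20", "192.0.2.50", 443, "SA"))
        pkts.append(("tcp", "192.0.2.50", "198.51.100.20", 443, "A"))
    return pkts


def detect_floods(pkts, interval_s=1.0, syn_pps=100, icmp_pps=100, udp_pps=100):
    """Per-destination rate counters over one sampling interval.
    Returns {victim: finding} for every destination over a threshold."""
    syn, icmp, udp = Counter(), Counter(), Counter()
    sources = defaultdict(set)   # dst -> distinct sources of flood-type traffic
    dports = defaultdict(set)    # dst -> distinct destination ports targeted
    for proto, src, dst, dport, flags in pkts:
        if proto == "tcp" and flags == "S":
            syn[dst] += 1
        elif proto == "icmp" and flags == "echo-request":
            icmp[dst] += 1
        elif proto == "udp":
            udp[dst] += 1
        else:
            continue                       # replies and data packets are not counted
        sources[dst].add(src)
        dports[dst].add(dport)

    findings = {}
    for dst in set(syn) | set(icmp) | set(udp):
        kinds = []
        if syn[dst] / interval_s >= syn_pps:
            kinds.append("tcp-syn-flood")
        if icmp[dst] / interval_s >= icmp_pps:
            kinds.append("icmp-flood")
        if udp[dst] / interval_s >= udp_pps:
            kinds.append("udp-flood")
        if kinds:
            distinct = len(sources[dst])
            findings[dst] = {
                "types": kinds,
                "distinct_sources": distinct,
                # hundreds of never-seen sources in one second points to spoofed
                # source addresses rather than a real client population
                "spoofing_suspected": distinct >= 100,
                # many destination ports hit at once suggests port randomisation
                "port_randomisation_suspected": len(dports[dst]) >= 50,
            }
    return findings


if __name__ == "__main__":
    for victim, finding in detect_floods(make_sample()).items():
        print(victim, finding)
```

The benign host with five completed handshakes produces no finding, which is the property to keep when tuning thresholds: the detector should key on rate and source diversity, not on the mere presence of SYN or ICMP traffic.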

The propagation steps for each of these are shown in the following figures.

[Figure 1 - Central source propagation: attacker, central source, victim, next victims; steps 1 - exploit, 2 - copy code, 3 - repeat]

[Figure 2 - Back-chaining propagation: attacker, victim, next victims; steps 1 - exploit, 2 - copy code, 3 - repeat]

[Figure 3 - Autonomous propagation: attacker, victim, next victims; steps 1 - exploit & copy code, 2 - repeat]

Viruses, Worms and Trojan Horses

Viruses, worms, and Trojan horses are malicious programs that can cause damage to your computer and the information on your computer. They can also slow down the Internet, and they might even use your computer to spread themselves to your friends, family, co-workers, and the rest of the Web. The good news is that with an ounce of prevention and some good common sense, you are less likely to fall victim to these threats. Think of it as locking your front door to protect your entire family.

What is a virus?

A virus is a piece of computer code that attaches itself to a program or file so it can spread from computer to computer, infecting as it travels. Viruses can damage your software, your hardware, and your files. Virus (n.): code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or information. Just as human viruses range in severity from Ebola to the 24-hour flu, computer viruses range from the mildly annoying to the downright destructive. The good news is that a true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail.

What is a worm?

A worm, like a virus, is designed to copy itself from one computer to another, but it does so automatically by taking control of features on the computer that can transport files or information. Once you have a worm in your system it can travel alone. A great danger of worms is their ability to replicate in great volume. For example, a worm could send out copies of itself to everyone listed in your e-mail address book, and their computers would then do the same, causing a domino effect of heavy network traffic that would slow down business networks and the Internet as a whole. When new worms are unleashed, they spread very quickly, clogging networks and possibly making you (and everyone else) wait twice as long to view Web pages on the Internet.

Worm (n.): a subclass of virus. A worm generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can consume memory or network bandwidth, thus causing a computer to stop responding.

Because worms don't need to travel via a "host" program or file, they can also tunnel into your system and allow somebody else to take control of your computer remotely. Recent examples of worms include the Sasser worm and the Blaster worm.

What is a Trojan horse?

Just as the mythological Trojan horse appeared to be a gift but turned out to contain Greek soldiers who overtook the city of Troy, today's Trojan horses are computer programs that appear to be useful software but instead compromise your security and cause a lot of damage. A recent Trojan horse came in the form of an e-mail that included attachments claiming to be Microsoft security updates, but turned out to be viruses that attempted to disable antivirus and firewall software.

Trojan horse (n.): A computer program that appears to be useful but that actually does damage.

Trojan Horses spread when people are lured into opening a program because they think it comes from a legitimate source.

Threats to information assets and resources

Theft of information is the most significant cost threat to organizations, and identity theft is just one of the costly consequences of information theft. The US Federal Trade Commission (FTC) reports a significant number of cases, while the US Federal Bureau of Investigation (FBI) estimates almost three and a half times the figure reported by the FTC.

Most of these threats come in many forms that include theft, disruption, or destruction of information assets. They range from physical threats such as destruction of an IT centre by fire, to intangible threats such as the covert theft of proprietary information. While discussing threats, it is useful to consider the following:

• Type of threat
• Vulnerability that can be exploited by the above threat
• Threat agent or the perpetrator
• Assets to be protected
• Impact on the organization
• Result if the threat is accepted by the organization
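The six considerations just listed are the columns of a risk register, and the Risk Assessment section at the start of this chapter describes the information asset register (valued at replacement cost) that feeds it. The following added example, not from the book, puts both together: a register row per asset/threat pair, a likelihood-times-impact score, a money figure for "result if the threat is accepted", and a ranked treatment plan. The 1-5 scales, the exposure formula, the risk appetite and the accept/transfer/mitigate rules are assumed policy, and the rows are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    """One row of an information asset / risk register, following the fields the
    text lists: threat, vulnerability, threat agent, asset, impact, and the
    result if the threat is accepted."""
    asset: str
    replacement_value: int   # information assets are valued at replacement cost
    threat: str
    vulnerability: str
    threat_agent: str
    likelihood: int          # assumed 1 (rare) .. 5 (almost certain) scale
    impact: int              # assumed 1 (negligible) .. 5 (severe) scale

    @property
    def score(self):
        return self.likelihood * self.impact   # 1..25

    @property
    def exposure_if_accepted(self):
        """Money figure for 'result if accepted': replacement value scaled by
        the normalised risk score (assumed formula, not from the text)."""
        return round(self.replacement_value * self.score / 25)


def build_register():
    # Constructed sample rows; every value is illustrative only.
    return [
        RiskEntry("Customer database", 500_000, "Theft of information",
                  "unpatched web application in front of the database",
                  "external attacker", likelihood=4, impact=5),
        RiskEntry("Data centre", 2_000_000, "Fire damage",
                  "no fire suppression in server room", "environment",
                  likelihood=2, impact=5),
        RiskEntry("Payroll files", 50_000, "User/operator error",
                  "backups never test-restored", "employee",
                  likelihood=3, impact=2),
        RiskEntry("Mail gateway", 80_000, "Worm",
                  "missing OS patches", "malicious code",
                  likelihood=3, impact=3),
    ]


def plan_treatment(register, appetite=8):
    """Rank risks by score and assign a treatment: accept within appetite,
    transfer rare-but-severe risks (insurance, contracts), mitigate the rest.
    Returns (asset, threat, score, exposure_if_accepted, action) tuples."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    plan = []
    for r in ranked:
        if r.score <= appetite:
            action = "accept"
        elif r.impact >= 4 and r.likelihood <= 2:
            action = "transfer"
        else:
            action = "mitigate"
        plan.append((r.asset, r.threat, r.score, r.exposure_if_accepted, action))
    return plan


if __name__ == "__main__":
    for row in plan_treatment(build_register()):
        print(row)
```

The ordering is the useful output: the register tells management which control to fund first, and the exposure column gives a ceiling on what that control is worth spending, which is how risk assessment hands over to risk treatment.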

Safeguards against internal threats
• Legitimate access to users
• Access control tool at the back-end servers and applications
• File integrity safeguards
• Detect changes to the systems and files
• Ensure internal network protection against the external network

Chapter 5: The Knowledge

Implementation model for information security

The lines of business within an enterprise can range from one focused activity to multiple diverse activities. The probability that an enterprise will drive its business well depends upon its identified business success factors. Some of these success factors include market need, market reach, purchasing power, regulations of the land, awareness among the target consumers, etc. The first major step for an enterprise is surviving in its line of business. Then comes sustaining, which comes from ongoing monitoring, measuring, and taking corrective decisions. The challenge of continuous growth in any given line of business comes from the use of IT infrastructure at the core and business intelligence at the perimeter. There is a need for a well-designed information security architecture to be built into the IT application. This will mean proactive measures including changes in working style, remodeling of the workflow or its IT infrastructure. There are three things that are essential for an enterprise to be successful:
• Existence,
• Survival and
• Growth.
Therefore a business is essentially supported by business information running over an application system such as an ERP over a network, connected to several servers and an ISP. The clients (desktops) and servers (application, network, database, mail, proxy, etc.) need to be proactively protected from viruses, spam and Trojans, using preventive and detective software such as network filters (firewalls, IDS), enterprise network monitoring (ENM) tools, enterprise management software (EMS) and application filters such as anti-virus, anti-worm, etc.

An application system or business system comprises deliverables that focus primarily on billing, inventory, receivables and payments for sustaining the business. The system is provided with continuous monitoring and analysis tools that help in growth. The anti-virus, firewall and IDS are used as detective devices to monitor and take corrective measures, and to provide input for proactively making proper decisions from time to time. The advent of web technology has enabled the entrepreneur to maximize business beyond the present optimization of business. The net has brought a proactive and dynamic transaction of shelved goods. The non-moving has become moving. The shelf stay of goods has been reduced by price discounting and price bidding, thus proactively preventing goods from being scrapped. It has also kept goods from becoming obsolete. Web ERP and web intelligence tools help the enterprise manage these.

The Architecture and the Security

The IT architecture to run an enterprise consists of:
• Network framework
• Communication framework over the network
• Application framework over the network
• Operating system to support the application at both server end and client end
• Office productivity system such as email and Internet access besides normal word processors, spreadsheets and presentation tools
• Database architecture to store outputs from all of these
• System management software tools
• System development software tools
• Outsourced and teleworking framework

Therefore securing this entire framework is a challenge to an enterprise. An enterprise can use two key supporting pillars to meet these challenges. They are [A] Standards and their implementation, and [B] Use of certified security professionals.

A] STANDARDS - There are several standards that are adopted at various levels within an enterprise like at the overall management and EC respectively). The Common Criteria resolves the conceptual and technical differences between the source criteria. It is a contribution to the development of an international standard, and opens the way to worldwide mutual recognition of evaluation results. Common Criteria version 2.1 (CC V2.1) is adopted by ISO as ISO 15408. They have therefore withdrawn two of their earlier standards. The Customer Operations Performance Center (COPC-2000 R3.1) Standard is used globally by both buyers (clients) and providers of customer-contact and fulfillment services (collectively called customer-service providers, or CSPs) to improve the service quality provided to end users and to reduce costs. The objectives in developing and promulgating this Standard are twofold:
• To define management and operational requirements for CSPs to ensure that the services provided by the CSP meet the CSP's clients' and end users' expectations.
• To provide CSPs with a framework within which they can define and implement improvement efforts. Such a framework would also establish, for CSPs and their clients, a common language for managing relationships and communications.
CSP focuses on three areas, namely service, quality and cost.

Information Technology Infrastructure Library (ITIL V3) focuses on five areas, namely Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. (1) Service strategy focuses on service management strategy and value planning; linking business plans and directions to IT service strategy; planning and implementing service strategy. (2) Service design focuses on service design objectives and elements; selecting the service design model; cost models; benefit/risk analysis; implementing service design; measurement and control. (3) Service transition focuses on managing organisational and cultural change; knowledge management; companion best practices. (4) Service operation focuses on application management; change management; operations management; control processes and functions; scaleable practices. (5) Continual service improvement focuses on business and technology drivers for improvement; justification; business, financial and organisational improvements; methods, practices and tools; measurement and control; companion best practices.

Information Technology Service Management (ITSM) ISO/IEC 20000-1:2005 defines the requirements for a service provider to deliver managed services of an acceptable quality for its customers. The specification may be used by businesses that are going out to tender for their services; by businesses that require a consistent approach by all service providers in a supply chain; by service providers to benchmark their IT service management; as the basis for an independent assessment; by an organization which needs to demonstrate the ability to provide services that meet customer requirements; and by an organization which aims to improve service through the effective application of processes to monitor and improve service quality. Clause 6 addresses the service delivery processes: service level management; service reporting; service continuity and availability management; budgeting and accounting for IT services; capacity management; information security management. Clause 7 addresses the relationship processes, which cover business relationship management and supplier management. Clause 8 addresses the resolution processes, which cover incident and problem management. Clause 9 addresses the control processes, which depend on configuration and change management. Lastly, the release process addresses all about release management.

B] Certified Professionals - The use of certified professionals provides reasonable assurance that they understand their area of information system audit and control or security control implementation, monitor and measure it from time to time, and bring in a reasonable level of protection to the enterprise. Let us understand some of the security-related certifications and the roles that these professionals play in eSecurity Governance.

Certified Information System Manager (CISM) - This is a certification provided by the Information System Audit and Control Association (ISACA) through a centralized exam conducted once a year at various locations across the world. The program is aimed at covering IT Security Governance, and the professional is examined on various aspects of IT security governance. Thus, these professionals provide a secured architecture to an enterprise and play a role as information system managers.

Certified Information System Security Professional (CISSP) - This is a certification provided by the International Information System Security Certification Consortium (ISC)². These professionals are good at implementation of physical, logical and environmental security for an organization. They understand application, database and network security. They also understand the importance of backup and recovery to meet the risk of sudden short-term failures and long-term outages or disasters, by maintaining both daily onsite and offsite backups for disaster recovery. Most of these champions are trained more towards network security and/or web application security, with a few in the area of OS and other areas of security.

Certified Information System Auditor (CISA) - This is a certification by the Information System Audit and Control Association (ISACA) for audit professionals who understand IT Governance and can become champions to implement, consult and audit this area with the help of Control Objectives for Information and related Technology (COBIT).

Certified Business Continuity Professional (CBCP) - This certification is intended for professionals seeking specialization in the area of Business Continuity. The Disaster Recovery Institute International (DRII, USA) awards this certification. It also provides certification points with BCI, UK.

Certified Fraud Examiner (CFE) - This certification is issued by the Association of Certified Fraud Examiners (ACFE), who were purely into financial fraud examination and have now extended it to financial frauds in IT environments.


Certified Auditor/Lead Auditor in ISMS BS ISO/IEC 27001:2005 and BS ISO/IEC 17799:2005

This program is conducted for those who wish to implement, maintain, monitor and audit an enterprise against the standards' requirements. The program is administered by various registration agencies that recommend candidates for certification. Thus, a professional with this certification is useful to the enterprise in meeting the Information Security Management System (ISMS) standard mentioned above.


Chapter 6: Data Security and Privacy

Introduction

The words 'Data' and 'Information' are quite often used interchangeably. The word 'Data' is the plural of the word 'Datum'. An attribute attached to data brings meaning to the data, and the result is called 'Information'. Thus, conventionally, for some people data is understood as their business information, and for others data is the control information used for monitoring business performance. In other words, for the first type of person the data is accounts, purchases, sales, etc., while for the second type of person the data is information about leaves, wages, payments, regulatory documents, communications, records, etc. This can be better explained once we classify data broadly as administrative data and operational data. Administrative data is the data that supports the business infrastructure, while operational data is the data associated with the business itself (for example, transaction information, customer information, credit information, etc.). Conventionally, for many, the latter meaning of data is considered more critical, and therefore they tend to ignore the former. It is important to consider both of them.

It has become a business necessity to maintain information about the people who work on data and about the processes one uses to receive, store and retrieve data (manual as well as electronic). There are statutory and regulatory requirements to preserve these data for a stipulated time period. These data can be altered, destroyed, tampered with, stolen, repudiated, etc. These can be put together and termed 'non-availability' of data, as the data may not be available at some point during the valid retention period. In manual operations these records were available on a need basis, while in electronic storage it is easy to make the data non-available through various means. Distance is no longer the criterion for reaching the data; access is no longer a difficult task, as one can break through the electronic barriers without breaking the physical barriers. Information Technology has brought ease of access to information, handling of complex processing, analysis of information for business growth, and contribution to strategic planning. All of these can be jeopardized by the absence of the right kind of protection and appropriate controls. Thus, regulators have realized the importance of protecting the privacy of the people who work on sensitive citizen data, besides the data being stored as business records. This has created the need for protecting the administrative data as well, along with the operational (business) data. The Acts under the fundamental rights broadly provide protection to the personal information of citizens in various countries. As part of the expansion of these Acts, many countries have introduced an explicit act for privacy and protection of such personal data irrespective of its origin and storage. Since this aspect has come under regulation, IT must show evidence of complying with it. Therefore, there is a need for the Chief Executive Officer, Chief Compliance Officer, Chief Finance Officer and other CXOs (CIO, CTO, CSO, etc.) to understand 'Data Privacy and Security'. Enterprise compliance pertaining to statutory requirements could be addressed by the Chief Compliance Officer (Company Secretary), while operational technology compliance and fulfilment requirements could be addressed by the COO nominated by the CIO/CTO.


Vocabulary

DATA is facts and statistics collected together for reference or analysis. Data can be expressed in quantities, characters, or symbols on which operations are performed by a computer, which may be stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media. The word 'Data' originated in the mid 17th century as the plural of the word 'Datum'. Data can also be information not in the form of words, sounds, or images: such data is usually information stored in a highly organized and compact form suitable for data processing.

INFORMATION is evidence, intelligence, material, background, input; proof, fuel, ammunition; statement, report, return, dossier, file, documentation, archive(s) and, informally, 'info'.

Data (in computing) is the information that has been prepared, often in a particular format, for a specific purpose. In a more restricted sense, data may be the information input for a particular program, as opposed to the results or output. Data is available either as hard copy (paper documents and records) or in electronic form. Hard copy data resides in cabinets, cupboards and storage units, or is found in transit when couriered or sent through the postal service. Electronic data resides either in some form of repository, like a database or a collection of individual files, or is found in small quantities when transmitted over a network. Your data is vulnerable no matter what form it is available in or where it resides, and so it needs to be protected from damage, theft or loss of its integrity. It is equally important to ensure that the privacy of your data is maintained.


While many organisations take security measures to protect their data, it turns out that these measures are inadequate to protect valuable corporate assets.

Impactable data

Data gets generated in every industry irrespective of the kind of work being done. Broadly, the types of data generated can be categorized into:

• Personal data: The types of information that can be used to identify an individual and that may include the expression of an opinion about that individual. Typically this would include a person's name, age, contact information, family details like marital status, number of children, educational qualification, type and number of vehicles, property ownership details, etc. Information like the trustworthiness of an individual, their integrity, work capabilities, etc. are typical examples of 'expression of opinion about an individual'. We find this in use mostly by HR departments, shared during job transfers between departments and organisations.

• Sensitive personal data: Personal data like ethnic or racial origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, commission or alleged commission of offences and criminal convictions or proceedings are some examples of sensitive personal data.

• Financial data: This is the type of information that can give financial details about an individual or an organisation. Typically this information would include an individual's or organisation's credit history and status, financial records, payroll information, invoicing and billing information, information about fund management, asset inventory and its valuation, etc.

• Medical data: This is the type of information that can give the medical history of an individual. Typically this would include the various illnesses that a person has suffered, drugs that the person is allergic to, the history of various pathological reports, etc.

• Corporate data: This is information that gets generated as part of the activities that are carried out for business operations. Business development plans, merger and acquisition agreements, project plans, research, design and development plans, customer and supplier information, source code, etc. can be categorized as corporate data.

The nature of the work being executed and the business requirements drive industries into generating either all of the above types of data or a combination of them. However, the most common combination is the generation of personal, financial and corporate data.

Industry concerns

Information technology is the driver behind managing the vast data generated by various industries. Understanding the data security requirements is a great challenge to industries, primarily because of the controls required to manage the access, change, movement and discarding of data. Industries need to understand who owns the data, who generates it, who can view it and who can change it.


For example, if we consider the banking industry, IT is used extensively right from registering a new customer to allowing the customer to transact with others and handling customer requirements. At the same time, IT is used by the banking industry for its fund management. The type of data held by banks includes the personal information of their customers and employees; the financial information of the customers and employees and that of the bank; and corporate information such as the bank's project plans. It becomes very important for the bank to understand how it will protect its customers' information, such as credit card numbers, and what controls it needs to build so that, for example, the database administrator does not steal the credit card numbers stored in the database.

Data loss can happen either at the data owner end, e.g. when a customer is not careful while transacting at the ATM machine, or at the data custodian end, e.g. thousands of credit card numbers get stolen from a bank.

The data privacy and protection requirements for each type of data will vary depending upon the criticality of the data and its privacy requirements.
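The banking case above asks what control stops a database administrator from reading card numbers out of the transaction database. One answer is to never store the card number there at all. The following is an added illustration, not code from the book or from any bank: the transaction database holds only random tokens, a separate vault (assumed here as an in-process object; in practice a separately administered system) holds the mapping back to the card number, only a named 'payments' role may recover it, and every such request is logged. The card numbers and role names are constructed test values.

```python
"""Added example (not from the book): keeping card numbers out of the
transaction database so that a DBA of that database never sees them.

Assumptions (mine, not the book's): a separate "vault" holds the mapping
token -> card number; only the 'payments' role may detokenize, and every
detokenize call is audited. The card numbers used are constructed test values.
"""
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: an input control on the card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CardVault:
    """Holds card numbers separately from the transaction database."""
    _store: dict = field(default_factory=dict)   # token -> card number
    audit: list = field(default_factory=list)    # (user, role, token) per request

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # A random token carries no information about the card number.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, user: str, role: str) -> str:
        # Every request is recorded before the authorization decision,
        # so refused attempts are visible to review as well.
        self.audit.append((user, role, token))
        if role != "payments":
            raise PermissionError(f"{user} ({role}) may not detokenize")
        return self._store[token]


def masked(pan: str) -> str:
    """What a customer-service screen shows: the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class TransactionDB:
    """The database the DBA administers: it stores tokens, never card numbers."""
    rows: list = field(default_factory=list)

    def record_sale(self, token: str, amount: int) -> None:
        self.rows.append({"card": token, "amount": amount})

    def dba_dump(self) -> list:
        # A DBA with full read access still obtains only tokens.
        return list(self.rows)
```

The separation matters only if the vault is administered by different people from the transaction database, which is exactly the segregation of duties the chapter later lists among the general IT controls.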


Protection to data

Vocabulary

PROTECTION is the action of covering someone or something. Some alternative words for protection include defence, shielding, shelter, preservation, conservation, safe keeping, safeguarding, safety, security, asylum, custody, sanctuary, refuge, lee, immunity, insurance, indemnity, upkeep, maintenance, husbandry.

Examples
• Protection against infection
• Police protection
• Preventing harm or injury
• Protection against the Saxons
• Protection against the evil eye
• Cover provided by an insurance policy
• A legal or other formal measure intended to preserve civil liberties and rights
• A document guaranteeing immunity from harm to the person specified in it
• The practice of paying money to criminals so as to prevent them from attacking oneself or one's property
• Protection money paid on a regular basis
• Physical fitness provides protection against stress


Legislation to protect data

In the interest of guarding the privacy of information held by its holder, the fundamental rights of a citizen empower the citizen with the right to information, freedom of speech, and the right to protect personal information from being disclosed to other citizens.

A more selective approach to enforcing data protection legislation is being adopted by the Information Commissioner, the independent watchdog for data protection and freedom of information. The move is part of the government's broader drive to make regulation more 'risk-based', lightening the routine load on people and businesses while targeting resources on those genuinely abusing the law. ... A US law to increase the security and privacy of personal information held by companies was approved by the Senate Judiciary Committee. The bill includes a duty to disclose security breaches. The Personal Data Privacy and Security Act of 2005 was thereby moved forward to a full Senate hearing. The bill, sponsored by Senators Arlen Specter and Patrick Leahy, will ensure that companies with databases containing personal information on more than 10,000 US citizens establish and implement data privacy and security programs and vet third-party contractors hired to process data. Under the bill, data brokers will generally be required to let individuals know what information is held about them and, where appropriate, allow individuals to correct demonstrated inaccuracies. They will also be obliged to notify law enforcement agencies, consumers and credit reporting agencies when digitized sensitive personal data has been compromised.


Data Privacy and Security

Vocabulary

PRIVACY is the state or condition of being free from being observed or disturbed by other people. Alternative words include seclusion, solitude, isolation, retirement, peace, quiet, lack of disturbance, lack of interruption, freedom from interference; (rare) sequestration, reclusion.

The immense exposure of computers on the internet has led to an evolution of cyber security threats, from viruses and worms to denial of service and remote attacks by malicious users, leading to the exposure, loss or total unavailability of sensitive information.

As cyber attacks evolved, the need for better defensive and protection technologies emerged. Today we witness a wide range of products, such as firewalls, intrusion detection/prevention systems, antivirus, anti-spam, anti-malware, vulnerability scanners and cryptographic solutions, that protect against a wide spectrum of possible attacks. The perimeter security market has matured over the years; however, the protection of desktops and portable PCs is not yet as mature, and data residing on these systems is still at risk of being exploited by various threats. The question still remains: how can we protect our data? Data protection is one of the aspects of protection described in the vocabulary under the previous head, 'Protection to Data'. Since data in its physical and electronic form is always at risk, we can start by considering the sensitivity of the data and then identifying the physical security requirements, the server configuration and data storage requirements, and the network infrastructure that will be needed to protect the data.


Technology

General IT controls include the procedures and processes that support the overall processing of the business applications of an organization. These controls include areas such as access to programs and data, data centre operations, program development, program changes, IT disaster recovery plans, and the proper segregation of duties of information systems department personnel. The general controls are important because they support application processing. Computerized application controls include the controls involving the processing and storing of business transactions. They ensure the completeness, accuracy, authorization, and validity of processed transactions. Application controls include application security, input controls, rejected-transaction controls, transaction-processing controls, and output controls. According to IT Control Objectives for Sarbanes-Oxley (IT Governance Institute, April 2004; available at www.isaca.org), both general and application controls 'are needed to help ensure accurate information processing and the integrity of the resulting information needed to manage, govern and report on the organization.'

The technology also includes the IT infrastructure such as servers, clients, networks, communication channels, etc. The protection of this infrastructure is also a challenge. The common ways to protect these are by design of the infrastructure architecture, usage of firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus, anti-spam, hardening of the operating system, etc. There is a need for protecting the physical site and environment of a data centre so that the data is protected against damage caused by intentional and unintentional acts.
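The four properties the passage names for application controls (completeness, accuracy, authorization, validity) and the rejected-transaction control are easier to grasp when seen on a concrete batch. The following is an added illustration written for this page, not code from the book or from the IT Governance Institute. It assumes a batch of payment records arrives with a header stating the record count and control total, and a small role table (constructed) stating the amount each role may approve.

```python
"""Added example (not from the book): application controls over a batch of
payment transactions -- input (validity/accuracy) checks, an authorization
check, a rejected-transaction file, and a completeness check against the
batch header.

Assumed (mine): header = {"count": n, "total": sum of amounts}; the role
table below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed authorization table: role -> maximum amount that role may approve.
APPROVAL_LIMIT = {"clerk": 1_000, "supervisor": 50_000}


@dataclass
class Txn:
    ref: str
    account: str
    amount: int        # whole currency units
    approved_by: str   # role of the approver


def input_checks(t: Txn) -> Optional[str]:
    """Validity and accuracy checks on one record; None means it passed."""
    if not (t.account.isdigit() and len(t.account) == 10):
        return "invalid account format"
    if t.amount <= 0:
        return "non-positive amount"
    return None


def authorization_check(t: Txn) -> Optional[str]:
    """Authorization control: the approver's role must cover the amount."""
    limit = APPROVAL_LIMIT.get(t.approved_by)
    if limit is None:
        return "approver not in role table"
    if t.amount > limit:
        return "amount exceeds approver limit"
    return None


def process_batch(header: Dict[str, int], txns: List[Txn]) -> dict:
    """Returns accepted records, rejected records with reasons, and a
    completeness verdict for the batch as a whole."""
    accepted, rejected = [], []
    seen = set()
    for t in txns:
        if t.ref in seen:                       # duplicate reference = invalid
            rejected.append((t.ref, "duplicate reference"))
            continue
        seen.add(t.ref)
        reason = input_checks(t) or authorization_check(t)
        if reason:
            rejected.append((t.ref, reason))    # rejected-transaction control
        else:
            accepted.append(t)
    # Completeness control: what arrived must reconcile to the batch header.
    complete = (len(txns) == header["count"]
                and sum(t.amount for t in txns) == header["total"])
    return {"accepted": accepted, "rejected": rejected, "complete": complete}


def demo_batch() -> dict:
    """Constructed sample batch: one clean record, one over the approver's
    limit, one with a malformed account number."""
    txns = [
        Txn("T1", "1234567890", 500, "clerk"),
        Txn("T2", "1234567890", 5_000, "clerk"),      # exceeds clerk limit
        Txn("T3", "12345", 300, "supervisor"),        # malformed account
    ]
    header = {"count": 3, "total": 5_800}
    return process_batch(header, txns)
```

The rejected list is the audit trail the text calls the rejected-transaction control: every record that did not post is retained with its reason, so the batch can be reconciled rather than silently shortened.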


Features provided (availability)

The need for information makes data available across the enterprise from the data centre irrespective of where the users are, how they seek information, etc. Some of the features provided by data-centric information technology include:
1. Appropriate segregation of duties of information and department personnel
2. Application controls, including processing controls
3. Access to applications
4. Access to data
5. Transaction controls and monitoring
6. Verification and validation of completeness, accuracy and authorization
7. Storage of business transactions
8. Program development and program enhancement (system and application)
9. IT continuity for business and disaster recovery procedures

Exposure created due to availability of features (vulnerability)

While the features are provided to enhance business operations through the availability of information to user groups, they have become a cause of concern to the custodian organization as much as to the information owner organization. In spite of the best segregation of duties and a protected IT infrastructure, with services monitored and controlled by system and network administrators, access to data through applications by authorized users is becoming a cause of concern. Out of several users, even one legitimate user may take camera pictures of transactions, carry data out, sell client information, etc. to marketing organizations or competitors. The business application development and maintenance users also have access to business data and business logic. While this access is required for legitimate business reasons, organizations always have the concern of a developer coding in a Trojan or a backdoor and having it deployed along with a new version. The system administrators or database administrators managing the systems are trusted employees of the organization and have access to this information by virtue of the nature of their work. Client and customer information is also at risk of loss or damage that may occur due to the negligence of these administrators. Processed data also needs to be backed up. This requirement is understood by organizations; however, not all of them back up, and where they do, the backups may not be encrypted where necessary before storage. The movement of backup media is not always controlled. This also results in the risk of loss of information and its exposure to unauthorized persons due to theft or damage.

In 1996, Toyota had a major problem relating to IT, especially data management. They brought in Barbara Cooper as CIO. Her willingness to listen to her internal customers, especially business executives, helped them bring in slowly but rigorously a data management system, guided by the CIO and driven by the business, making the entire data management plan a great success. The evolution of the cell phone and its use towards betting on 'data' brought in features such as a purse holding up to $450, storage of some credit card numbers, and a forward link to about 22,000 retailers in Japan by JCB. (Source: The Asian Wall Street Journal, August 16, 2005.) IBM has a product for Continuous Data Protection (CDP) for mobile users, which can automatically create backups on their laptops. With laptops replacing desktops, it is a great strategy to cover both large and medium enterprises. As an additional plan, IBM has included CDP as part of its Tivoli family. (Source: infoworld.com, August 26, 2005.)

Impact on misuse or abuse of features (risk)

Features are available on systems and in applications to enable effective execution of tasks, provide support, and carry out maintenance and upgrade activities. For example, in a BPO serving an insurance client, access to the business application is available to the BPO employee carrying out back-office operations and to the IT administrator providing technical support. A back-office operator can add and change information pertaining to a policy as specified in the job function; however, if the back-office operator has malicious intent, they can misuse the same rights to fudge data and cause fraud. Similarly, business application developers and maintenance users are not required to carry out data-entry operations; however, their access to the databases holding the information is enough for one user to carry out unauthorized changes to the data, causing undesirable results.

Some of the other factors that can impact data

Information browsing: Unauthorized viewing of sensitive information by intruders or legitimate users may occur through a variety of mechanisms, like mis-routed electronic mail, printer output, mis-configured access control lists, group IDs, etc.

Information exploitation: The use of information assets for other than authorized purposes can result in damage to reputations; exposure of confidential information can result in unauthorized people gaining an insight into organizational information or processes.

Unauthorized deletion, modification or disclosure of information: Intentional damage to information assets is possible and can result in the loss of integrity of data, or the data may get disclosed, thereby losing the confidentiality of business information.

System penetration: Attacks by unauthorized persons or systems that may result in denial of service. While they can be traced back after an incident, they add significant cost, increasing the incident handling costs.

Misrepresentation: Attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organization.

While it is not possible to restrict authorised users from carrying out their job functions, certain controls can be implemented to minimize the possibility of misuse of systems. An additional compensating control, such as a monitoring mechanism, can be implemented to keep an eye out for any suspicious activities.

Controls

Controls required for data security include protection of the data processing infrastructure (e.g. computer systems, network components, etc.) from unauthorized use, unauthorized changes, or unavailability of services, and protection of the data itself from unauthorized disclosure, modification, or destruction. However, because certain security controls can hinder, slow down or reduce productivity, the security measures that are taken should be a balance between the controls required and their impact on productivity. The three main categories of data security controls are:
• Physical
• Technical
• Administrative

The applicability of these controls may be either preventive or detective. Preventive controls are those that are applied to prevent the occurrence of an unwanted physical, technical


or administrative security control breach. Detective controls lead to the identification or detection of an unwanted physical, technical or administrative security control breach after the breach has occurred.

Preventive controls
• Controls applied to deter or restrict individuals from carrying out unauthorized or malicious activities, or to discourage them from violating organization policies.
• Could include measures such as strong access control mechanisms coupled with auditing of the same, or defining disciplinary or penal action against violators.
• Can inhibit productivity, hence the limitation in their applicability.

Detective controls
• Controls applied to detect an incident, a security breach or any violation of the applied physical, administrative or technical controls.

Corrective controls
• Corrective controls can be applied after detection of a security violation so as to correct the damage done by an unauthorized action. Corrective controls result in the application of measures that either repair the damage done or build in restrictive controls by bringing about changes to policies/procedures or system configurations, thereby modifying the physical, administrative or technical controls.

Recovery controls
• Steps taken towards recovery of lost information or information processing equipment. Measures are taken to recover any monetary losses that result from the security violation.
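The earlier passage on information browsing says that, since authorised users cannot be stopped from doing their jobs, a monitoring mechanism is the compensating control; the list just above calls that a detective control. The following is an added illustration of such a mechanism, written for this page and not taken from the book: it reads application access logs (constructed sample lines below) and flags a user who views far more distinct customer records in a day than their role's baseline, or who views records outside working hours. The baselines, roles and hours are assumptions.

```python
"""Added example (not from the book): a detective control over application
access logs that flags the 'information browsing' pattern -- a legitimate
user reading far more records than the job needs, or reading at odd hours.

Assumed (mine): one log line per record view in the format
timestamp|user|role|action|record; a per-role daily baseline; working
hours 08:00-19:59. All log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2009-03-02T09:15:00|alice|teller|VIEW|CUST-1001
2009-03-02T09:16:10|alice|teller|VIEW|CUST-1002
2009-03-02T09:17:30|alice|teller|VIEW|CUST-1003
2009-03-02T02:10:00|bob|teller|VIEW|CUST-2001
2009-03-02T02:11:00|bob|teller|VIEW|CUST-2002
2009-03-02T11:00:00|carol|analyst|VIEW|CUST-3001
2009-03-02T11:00:05|carol|analyst|VIEW|CUST-3002
2009-03-02T11:00:09|carol|analyst|VIEW|CUST-3003
2009-03-02T11:00:14|carol|analyst|VIEW|CUST-3004
2009-03-02T11:00:20|carol|analyst|VIEW|CUST-3005
2009-03-02T11:00:26|carol|analyst|VIEW|CUST-3006
2009-03-02T11:05:00|carol|analyst|UPDATE|CUST-3006
"""

# Assumed baseline: distinct customer records a role normally views per day.
DAILY_BASELINE = {"teller": 40, "analyst": 5}
WORK_HOURS = range(8, 20)


def parse_line(line):
    ts, user, role, action, rec = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "rec": rec}


def find_suspicious(log_text):
    """Return {user: [reasons]} for users whose viewing looks like browsing.
    Users with nothing to report do not appear in the result."""
    views = defaultdict(set)      # (user, role, date) -> records viewed
    off_hours = defaultdict(int)  # user -> number of views outside working hours
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["action"] != "VIEW":
            continue               # only read access is in scope here
        views[(e["user"], e["role"], e["ts"].date())].add(e["rec"])
        if e["ts"].hour not in WORK_HOURS:
            off_hours[e["user"]] += 1
    findings = defaultdict(list)
    for (user, role, day), recs in views.items():
        limit = DAILY_BASELINE.get(role, 0)   # unknown role: any view is flagged
        if len(recs) > limit:
            findings[user].append(
                f"{len(recs)} distinct records on {day}, baseline {limit}")
    for user, n in off_hours.items():
        findings[user].append(f"{n} views outside working hours")
    return dict(findings)
```

A control like this only detects; what happens with a finding (review by a supervisor, a corrective change to the user's access) belongs to the corrective controls described above, and the baseline must be set per role from normal usage rather than guessed.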


Preventive physical controls

Preventive physical controls are applied to prevent individuals from gaining unauthorized access into facilities that house support infrastructure, such as electrical and HVAC systems, or information and information processing resources, such as servers, backup media, network equipment, etc. These controls also include protection against natural or man-made disasters. Some common preventive physical controls that are applied include:
• Site selection
• Fences
• Security guards
• Identification and access control systems
• Double door systems
• Locks and keys
• Backup power
• Backup of electronic and paper documents
• Fire extinguishers

Site selection

The site for the building where you would have your information processing and storage facilities should be carefully selected to avoid obvious risks. For example, wooded areas can pose a fire hazard, areas on or adjacent to an earthquake fault can be dangerous, and sites located in a flood plain are susceptible to water damage. In addition, locations under an aircraft approach or departure route are risky, and locations adjacent to railroad tracks can be susceptible to vibrations that can precipitate equipment problems.

Fences

Fences fall under the category of preventive physical controls that establish a no-trespassing line and can deter a simply curious person. Fences must be backed up with alarms and surveillance by security guards or a CCTV system, as may be required and feasible.

Security guards

Security guards add to the physical access control mechanism, since they can intercept intruders and ensure that only authorized personnel gain entry into the premises. They can also inspect the packages and other items that move in and out of the facility to ensure that the movement is authorized. The guards are better equipped if the facility is wired with intruder and fire alarm systems that can be monitored by the guards. The guards should patrol unattended areas within and around the facility during and after normal working hours to deter intruders from obtaining or profiting from unauthorized access.

Identification and access control systems

Authorised entry into facilities and computing resources can be effectively controlled with identification and access control systems. Having photo-identification cards for employees and separate identification cards for consultants/contract personnel and for visitors makes it easy to distinguish them. Electronic swipe cards can be coupled with the ID cards and programmed to define the locations that can be accessed by an individual. The swipe card reading system can detect unauthorized attempts to enter restricted areas. If stronger physical access controls are required, particularly in areas that are considered to be high-security zones and have very little traffic, one can consider biometric access control systems. Biometrics used for identification include fingerprints or handprints, voice patterns and retinal scans. One of the biggest advantages of biometrics is that they cannot be stolen or lost.

Double doors / turnstiles

Double doors or turnstiles can be used at entrances to restricted areas to force people to identify themselves before they can gain entry into the facility. Double doors and turnstiles are an excellent way to prevent intruders from following closely behind authorized persons and slipping into restricted areas.

Locks and keys

Locks and keys are commonly used for controlling access to restricted areas. Because it is difficult to control the copying of keys, many installations use cipher locks (i.e., combination locks containing buttons that open the lock when pushed in the proper sequence). With cipher locks, care must be taken to conceal which buttons are being pushed, to avoid a compromise of the combination.

Backup power

Backup power is necessary to ensure that information processing facilities are in a constant state of readiness and to help avoid damage to equipment if normal power is lost. For short periods of power loss, backup power is usually provided through uninterruptible power supply (UPS) units. In areas that are susceptible to outages of more than 30 minutes, diesel generator sets are normally recommended.

Fire extinguishers

In the event that a fire breaks out, it is very important to have measures in place that will prevent the fire from causing a loss of data and data processing facilities. Care should be taken to ensure that data processing facilities are not located close to potential fire sources like kitchens/cafeterias, and the infrastructure should be of non-combustible material. In addition to this, appropriate fire fighting equipment must be strategically located so that it can be easily accessed in the event of a fire outbreak.

Backup of electronic and paper documents

In the event of a disaster where data is lost, or where data integrity is lost due to operational errors or intruder activities, the only way one can restore data is from the backup. It is therefore essential that data is backed up and is readily available. The care one needs to take with the backup media is:
• One copy of the backup media must be located at a site that is far enough away from the primary site to avoid destruction of both.
• Both the local and remote backup media must be stored securely, preferably in storage that is made of non-combustible material and is fireproof.
• The backup of sensitive or highly classified information must be subjected to the same physical security and access controls as are maintained for the original data.

Detective physical controls

The detective physical controls are the ones that can detect a physical security incident and raise an alert. Some of the common detective physical controls that are recommended include:
• Motion detectors
• Smoke and fire detectors
• Closed-circuit television monitors
• Temperature and humidity sensors and alarms

Motion detectors

Facilities that are not manned should have motion detectors placed so as to detect any intruder movements.

Fire and smoke detectors

Adequate fire and smoke detectors have to be strategically located so that a fire can be detected early enough for taking necessary action. It is very important to test these detectors regularly, because moisture and dust can at times raise false fire alarms.


Closed-circuit television monitors

Strategically located CCTV cameras are used to record activities in the production areas, particularly the behaviour or acts of individuals.

Temperature and humidity sensors and alarms

Computing facilities require that the environment in which they are placed has adequate control over temperature and moisture. The temperature and humidity sensors monitor environmental conditions inside the computing facilities, and in the event that environmental conditions fail to remain within the defined acceptable limits, an alarm is raised to alert the maintenance personnel to correct the situation.

Technical Controls Technical controls are the ones that are built into computer hardware, operating systems, application software and into communications hardware and software to safe guard · . agamst any mlsuse.

Preventive Technical Controls Preventive technical controls are the ones that are used to prevent any unauthorized person or application from gaining remote or local access into a system Some preventive technical controls that can be implemented include • User Authentication • Anti-virus software " Encryption • Dial-in access control and callback systems

User Authentication

User authentication through access control software, enabled with a login-id and password, ensures that users must prove who they are before gaining access to the information available on the computing resources. The system must never store the password itself: it should store only a salted, deliberately slow one-way hash of it, so that a stolen credential database does not directly yield the passwords.


Individuals must ensure that the passwords they use are not dictionary words or personal information, but are reasonably complex so that no one can easily guess them. They should ensure that the password is changed once in 30 days and that their login credentials are not shared with others. (Later guidance such as NIST SP 800-63B drops forced periodic change in favour of longer passphrases, screening against lists of known-breached passwords, and changing a password when compromise is suspected; an organization should choose which rule it follows deliberately and enforce it consistently.)
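As an added illustration, not code from this book, here is how the login-id and password mechanism described above can be implemented so that the password rules are checked and the password itself is never stored. It is written in Go using only the standard library. The word list, the personal details, the 12-character minimum, the three-character-class rule and the 100,000 PBKDF2 iterations are this example's own assumptions, not figures from the text:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// Kept modest so the example runs quickly (an assumption); production should
// use a far higher count or a memory-hard function such as Argon2.
const iterations = 100_000

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key, which needs only
// block 1; written out here so the example stays standard-library only.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1})  // INT(1): block index, big-endian
	u := prf.Sum(nil)              // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// CheckPasswordPolicy returns "" if pw meets the text's rules (no dictionary
// word, no personal information, reasonably complex), else the reason it was
// rejected. The 12-character minimum and three-class rule are assumptions.
func CheckPasswordPolicy(pw string, personal, dictionary []string) string {
	lower := strings.ToLower(pw)
	for _, w := range dictionary {
		if lower == strings.ToLower(w) {
			return "dictionary word"
		}
	}
	for _, p := range personal {
		if p != "" && strings.Contains(lower, strings.ToLower(p)) {
			return "contains personal information"
		}
	}
	if len([]rune(pw)) < 12 {
		return "shorter than 12 characters"
	}
	symbol := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	classes := 0
	for _, f := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, symbol} {
		if strings.IndexFunc(pw, f) >= 0 {
			classes++
		}
	}
	if classes < 3 {
		return "needs at least three character classes"
	}
	return ""
}

// HashPassword returns what to store instead of the password: algorithm,
// iteration count, a fresh random salt and the derived key, in one string.
func HashPassword(pw string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key := pbkdf2([]byte(pw), salt, iterations)
	return fmt.Sprintf("pbkdf2-sha256$%d$%x$%x", iterations, salt, key), nil
}

// VerifyPassword re-derives the key with the stored salt and compares it in
// constant time, so response timing does not reveal how many bytes matched.
func VerifyPassword(stored, pw string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	var iter int
	_, err := fmt.Sscanf(parts[1], "%d", &iter)
	salt, err1 := hex.DecodeString(parts[2])
	want, err2 := hex.DecodeString(parts[3])
	if err != nil || err1 != nil || err2 != nil || iter <= 0 || len(want) != 32 {
		return false
	}
	return subtle.ConstantTimeCompare(pbkdf2([]byte(pw), salt, iter), want) == 1
}

func main() {
	dict := []string{"password", "welcome", "letmein"} // constructed word list
	fmt.Println(CheckPasswordPolicy("Rahul1985!xyzQ", []string{"rahul", "1985"}, dict))
	stored, _ := HashPassword("correct-Horse7battery")
	fmt.Println(stored, VerifyPassword(stored, "correct-Horse7battery"), VerifyPassword(stored, "wrong"))
}
```

The stored record carries its own salt and iteration count, so the count can be raised later for new passwords without breaking verification of the old ones.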

Anti-virus Software

The escalating rate at which new viruses find their way into the cyber world only emphasizes the need for antivirus software that can detect and block virus activity. While it is true that no anti-virus software can protect 100%, the care that must be taken is to ensure that the antivirus software is always running, cannot be disabled by ordinary users, and is updated with the latest virus definitions.

Encryption

Clear-text data, when transmitted over the network, is always at risk of being sniffed, leading to unauthorized disclosure of information. Encryption is the technology that converts clear-text data into an unreadable form, so that malicious users cannot decipher the contents even if they capture the network traffic. Encryption can be implemented with either hardware or software. Software-based encryption is the least expensive method and is suitable for applications involving low-volume transmissions; using software for large volumes of data can raise processing costs. Because the work is offloaded from the host processor, hardware encryption has traditionally been preferred when large volumes of data are involved, although modern processors with built-in AES instructions have narrowed this gap considerably. Note that encryption by itself only hides the contents; it does not detect modification of the traffic, which is why modern protocols pair it with an authentication tag.
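An added example, not from the book, of the encryption described above using AES-256-GCM from the Go standard library. It shows what a sniffer sees on the wire, that the intended recipient recovers the clear text, and that a message altered in transit is rejected rather than silently decrypted to garbage. The sample record and the "txn-42" label are constructed for the example:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit AES key. In practice the key comes from a
// key-management system or a key exchange, never from source code.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random nonce is prepended
// to the output, and the authentication tag that Seal appends lets the receiver
// detect tampering as well as keeping the contents unreadable to a sniffer.
// associated is authenticated but not encrypted (a header or message id, say).
func Encrypt(key, plaintext, associated []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, associated), nil
}

// Decrypt reverses Encrypt and returns an error if the key, nonce, associated
// data or any ciphertext byte differs from what was sealed.
func Decrypt(key, msg, associated []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	nonce, ciphertext := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, associated)
}

// Tampered returns a copy of msg with one byte flipped, which is what an
// attacker modifying traffic in transit would produce.
func Tampered(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	key, _ := NewKey()
	record := []byte("ACCOUNT=1234 AMOUNT=500.00") // constructed sample record
	label := []byte("txn-42")
	sealed, _ := Encrypt(key, record, label)
	fmt.Printf("on the wire:   %x\n", sealed) // all a sniffer sees
	plain, err := Decrypt(key, sealed, label)
	fmt.Printf("recipient got: %s (err=%v)\n", plain, err)
	_, err = Decrypt(key, Tampered(sealed), label)
	fmt.Println("tampered copy:", err)
}
```

A nonce must never be reused with the same key under GCM; generating a fresh random one per message, as above, is acceptable for modest message counts, while high-volume systems should use a counter or rotate keys.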

Dial-in Access Control and Callback Systems

Dial-in is a means by which users can connect to remote computing resources using a modem over a telephone line. However, if adequate controls are not in place, an unauthorized user can dial into an organization's network. Dial-in access control can ensure that only calls from defined numbers are accepted, after which the user is authenticated through the user authentication mechanisms. A callback system helps further: it records the calling number, hangs up, and dials back to the number registered for that user, so that a caller presenting a spoofed number never obtains a connection. The callback must go to the pre-registered number rather than to whatever number the caller presented, since caller-ID can be spoofed and a call to the presented number can be forwarded.

Detective Technical Controls

Detective technical controls monitor the systems for any violation of the intended security and alert the system administrators to the attempted or actual breach. Some detective controls that are implemented include:
• Intrusion detection and prevention systems
• Log analysis and audit trails

Intrusion Detection and Prevention Systems

Intrusion detection and prevention systems are useful in detecting activities carried out by unauthorized users who pretend to be authorized users, or cases where authorized users carry out unauthorized activities. These systems monitor users' activities while they are using the system to determine whether those activities are in line with the defined policy and established rules. In the event of a violation, the user's session may be terminated or the rule set updated to prevent the attacker from causing further harm, and the system administrator or the security officer is alerted about the breach.

Transaction Logs, Incident Logs and Audit Trails

The term 'transaction log' is used for the record of transaction details that the immediate supervisor can review in order to take internal corrective action. A transaction log is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to the output of the final results.

The term 'incident log' refers to an automated log that records any deviation from the normally assigned permissions, as well as application malfunctions. This log is to be reviewed outside the working unit, by IT or by the business depending on the nature of the incident reported, for suitable corrective action such as patch updates. Violation reports, or in this case incident logs, present significant security-related events that may indicate actual or attempted policy transgressions. They should be reviewed frequently and regularly by security officers and database owners to identify and investigate successful and unsuccessful accesses.

The term 'audit trail' is used for the record of administrative aspects (users, files accessed, and so on) that is reported outside the working unit, so that the internal auditor can review it and confirm that access to applications, data and systems is being used according to the roles and responsibilities decided under segregation of duties.

Thus the transaction log is reviewed within the working unit; the incident log is reviewed by the business or business-IT owners outside that unit; and the audit trail is reviewed by auditors, outside that unit, who are looking for internal control weaknesses. For any of these records to be trustworthy, the people whose actions they record must not be able to alter them: logs should be forwarded promptly to a separate, access-restricted log server, and the clocks of the systems producing them should be kept synchronized so that events from different systems can be correlated.
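The following Go program is an added example, not the book's own, that ties together the two sections above: it reads authentication log lines, applies a detection rule of the kind an intrusion detection system or a log review would use, and produces alerts that distinguish an attempted breach from a successful one. The log excerpt is constructed in the style of OpenSSH syslog messages, and the threshold of four failures within five minutes is an assumption of the example:

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed in the style of OpenSSH syslog messages; it is not
// taken from any real system.
const sampleLog = `Mar 12 09:14:01 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 09:14:03 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 09:14:05 app01 sshd[2214]: Accepted password for ravi from 198.51.100.5 port 40012 ssh2
Mar 12 09:14:06 app01 sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 09:14:08 app01 sshd[2215]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 09:14:09 app01 sshd[2216]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 12 09:14:12 app01 sshd[2217]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 12 09:30:00 app01 sshd[2300]: Failed password for ravi from 198.51.100.5 port 40100 ssh2
Mar 12 09:31:00 app01 CRON[2400]: pam_unix(cron:session): session opened for user root`

type Event struct {
	When    time.Time
	Outcome string // "Failed" or "Accepted"
	User    string
	Source  string
}

type Alert struct {
	Kind   string // "brute-force" or "success-after-brute-force"
	Source string
	User   string
	When   time.Time
}

var authLine = regexp.MustCompile(
	`^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLine extracts an authentication event; lines that are not sshd password
// results (the CRON line, for instance) are skipped.
func ParseLine(line string) (Event, bool) {
	m := authLine.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	when, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog lines carry no year
	if err != nil {
		return Event{}, false
	}
	return Event{When: when, Outcome: m[2], User: m[3], Source: m[4]}, true
}

func LoadEvents(text string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if e, ok := ParseLine(sc.Text()); ok {
			events = append(events, e)
		}
	}
	return events
}

// Analyze raises "brute-force" the first time a source reaches threshold
// failures within window, and "success-after-brute-force" when that source then
// logs in: the attacker has a valid password and the live session must be cut.
func Analyze(events []Event, threshold int, window time.Duration) []Alert {
	failures := map[string][]time.Time{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		recent := failures[e.Source][:0] // keep only failures inside the window
		for _, t := range failures[e.Source] {
			if e.When.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		switch e.Outcome {
		case "Failed":
			recent = append(recent, e.When)
			if len(recent) >= threshold && !alerted[e.Source] {
				alerts = append(alerts, Alert{"brute-force", e.Source, e.User, e.When})
				alerted[e.Source] = true
			}
		case "Accepted":
			if len(recent) >= threshold {
				alerts = append(alerts, Alert{"success-after-brute-force", e.Source, e.User, e.When})
			}
		}
		failures[e.Source] = recent
	}
	return alerts
}

func main() {
	for _, a := range Analyze(LoadEvents(sampleLog), 4, 5*time.Minute) {
		fmt.Printf("%s %-26s source=%s user=%s\n", a.When.Format("15:04:05"), a.Kind, a.Source, a.User)
	}
}
```

Blocking new connections from the source answers the brute-force alert, but the success-after-brute-force alert means a session already exists and must be terminated, which is the prevention response the text describes; the lone failure from 198.51.100.5 correctly produces nothing.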

Administrative Controls

Controls need to be established to ensure an acceptable level of protection for computing resources. It is best to have a corporate security policy covering the business security objectives; a corporate security policy is the best directive control. The operational area can be aligned to this security policy by creating several administrative controls, consisting of operational procedures as appropriate, to manage and monitor security. These controls are also called control procedures, and they translate management's constraints and directives into effective control mechanisms. In this way, delegation of information or data security responsibility and accountability can become very effective.


Preventive Administrative Controls

Preventive administrative controls are techniques used for controlling an individual's behaviour to ensure that the confidentiality, integrity, and availability of data are not compromised. Preventive administrative controls include:
1. Security sensitization, awareness, training and certification
2. Segregation of duties and separation of duties
3. Recruitment and termination procedures
4. Supervision
5. Security policies, procedures and guidelines, with forms and formats
6. Disaster recovery, contingency, and emergency plans
7. System access control framework

Security Sensitization, Awareness, Training and Certification

The first step towards security over data is sensitizing all the stakeholders about data protection and privacy. This means creating a security culture, and it cannot be achieved overnight. The process involves exposing employees, non-employees, contractors and others at the operational level to the implications of the do's and don'ts for their day-to-day activities while dealing with data. They should understand that they are working in a safe and secured environment and that the enterprise provides such an environment for them to work in. At the same time it is important for all the stakeholders to realize that failure to comply with the do's and don'ts can lead to consequences as serious as financial liability, litigation and expulsion, and that these are covered by the law. This creates the first level of a safe and secure working culture within the enterprise.

The second level is creating awareness of the current security practices applicable to different stakeholders for maintaining data privacy and security. This includes informing them about the latest antivirus and program patches, spam filters, security alerts, etc., so that they are aware of them and see that the company treats such information seriously to safeguard the interests of all its data and stakeholders.

The third level is training for the employees identified to protect the data and to understand security requirements across the enterprise. This includes training on the various standards and on complying with the international business requirements applicable to the nature of the industry, its size, its people and its data. To acquire operational security skills, the employees concerned may need to undergo product certification and training to keep their technical knowledge up to date and meet the business IT requirements.

Lastly, at the fourth level, it is important to go for people certification and enterprise certification. People certification could include qualifying under ISO 27001 / ISO 17799 (BS 7799; ISO 17799 has since been renumbered ISO 27002) and ISO 20000 (BS 15000); enterprise certification could include complying with ITIL, COPC, COBIT, etc., besides being certified under ISO 9001, ISO 27001, ISO 20000, etc.

Segregation of Duties and Separation of Duties

At the enterprise level, roles and responsibilities are defined. Based on this definition, the enterprise will identify and provide segregated locations for different infrastructure. This provides segregation of work areas and functions by design. While placing professionals into these segregated duty areas, it is important to maintain separation of access rights to applications, data and infrastructure to meet the business IT security objectives. The risk of having one person carry out a complete process or project is like having all the eggs in one basket. By separating duties one ensures that no single individual has total control over a process, and instead forces the person to interact with others to complete tasks (which also means that the person would have to collude with others if there were an intent to cause harm or obtain personal gain). Access rights should be reviewed periodically against the role definitions, since rights accumulate as people move between roles and the separation erodes unnoticed.


Recruitment and Termination Procedures

An effective recruitment procedure can minimize the chances of hiring a person who may violate the security policy. Some of the checks that the human resources department must carry out include:
• The applicant's criminal history (though a clean record does not by itself establish the individual's honesty and integrity)
• Reference checks, where the employment history, character and, where required, the credit rating of the individual must be obtained

The second point addresses the background check of all employees, non-employees and contractors. The check on criminal history will help in the first round of elimination; the employment reference will help in judging the