4
A Security Baseline
The security baseline proposed in this chapter is built on the key risk indicator (KRI) controls identified in Chapter 2. Of the possible 133 controls in the ISO/IEC 17799:2005 (27002), I have identified 35 controls as KRI controls. These controls are critical and paramount to every information security program, independent of organization or industry. Each of the 35 controls will be listed in the forthcoming sections. The rationale for why they should be considered a security baseline is described and included within the text. Requirements for implementation and assessment are beyond the scope of this chapter, and if additional guidance is required, refer to Chapters 7 through 17 as needed as well as the official standard itself.
KRI SECURITY BASELINE CONTROLS
Any organization, independent of industry, could benefit from having the 35 KRI controls implemented to a high degree of effectiveness within their organization and operation. Furthermore, the absence or lack of effectiveness of the KRI controls would likely result in a weakened security posture and introduce unnecessary risks into the organization. A listing of these 35 controls is provided in Listing E.
Listing E: KRI Security Baseline Controls
• Information Security Policy Document
• Management Commitment to Information Security
• Allocation of Information Security Responsibilities
• Independent Review of Information Security
• Identification of Risks Related to External Parties
• Inventory of Assets
• Classification Guidelines
• Screening
• Information Security Awareness, Education, and Training
• Removal of Access Rights
• Physical Security Perimeter
• Protecting Against External and Environmental Threats
• Secure Disposal or Reuse of Equipment
• Documented Operating Procedures
• Change Management
• Segregation of Duties
• System Acceptance
• Controls Against Malicious Code
• Management of Removable Media
• Information Handling Procedures
• Physical Media in Transit
• Electronic Commerce
• Access Control Policy
• User Registration
• Segregation in Networks
• Teleworking
• Security Requirements Analysis and Specification
• Policy on the Use of Cryptographic Controls
• Protection of System Test Data
• Control of Technical Vulnerabilities
• Reporting Information Security Events
• Including Information Security in the Business Continuity Management Process
• Identification of Applicable Legislation
• Data Protection and Privacy of Personal Information
• Technical Compliance Checking
AU7087_C004.fm Page 55 Tuesday, May 23, 2006 8:27 AM
Layton, Timothy P. Information Security: Design, Implementation, Measurement, and Compliance, Auerbach Publishers, Incorporated, 2006. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=267956. Created from apus on 2025-04-18 02:44:51.
Copyright © 2006. Auerbach Publishers, Incorporated. All rights reserved.
SECURITY BASELINE
The concept of a security baseline is intended to establish and document a series of key controls that every organization should consider implementing to a high level of effectiveness within their operations. The scope and intent of these controls must also be documented as part of the information security program, including the information security policy. All 35 of the KRI controls will be listed and described in detail in the forthcoming sections. The controls are presented by order of their control reference number (i.e., 5.1.1, 6.1.1, etc.) in ascending order. There is no type of weighting or credit applied to one control versus another. The idea is that all 35 of the KRI controls are critical to uphold the information security program in its entirety and that the sum of controls is required to ensure program integrity.
Chapters 7 through 17 provide detailed information and guidance on all 133 of the ISO/IEC 17799:2005 (27002) controls including control purpose and scope, control class, key questions to ask for assessment purposes, and any additional information as appropriate. Implementing the KRI controls does not guarantee 100 percent security, as no balance of controls and safeguards could ever guarantee this. It is reasonable to assume that if all 35 of the KRI controls are implemented to a high level of effectiveness, an organization will carry far fewer risks than the average organization. The KRI controls will need to be continually assessed, monitored, and reinforced. Organizations are dynamic, and information technology systems and environments are ever changing. New vulnerabilities can be introduced that can possibly be exploited by new threats at any given time, resulting in increased risks to the organization.
INFORMATION SECURITY POLICY DOCUMENT
The information security policy document control points out the obvious requirement of an organization developing and publishing an information security policy document. The control stresses the importance of communicating the policy to all appropriate parties including employees, consultants, contractors, and external parties. The code of practice does not give specific guidance regarding how to accomplish this, but it suggests that the policies be communicated in an effective manner that ultimately gains the acceptance and compliance of the target users. The exact mix and process for delivering information security awareness messages will likely vary for each organization, but the method to build and deliver an information security awareness program is basically the same for every organization. ISO/IEC 27001 provides guidance on the development and maintenance of the security policy and program.
Implementation guidance provides basic instructions on some of the most obvious sections and statements that should be included in the formal information security policy document. One of the most overlooked and most critical components that should be included in every information security policy is risk assessment and its relationship to risk management. There is little guidance on exactly what should be included in the information security policy, and for good reason. There is no magic list of items, other than the basic components included in the implementation guidance section of this control, that should be a part of all information security policies.
Information security policies are developed by information security managers and ultimately approved by senior or executive management—as they should be. As an information security professional who has reviewed information security programs for many organizations, I see this one area cause information security managers the most trouble. It is a difficult task to decide what should, or should not, be included within the policy and exactly which words to use to effectively convey the intent and meaning of the policy.
A large number of information security managers have backgrounds that are rooted in information technology and not in the writing and publishing of policy documents. No matter the depth of a professional’s background, writing, developing, selling, and publishing information security policy documents that meet all of the organizational requirements are complex and difficult tasks. The potential impact of having misaligned or missing information security policies is potentially devastating for an organization. There could be financial, compliance, regulatory, or other negative consequences as a result of the missing or inappropriate policies. In severe cases, it could lead to legal actions or the downfall of the company.
For public organizations, legal, federal, and regulatory compliance matters involving information security must be accounted for in the formal policy document. With the recent legislation (HIPAA, GLB, SOX), it is imperative that information security policies appropriately document the organization’s requirements or there is a possibility of serious negative consequences.
It is logical to refer to the 5.1.1 control implementation guidance section for additional information about the sections and components to be included in the information security policy. The implementation guidance has limited value for information security managers seeking advice and input on what should be included in the policy. Control 5.1.1 is not intended to provide structure and advice on information security policy. The purpose of this control is to state the importance and criticality of having a documented and supported information security policy and not to state the definition of its content. Refer to ISO/IEC 27001 for additional information and help in this area.
Information security managers should attempt to form peer relationships with organizations within their same industry. Most organizations are typically not inclined to share corporate documents, and information security policies are no exception. Most organizations are fearful of the legal consequences that might occur as a result of sharing the information contained within their policy documents.
The information security manager should be concerned first with creating a framework for the information security policies and then with creating the individual policies as needed. The framework should be approved by executive management and be realized by a formal process that ultimately produces an approved policy. The structure of the ISO/IEC 17799:2005 (27002) is one option for the structure of the information security policies. There are a number of resources available via the Internet that can assist in the creation of an ISO/IEC 17799:2005 (27002)–compliant framework. There are a number of professional consulting firms specializing in the creation and development of ISO/IEC 17799–aligned information security policy documents. Information security managers and executive management should leverage every resource available to them and not be afraid to involve external experts for guidance or confirmation.
It is theoretically impossible for an organization to have a cohesive information security program that will appropriately protect the organization’s assets without having a written and approved information security policy. It is easy to understand that if an organization has a written and approved policy as described in this section, many other actions are required by several other organizational resources to formally publish the policy. The benefits gained from involving the correct resources in the policy development process are invaluable to the overall security posture for an organization.
MANAGEMENT COMMITMENT TO INFORMATION SECURITY
Control 6.1.1 (Management Commitment to Information Security) outlines the importance of senior management supporting and sponsoring the information security program. This control suggests that management involvement goes all the way to the board of directors and requires that executive management and the board of directors take an active role in information security.
For example, it is the responsibility of the information security officer, or the highest-level position for information security within the organization, to develop, sponsor, and publish the information security policy documents, but it is the responsibility of the executive management team to ensure that the policies meet organizational, legal, contractual, and regulatory requirements.
The information security officer or manager should seek out the help and advice of an executive management sponsor and leverage this relationship to carry a number of information security issues forward to the board of directors.
The implementation guidance section within this control gives practical and relevant advice on how management can actively support the information security program. Without the clear and active support of executive management, the information security program will not be as effective as it should be and will likely fail at some level. The reason this control is considered a key risk indicator is that without executive management support, the information security posture of the organization would be at significant risk and likely lead to devastating consequences for the organization at some point in the future. Management commitment for information security could be thought of as a key element that absolutely must exist at the core of every information security program if it is going to be effective and successful in controlling information security risks.
ALLOCATION OF INFORMATION SECURITY RESPONSIBILITIES
Information security roles and responsibilities must be defined by management; otherwise, it is unreasonable to assume that employees and users of the organization’s assets clearly understand their responsibilities for information security. Confusion or lack of understanding is the recipe for disaster.
The issue of information security responsibility should be clearly defined and described within the information security policy document. The standard suggests that organizations anchor responsibilities to assets. Assets must have owners, and if the owners are aware of their information security responsibilities, this objective is executed. It is logical to conclude that the identification of assets would have numerous benefits throughout the organization and specifically within the information security program. The definition of an asset in traditional terms typically indicates some type of tangible item located on the balance sheet. Risk management and information security have challenged this traditional view of assets and suggest that assets are also intangible. Examples of these types of assets would include company goodwill, employee morale, brand, etc.
The overall assumption is that if an asset has an assigned owner, the owner can be responsible for its protection and security. The spirit of this control is a good candidate to include in the information security awareness and education program as well. People are very busy and tend to forget some of the most obvious requirements about information security. For example, it seems very logical to lock your workstation or computer when leaving your desk, but in the heat of the moment it is very easy to simply forget and leave the computer unprotected. How many people have you passed within your organization whom you did not know, allowing them to pass you because you assumed they were legitimate?
INDEPENDENT REVIEW OF INFORMATION SECURITY
The regular and independent review of an organization’s information security policies and program is one of the best investments the organization can make. Having trained and knowledgeable information security subject matter experts review an organization’s policies and security practices will expose shortcomings and deficiencies before they are exploited and possibly turned into a negative or devastating event. The code of practice suggests that this type of review be led by senior management and not by the system owners. The analysis and report should be shared with executive management and information security management to produce the most desirable results. There is no such concept of a completely secure organization, but the goal is to ensure that the security program is in alignment with the business goals and various requirements including legal, contractual, and regulatory requirements. An independent review of the information security policies and program has the potential to help the organization avoid potentially serious and negative consequences.
IDENTIFICATION OF RISKS RELATED TO EXTERNAL PARTIES
One of the easiest areas for the information security program and strategy to break down is the area involving business activities and processes beyond the organization’s direct control. An example of this is when an organization utilizes a third party to fulfill a business requirement. It is very difficult to control what you do not have access to or knowledge of. Information security management should develop a series of information security risk assessment processes to evaluate and assess information security risks of third parties. This process should begin during the third-party selection process and be included in the criteria for their selection. The scope of the assessment should be driven by the amount of risk or potential loss. Control 6.2.1 provides a number of very good examples of what an organization should consider including for the review of external parties.
INVENTORY OF ASSETS
Besides the obvious accounting requirements, an inventory of information technology and systems is a logical and critical task for information security and assurance. In the event of a business interruption, for whatever reason, how would the organization know what to include in the disaster recovery or business continuance plan unless a detailed and systematic inventory is maintained? Examples of critical assets would include hardware, software, applications, application data, data files, hard and soft copies of legal and contractual agreements, security and support procedures, human resource data, financial records, etc. The inventory of assets may be critical for some organizations to understand and evaluate the potential impact to their organization in the event of their loss or interruption.
CLASSIFICATION GUIDELINES
Organizations operating in current times leverage the advantages and efficiencies afforded them by information processing systems and applications. It is hard to imagine even a small organization operating without the help and assistance of computing systems. Even if an organization operates without the help of information systems, it does not eliminate or reduce the potential impact of operating without information classification. An organization must create and publish information classification guidelines if it expects users to appropriately handle information and data. This topic should be one of the primary elements included in every information security awareness and education program. The classification guidelines should be clearly documented within the information security policy as well.
An information classification scheme should be developed by management in terms of its importance, value, sensitivity, and legal requirements for the organization. Typical classification labels would include public, internal use, confidential, and restricted. Clear definitions for each of these classifications must be documented and communicated to every user within the organization. Supporting procedures and guidelines must be developed and published so that users understand the requirement for appropriately protecting each class of information and the correct procedures ensuring its protection. Management should refer to control 7.2.1 for additional help and work with their peers within their same industry to possibly provide additional help and guidance.
It is logical to conclude that if an organization does not create and publish classification guidelines for all information and data types within their organization, they are making themselves and their organization vulnerable to unnecessary risks and dangers. For many industries, this is required by law or regulation. Even if information classification is not required by law or regulation, it is considered to be an industry best practice for information security.
SCREENING
The act and process of screening employees, contractors, and third-party users is critical to uphold the integrity of the information security policy. The scope and degree of the screening should be in alignment with organizational requirements. For example, the scope of the screening process for a manufacturing firm that manufactures widgets and does not store or process information that is governed by laws or regulations would likely be different from the scope of the screening process for a financial institution that must comply with numerous regulations and laws. However, the manufacturing firm may elect to screen employees, consultants, and third parties just as aggressively as financial or government organizations do because their data is critical to the long-term success of their organization.
Typical screening activities would include past employment dates and references, personal references, identity check (driver’s license, social security cards, etc.), college education verification, confirmation of professional certifications, personal credit check, criminal background investigation, etc. Many organizations perform this type of check only at the beginning of the employment process and do not consider performing additional checks upon promotion or increased responsibilities. The background and risks associated with an employee can change drastically over time. It is possible for employees to commit fraudulent actions, experience financial distress, or develop other conditions that could possibly alter their normal behaviors. This is why it is critical for organizations to create a process that is in alignment with the risks of their organization. The actions of a single bad person can compromise the integrity of the actions of the entire organization. People, without doubt, are an organization’s greatest assets—but also one of its greatest risks.
INFORMATION SECURITY AWARENESS, EDUCATION, AND TRAINING
Information security awareness, education, and training are overarching principles that must be implemented in every organization. There is a clear difference between awareness, education, and training. Awareness is typically directed at all users and tends to focus their attention on global security principles. Training, on the other hand, is much more in-depth and the message is directed at a specific group or audience with an expected outcome. Education is another step beyond training where concepts and topics are covered in depth for the purpose of developing new skills and altering the outcome in some way. Education answers the question “why” and focuses on theory and research. Education is understood to continue over a period of time to master the concepts and theories.
REMOVAL OF ACCESS RIGHTS
Without a formal process and diligent actions on the part of the network administration staff, access rights for terminated employees, consultants, contractors, and third parties could lead to a negative and significant security-related event. All access rights should be removed and recorded immediately upon termination of the relationship. The removal process could also include logical and physical access such as keys, identification badge/card, access badge, etc. Depending on company policy, collection of these types of items could be handled by the human resources department or the reporting manager. Either way, a clear and documented process and procedure should be developed and executed as required. Failure to do so could result in a security-related breach or exploit of systems or assets.
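One way to verify that the removal process above actually happened is to reconcile the HR termination feed against everything that is still active, logical accounts and physical credentials alike. The following is an added example written for this discussion, not code from the book or from the standard; the HR feed, the access snapshot, the user names and the audit date are all constructed.

```python
"""Reconcile HR terminations against access rights that are still active.

Added example, not from the book: the HR feed, the access snapshot and the
user names are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed audit date and HR feed: user -> last day of the relationship.
AUDIT_DATE = date(2024, 4, 1)
TERMINATIONS: Dict[str, date] = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 3, 15),
    "ccontractor": date(2024, 4, 30),  # leaves after the audit date: nothing to remove yet
}

# Constructed access snapshot: (user, system or credential, kind, still active?)
# Logical rights (accounts) and physical rights (keys, badges) are listed together
# because the removal process has to cover both.
ACCESS_RIGHTS: List[Tuple[str, str, str, bool]] = [
    ("asmith", "vpn", "logical", True),
    ("asmith", "badge-HQ", "physical", True),
    ("bjones", "erp", "logical", False),       # already disabled: not a finding
    ("bjones", "badge-HQ", "physical", True),  # badge never collected
    ("dlee", "vpn", "logical", True),          # not in the HR feed: still employed
    ("ccontractor", "git", "logical", True),
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    kind: str          # "logical" or "physical"
    days_overdue: int  # days the right survived past the termination date


def orphaned_access(terminations, access_rights, as_of: date) -> List[Finding]:
    """Return every active right held by someone whose relationship ended on or before as_of."""
    findings = []
    for user, system, kind, active in access_rights:
        if not active:
            continue
        end = terminations.get(user)
        if end is None or end > as_of:
            continue  # not terminated, or termination not yet effective
        findings.append(Finding(user, system, kind, (as_of - end).days))
    # Longest-outstanding rights first, so the worst lapses are reviewed first.
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count outstanding rights per kind; a figure worth trending as a KRI over time."""
    counts = {"logical": 0, "physical": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    found = orphaned_access(TERMINATIONS, ACCESS_RIGHTS, AUDIT_DATE)
    for f in found:
        print(f"{f.user:12} {f.system:10} {f.kind:8} overdue {f.days_overdue} days")
    print(summarize(found))
```

Run against the constructed data, the report lists the two rights still held by asmith and the uncollected badge of bjones, while the contractor whose end date is still in the future and the current employee produce no finding. The days-overdue figure is what turns a one-off check into a measurable control: the lag between termination and removal can be trended just like any other key risk indicator.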
PHYSICAL SECURITY PERIMETER
Physical perimeters are obvious but often overlooked by many. Walls, gates, manned parking lots, and alarm and fire systems are all commonly thought of by many organizations. Card-controlled access to every entry into the organization’s facilities is becoming more common, as is a manned reception desk. Physical security perimeter controls should undergo the same due diligence and risk assessment process as other controls. The controls and safeguards should be implemented because of the result of analysis and consideration, not because they are obvious and customary.
This approach can create a false sense of security because management believes that all of the appropriate physical perimeter controls have been implemented to protect and safeguard the organization. If an organization has implemented a card-controlled access system for all entry and exit points to the organization’s facilities but does not have a cohesive business process to monitor and audit the logs, the control has not been implemented properly and there is unnecessary risk for the organization. This control and other closely related information should be included in the information security awareness initiative. Several examples for implementation guidance are provided in the body of the code of practice.
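The point about monitoring the logs of a card-controlled access system is easy to state and easy to neglect. As an added illustration (not from the book, and not a feature of any particular badge system), the script below runs two simple audits over a constructed badge-reader export: successful entries outside business hours, and a badge that is refused repeatedly within a short window. The record format, the door names, the badge numbers and the thresholds are all assumptions; the regular expression would be adapted to whatever the real reader exports.

```python
"""Audit badge-reader logs for conditions worth a human look.

Added example, not from the book: the record format, the door names, badge
numbers and thresholds are constructed; adapt LINE_RE to your reader's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format: ISO timestamp, door, badge id, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) badge=(?P<badge>\d+) result=(?P<result>GRANTED|DENIED)$"
)

# Constructed sample export covering one night and the following morning.
SAMPLE_LOG = """\
2024-04-01T08:02:11 door=lobby badge=1001 result=GRANTED
2024-04-01T08:05:40 door=server-room badge=1001 result=GRANTED
2024-04-01T22:47:03 door=server-room badge=1042 result=GRANTED
2024-04-01T23:01:10 door=server-room badge=1077 result=DENIED
2024-04-01T23:02:15 door=server-room badge=1077 result=DENIED
2024-04-01T23:04:50 door=server-room badge=1077 result=DENIED
2024-04-02T09:15:00 door=lobby badge=1077 result=DENIED
"""

BUSINESS_HOURS = (7, 19)               # granted entries outside 07:00-19:00 get reviewed
DENIAL_THRESHOLD = 3                   # this many denials for one badge ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within this window raises an alert


def parse(log_text: str) -> List[Dict]:
    """Turn the export into dicts. A malformed line is an error rather than being
    skipped silently, because a log the audit cannot read is itself a finding."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable badge record: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "door": m["door"],
            "badge": m["badge"],
            "result": m["result"],
        })
    return events


def after_hours_entries(events: List[Dict]) -> List[Dict]:
    """Successful entries outside business hours."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["result"] == "GRANTED" and not (start <= e["ts"].hour < end)]


def repeated_denials(events: List[Dict]):
    """(badge, first denial time, count) for each badge refused DENIAL_THRESHOLD or
    more times inside DENIAL_WINDOW. The sliding window means spread-out denials
    (a forgotten badge on different mornings) do not alert."""
    by_badge = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            by_badge[e["badge"]].append(e["ts"])
    alerts = []
    for badge, times in by_badge.items():
        times.sort()
        for i, first in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - first <= DENIAL_WINDOW)
            if in_window >= DENIAL_THRESHOLD:
                alerts.append((badge, first, in_window))
                break  # one alert per badge per run
    return alerts


def audit(log_text: str) -> Dict[str, list]:
    events = parse(log_text)
    return {"after_hours": after_hours_entries(events),
            "repeated_denials": repeated_denials(events)}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG).items():
        print(kind, items)
```

On the constructed export the audit reports one after-hours entry to the server room (badge 1042) and one burst of three refusals for badge 1077 within four minutes; the refusal the next morning falls outside the window and does not count. Neither result is proof of anything on its own, which is exactly why the book insists on a business process behind the logs: someone has to receive these findings and close them out.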
PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS
Protecting against external and environmental threats is a continuation of the same philosophy from the physical perimeter security control. Protecting your organization from natural or man-made disasters should be considered a primary and critical concern by any organization. Implementation guidance and examples are reviewed and described in the standard. The scope of this control should be part of the annual risk assessment an organization undergoes to evaluate the appropriate controls and safeguards required to uphold the integrity of the security policy and associated business requirements.
SECURE DISPOSAL OR REUSE OF EQUIPMENT
Computers and all types of devices house sensitive company data and information. Special care should be taken to properly remove all data before disposal or reuse in another capacity. There are many sources available to organizations to help them understand how to properly destroy data on media. This control must be part of the formal information security policy, and written procedures and supporting guidelines should also be developed and published.
DOCUMENTED OPERATING PROCEDURES
Having a clear set of operating procedures for all critical systems and applications within an organization is a huge task, even for smaller organizations. The intent of this control is to set the expectation that information security-related tasks and operations must also be included in the operating procedures. Special care must be taken to ensure that only authorized personnel have access to this information, as failure to do so could lead to a system or application compromise. In the implementation guidance section of the standard, several examples are provided that anyone can reference and use as a baseline to get started. The examples provided in the standard should not be used as the benchmark, only as a representative example of what should be included.
CHANGE MANAGEMENT
Controlling changes to information processing facilities is a logical request within any sized organization. The potential negative impact, regardless of the information security consequences, should drive the need and requirement for a formal change management process and system. A documented change management process can also serve as an audit log for information security in the event an unauthorized change is suspected. Part of change management is the assessment of potential impact to the organization. Information security representatives should be included in this assessment to ensure that a comprehensive impact analysis was conducted. As a general rule, the person requesting a change cannot approve the request.
SEGREGATION OF DUTIES
Segregation of duties has long been a recognized control to help minimize unauthorized changes or misuse of company assets. For organizations where segregation of duties is not possible or feasible, detailed audit logs should be designed and implemented and only audit personnel should have the ability to view or access the logs. Segregation of duties is a fundamental concept that should be applied across the board whenever possible, and compensating controls such as audit logging should be implemented in addition to, or in lieu of, this concept, as appropriate.
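The two preceding sections, change management and segregation of duties, come together in a single rule that can be enforced mechanically: the person requesting a change cannot approve it, an impact assessment with an information security sign-off must exist, and every decision, approved or rejected, lands in an audit log that cannot be quietly edited. The code below is an added example written for this discussion, not code from the book or from the standard; the ChangeRequest fields, the required reviewer role and the hash-chained log are my own construction.

```python
"""Enforce segregation of duties on change requests and keep a tamper-evident audit trail.

Added example, not from the book: the ChangeRequest fields, the required reviewer
role and the hash-chained log are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: roles that must have signed the impact assessment before approval.
REQUIRED_REVIEW_ROLES = {"information-security"}


@dataclass(frozen=True)
class ChangeRequest:
    change_id: str
    requester: str
    approver: Optional[str]
    impact_reviewers: Tuple[str, ...]  # roles that signed the impact assessment
    description: str


def validate_change(cr: ChangeRequest) -> List[str]:
    """Return the reasons the change may not proceed; an empty list means approved."""
    problems = []
    if cr.approver is None:
        problems.append("no approver recorded")
    elif cr.approver == cr.requester:
        problems.append("requester cannot approve their own change")
    missing = REQUIRED_REVIEW_ROLES - set(cr.impact_reviewers)
    if missing:
        problems.append("impact assessment missing sign-off from: " + ", ".join(sorted(missing)))
    return problems


class AuditLog:
    """Append-only log in which each entry's digest covers the previous digest,
    so altering or deleting an earlier entry makes verify() fail."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def process_change(cr: ChangeRequest, log: AuditLog) -> bool:
    """Validate, record the decision either way, and return whether it was approved."""
    problems = validate_change(cr)
    log.append({
        "change_id": cr.change_id,
        "requester": cr.requester,
        "approver": cr.approver,
        "decision": "approved" if not problems else "rejected",
        "problems": problems,
    })
    return not problems


if __name__ == "__main__":
    log = AuditLog()
    ok = ChangeRequest("CHG-1", "asmith", "bjones",
                       ("information-security", "operations"), "rotate TLS certificate")
    self_approved = ChangeRequest("CHG-2", "asmith", "asmith", ("operations",), "add firewall rule")
    print(process_change(ok, log), process_change(self_approved, log))
    print("log intact:", log.verify())
```

Rejected requests are logged as deliberately as approved ones, since a pattern of self-approval attempts is itself something an auditor wants to see. The hash chain is the compensating control the section describes: it does not stop an administrator from reading the log, but it does mean that an edited or dropped entry is detectable by the audit personnel who hold the last known digest.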
SYSTEM ACCEPTANCE
The concept of system acceptance as it relates to information security is critical, because it ensures that information security controls have been assessed and designed during the development phase of a new system or upgrade project before the system or application is implemented and promoted to production. System acceptance should be a part of normal business operations and not a stand-alone process. The most effective way to ensure that system acceptance occurs is to integrate it into existing processes and controls. Current research is beginning to validate that people rarely read stand-alone policies, procedures, or guidelines. This is why the approach of integrating the scope of this control into existing business operations is highly effective. The implementation guidance within the standard provides numerous examples of the types of elements to consider for formal acceptance prior to implementation.
CONTROLS AGAINST MALICIOUS CODE
With the proliferation of information systems and enterprise applications, it is logical to include controls against malicious code as a key risk indicator control. If an exploit were exercised in a networked environment without the appropriate controls deployed, rapid proliferation of the exploit is very possible and would likely devastate the operations of an organization. Guidance within the body of this control suggests that the focus be placed on detection and repair, and that the scope of this control be coupled with the information security awareness training program. A detailed list of items to consider within the malicious code area is presented and described in the implementation guidance section of the standard. Information security professionals and management should refer to these items to ensure that a holistic approach has been taken within the scope of their unique operations.

Layton, Timothy P. Information Security: Design, Implementation, Measurement, and Compliance, Auerbach Publishers, Incorporated, 2006. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=267956. Created from apus on 2025-04-18 02:44:51. Copyright © 2006. Auerbach Publishers, Incorporated. All rights reserved.
MANAGEMENT OF REMOVABLE MEDIA
Unsecured removable media has the potential to create significant risk for any organization. Because the media is likely small and transportable and often houses a large amount of data and information, a proper balance of controls must be implemented that is in alignment with the organization’s business requirements. Removable media typically includes backup tapes, CD-ROMs, DVDs, removable hard disks, USB flash drives, PCMCIA hard disks, etc. Controls ranging from technical safeguards (encryption, etc.) to management controls (authorization for movement process, etc.) should be developed and monitored to ensure compliance.
INFORMATION HANDLING PROCEDURES
Properly handling information is one of the best controls an organization can deploy to help protect against unauthorized disclosure or misuse. This control states that organizations should develop formal procedures for handling and storing information. These procedures should be developed in alignment with the classification guideline (7.2.1) and be integrated into normal business operations. Information can be housed and transported in many different forms, including logical and physical media (paper, voice, network, tape, etc.). All of the appropriate transport media should be identified and addressed within the operating procedures to ensure that the scope of the control is effectively implemented.
PHYSICAL MEDIA IN TRANSIT
In many cases, a breach of data and information occurs outside the direct control of the owner and organization. While media is in transit, for whatever purpose, controls should be designed, implemented, and monitored to ensure that the data and information is not misused, corrupted, or improperly accessed in any way. Several examples are provided in the implementation guidance section of the control.
ELECTRONIC COMMERCE
Data and information transported and transmitted over public networks require special controls to ensure the confidentiality, integrity, and availability of the data to its authorized users. These controls should involve all three types of controls (management, technical, operations), and each organization, based on a risk assessment, should develop and implement the appropriate balance of controls. Several examples ranging from encryption to data verification are included in the implementation guidance section of the standard. The examples provided within the standard should be considered not holistic criteria but rather typical examples that likely apply to most organizations. A formalized information security risk assessment will always yield the correct balance of controls for each unique environment and organization.
ACCESS CONTROL POLICY
Controlling access to data and information is one of the most difficult and critical series of controls an organization with sensitive data and information must design, implement, and monitor. The development of a formal policy is the framework for the development of associated procedures and guidelines. Controlling access to data, information, applications, and systems is a difficult task for any sized organization. The scope of how to accomplish this is outside the scope of this section, but several examples and guidelines are provided within the standard for review and consideration. Information security professionals and management should review the standard in detail to ensure that their risk assessment process contains all of the elements and variables that apply to their organization.
USER REGISTRATION
Having a formal and documented process for registering new user accounts and deleting existing ones for all information systems and applications is critical to uphold the integrity of the organization's information security posture. To ensure complete auditability, each user account must be unique and not shared by multiple individuals. Accounts should only have the access and rights appropriate for their role and function. An external party should audit and review system accounts on a regular basis to ensure that the integrity of this control is completely implemented.
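The regular account review the preceding paragraph calls for is mechanical enough to script. The block below is an added example for this chapter, not code from the book or the standard: it reads a constructed account export and flags the three conditions the text names, an account mapped to more than one person, rights beyond what the account's role permits, and an active account whose owner has left (the Removal of Access Rights control in Listing E). The role-to-rights table and the export columns are assumptions about what a real directory export would contain.

```python
"""Periodic user-account review (added example, not from the book).

Takes a constructed account export and flags the conditions the text calls
out: accounts shared by more than one person, rights beyond what the
account's role permits, and accounts whose owner has left. The
role-to-rights mapping and export format are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed: the rights each role is allowed to hold (least privilege).
ROLE_RIGHTS = {
    "developer": {"read_source", "write_source", "deploy_test"},
    "dba": {"read_db", "write_db", "backup_db"},
    "helpdesk": {"reset_password", "read_tickets"},
}

# Constructed account export: one row per (account, assigned person).
ACCOUNT_EXPORT = """\
account,owner,role,rights,owner_status
jsmith,Jane Smith,developer,read_source;write_source,active
dbadmin,Raj Patel,dba,read_db;write_db;backup_db,active
dbadmin,Li Wei,dba,read_db;write_db;backup_db,active
tjones,Tom Jones,helpdesk,reset_password;read_tickets;write_db,active
mold,Maria Old,developer,read_source,terminated
"""


def review_accounts(export_text: str) -> dict:
    """Return findings keyed by check name; each value is a sorted list."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    owners = defaultdict(set)
    findings = {"shared": set(), "excess_rights": set(), "orphaned": set()}

    for row in rows:
        acct = row["account"]
        owners[acct].add(row["owner"])
        rights = set(filter(None, row["rights"].split(";")))
        allowed = ROLE_RIGHTS.get(row["role"], set())
        # Rights not permitted by the role violate least privilege.
        for r in sorted(rights - allowed):
            findings["excess_rights"].add(f"{acct}:{r}")
        # An account that is still present after its owner left should
        # have been removed under the removal-of-access-rights control.
        if row["owner_status"] != "active":
            findings["orphaned"].add(acct)

    # An account mapped to more than one person cannot be tied to an
    # individual in the audit trail.
    for acct, people in owners.items():
        if len(people) > 1:
            findings["shared"].add(acct)

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for check, items in review_accounts(ACCOUNT_EXPORT).items():
        print(f"{check}: {items}")
```

Each finding maps back to a sentence in the control: `shared` to uniqueness and auditability, `excess_rights` to role-appropriate access, `orphaned` to the deletion half of the registration process. Running the same review against a fresh export on a schedule, by someone other than the administrators who grant the rights, is what the text means by an independent periodic audit.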
SEGREGATION IN NETWORKS
One of the primary objectives in the defense-in-depth principle is to contain risks and separate as many risk elements as possible. Within the high-tech world of internetworks, it is increasingly difficult to separate systems, applications, networks, resources, etc. into small and manageable segments. The scope and intent of this control is to separate networks into smaller segments and apply a graduated set of controls within each domain. Whenever possible, an organization should design and support the segregation of its networks, and have a clear distinction and separation between its public and private networks.
TELEWORKING
Remote or mobile working and telecommuting is becoming more common for many organizations. For those organizations that deploy and support mobile workers, a clear policy and set of procedures should be developed and implemented to ensure that the integrity of the organization's security posture is maintained. Issues ranging from theft of remote equipment to system or identity spoofing are a concern for executive management. A series of technical and operational controls must be considered and ultimately implemented to protect the organization and its assets. Several examples and guidance are provided in the standard, and a risk assessment should guide the design and deployment of controls.
SECURITY REQUIREMENTS ANALYSIS AND SPECIFICATION
During the initial planning of new information systems or of upgrades to existing ones, control 12.1.1 outlines the need to specify information security requirements and controls at this stage, as opposed to adding information security as a post-process. Incorporating information security into existing business processes is a time-consuming task and could take years for large organizations. It is difficult to change environments, behaviors, and attitudes even in the smallest organizations. The onslaught of reported information security incidents in 2005 should help provide the leverage and motivation some organizations need to start implementing information security now as opposed to later.
POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
The use of cryptography as a technical control is mandatory in some industries and considered best practice for others. Encryption is the type of control that has no other replacement. In other words, if it is needed or required, compensating controls will not likely address the requirement.
Defining the requirement or understanding when the use of this type of control is necessary can be difficult in some cases, but in others it is easy and straightforward. For example, if a publicly traded financial institution is using a third-party vendor to process and transmit confidential client data over the Internet, the requirement for encryption is mandated by law and by regulation. The information security policy should provide clear direction in this area, and it should be a part of the information security awareness and training program. A set of procedures and guidelines would help staff and stakeholders implement encryption within the intended scope.
PROTECTION OF SYSTEM TEST DATA
Test data must be treated with the same rigor as production data. The same controls implemented to protect and safeguard production data should be implemented for test data. Control 12.4.2 points out that the selection of test data should be a careful and diligent process. Using production data containing personal or private information should be avoided at all costs. If this is not possible, a series of procedures and guidelines should be developed and used by applicable users to ensure the protection and integrity of the data and information. The implementation guidance provided in the standard has a series of elements to consider if sensitive data is used as test data.
CONTROL OF TECHNICAL VULNERABILITIES
Technical vulnerabilities exist in literally every system, application, and host. The process of applying security patches to eliminate identified vulnerabilities should be a top priority for organizations. If the vulnerability does not exist, the threat of this vulnerability being exploited has been eliminated. All assets must be identified to know whether they require patching or updating. Detailed guidance and procedures should be developed and provided to all staff members responsible for system maintenance and updating. Several items should be considered for implementation within the scope of this control; they are included in the implementation guidance section of the standard.
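The sentence "all assets must be identified to know whether they require patching" describes a reconciliation: the asset inventory on one side, patch scan results on the other. The block below is an added example for this chapter, not code from the book or the standard, showing that reconciliation on constructed data. The host names, the package and its versions, and the minimum required version are all invented; the scan line format (`host package version`, with `-` for an unreachable host) is an assumption standing in for whatever a real scanner emits.

```python
"""Reconcile asset inventory with patch scan results (added example).

Constructed illustration, not code from the book or the standard. Every
asset must be identified before you can know whether it needs patching:
hosts seen by the scanner but missing from the inventory are unmanaged,
inventoried hosts the scanner never reached are unverified or unreachable,
and reachable hosts below the required package version are unpatched.
Inventory, scan output and version data are invented.
"""
import re

# Constructed inventory of known assets: host -> owning team.
INVENTORY = {"web01": "platform", "web02": "platform",
             "db01": "data", "vpn01": "network"}

# Constructed scan output: host, package, installed version ("-" if unreachable).
SCAN = """\
web01 openssl 3.0.8
web02 openssl 3.0.13
db01 openssl -
lab77 openssl 1.1.1
"""

# Constructed minimum acceptable version per package.
REQUIRED = {"openssl": "3.0.10"}


def parse_version(v: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically.

    Comparing as strings would wrongly rank '3.0.8' above '3.0.10'.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def reconcile(inventory: dict, scan_text: str, required: dict) -> dict:
    """Return findings keyed by category; each value is a sorted list."""
    seen = set()
    findings = {"unmanaged": [], "unpatched": [], "unreachable": []}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = line.split()
        seen.add(host)
        if host not in inventory:
            findings["unmanaged"].append(host)      # an asset nobody owns
            continue
        if ver == "-":
            findings["unreachable"].append(host)    # inventoried but not assessed
        elif pkg in required and parse_version(ver) < parse_version(required[pkg]):
            findings["unpatched"].append(f"{host}:{pkg}={ver}")
    # Inventoried hosts the scan never mentioned at all.
    findings["unverified"] = sorted(set(inventory) - seen)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY, SCAN, REQUIRED).items():
        print(f"{category}: {hosts}")
```

The unpatched list is the obvious output, but the other three categories are the ones the paragraph is really about: an unmanaged host has no owner to patch it, and an unreachable or unverified host has a patch status nobody can vouch for. A patching program that reports only the first category will look healthier than it is.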
REPORTING INFORMATION SECURITY EVENTS
Information security events have the potential to be information security incidents if not handled properly and appropriately. Organizations should develop and publish procedures and processes to enable quick reporting and containment of potential incidents. All users should know whom to contact in the event of a suspicious or obvious security incident. Information security event identification and reporting procedures are good candidates to include in the information security awareness and training program. The Reporting Information Security Events implementation guidance provides a series of very good examples that every organization should consider when developing the scope of its security reporting and incident management program. Depending on the organization, industry, and possible unique requirements, reporting information security events can take on many different meanings and directions. For some organizations, reporting security events is simply good business practice; in other organizations, it can have serious legal or regulatory implications.
INCLUDING INFORMATION SECURITY IN THE BUSINESS CONTINUITY PROCESS
In a time of crisis, it is very easy for professionals and organizations to cut corners and overlook prudent information security controls and safeguards. After an organization has activated its disaster recovery plan and recovered or relocated its information systems, the business continuity plan must be enabled and activated. It is critical that information security controls are carried over from the production system's environment to the recovered environment. These controls can range the entire scope of the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. Information security personnel should be included in the planning and testing of disaster recovery and business continuity processes and plans. The implementation guidance section within the standard provides a lot of good information and guidance that should be considered by almost every organization.
IDENTIFICATION OF APPLICABLE LEGISLATION
It is the responsibility of executive management to identify all statutory, regulatory, legal, and contractual requirements and their approach for compliance. In many cases, information security is an integral part of compliance. At a minimum, a complete and thorough assessment and review of the 133 ISO/IEC 17799:2005 (27002) controls provides a platform for information security and executive management to understand the scope of their information security controls and the state of their controls. The information security policy should document and account for the entire scope of an organization's requirements. Information security policy statements should clearly define the scope of requirements.
DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION
The protection and safeguarding of personal information is required by legislation and regulation for many organizations. For organizations not bound by regulations and laws, it is considered best practice and ethically a good business decision to safeguard and protect personal information. A documented data protection and privacy policy should be developed, published, and communicated throughout the organization. The compromise of personal or private information can have serious and negative consequences, leading to the complete downfall of an organization. Many different resources from executive management, legal, human resources, information security, and other areas within the organization should be involved in the identification of data protection and privacy requirements to ensure accuracy and applicability.
TECHNICAL COMPLIANCE CHECKING
Information systems, including hardware, operating systems, and applications, possess a wide array of vulnerabilities. It becomes dangerous when these vulnerabilities are matched with relevant threats. These information systems should be tested for known vulnerabilities, and appropriate actions should be taken to reduce or eliminate the identified vulnerabilities as quickly as possible. Compliance checking should be carried out by unbiased technical experts to help ensure accuracy and a full report.
REFERENCES
ISO/IEC 17799:2005 Information Technology — Security Techniques — Code of Practice for Information Security Management, International Organization for Standardization, 2005.