Hardware and Software Security



Similar documents
Central Agency for Information Technology

Did you know your security solution can help with PCI compliance too?

Data Management Policies. Sage ERP Online

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Security aspects of e-tailing. Chapter 7

74% 96 Action Items. Compliance

CITY OF BOULDER *** POLICIES AND PROCEDURES

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Introduction. PCI DSS Overview

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Technical Standards for Information Security Measures for the Central Government Computer Systems

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Technology Cyber Security Policy

PCI DSS Requirements - Security Controls and Processes

INSTANT MESSAGING SECURITY

AASTMT Acceptable Use Policy

System Security Policy Management: Advanced Audit Tasks

Network Security Guidelines. e-governance

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Driving Company Security is Challenging. Centralized Management Makes it Simple.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

REGION 19 HEAD START. Acceptable Use Policy

University System of Maryland University of Maryland, College Park Division of Information Technology

Enterprise K12 Network Security Policy

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Global Partner Management Notice

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Cyber Essentials Scheme

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Security Management. Keeping the IT Security Administrator Busy

13. Acceptable Use Policy

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

March

Information Technology Branch Access Control Technical Standard

Information security controls. Briefing for clients on Experian information security controls

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Best Practices For Department Server and Enterprise System Checklist

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Fundamentals of Network Security - Theory and Practice-

GFI White Paper PCI-DSS compliance and GFI Software products

Remote Deposit Terms of Use and Procedures

How To Protect A Network From Attack From A Hacker (Hbss)

DHHS Information Technology (IT) Access Control Standard

Supplier Information Security Addendum for GE Restricted Data

IBX Business Network Platform Information Security Controls Document Classification [Public]

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Weighted Total Mark. Weighted Exam Mark

ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Estate Agents Authority

Basics of Internet Security

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Aadhaar. Security Policy & Framework for UIDAI Authentication. Version 1.0. Unique Identification Authority of India (UIDAI)

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

Guidelines for Account Management and Effective Usage

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Achieving PCI-Compliance through Cyberoam

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Supplier Security Assessment Questionnaire

How To Use A College Computer System Safely

Industrial Security for Process Automation

Payment Card Industry Self-Assessment Questionnaire

Locking down a Hitachi ID Suite server

Cisco Advanced Services for Network Security

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Internet & Cell Phone Usage Policy

PC Security and Maintenance

Mailwall Remote Features Tour Datasheet

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Remote Services. Managing Open Systems with Remote Services

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

3. Are employees set as Administrator level on their workstations? a. Yes, if it is necessary for their work. b. Yes. c. No.

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

SANS Top 20 Critical Controls for Effective Cyber Defense

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

Consensus Policy Resource Community. Lab Security Policy

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Airtel PC Secure Trouble Shooting Guide

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

Transcription:

Today, with the big advancement of technology and the need to share data globally at all time. Security has become one of the most important topics when we talk about data sharing. This means that the more secure and reliable the product is the bigger asset it represents. Hardware and Software Security From theory to practice DaQuan Stevens, Esteban Proano, Salem Alzaabi

Table of Contents INTRODUCTION... 3 IT GOVERNANCE... 3 Organizational Structure... 3 Roles and Responsibilities... 4 Strategic Planning... 4 Policy... 4 Compliance... 4 Risk Management... 4 Measuring and Reporting Performance... 4 SECURITY MEASUREMENTS... 4 Access Control... 4 Confidentiality... 4 Authentication... 4 Integrity... 4 Non repudiation... 4 Security policies implemented by Information Security in Abu Dhabi Police... 4 Departments of Information Technology and Telecom... 4 Information Security Division... 5 These policies have been applied as follows;... 5 ACCESS CONTROL POLICY... 5 Objective:... 5 Scope:... 5 ACCESS CONTROL:... 6 End-user Access Control Policy:... 6 CRYPTOGRAPHIC USAGE POLICY... 6 Objective:... 6 Encryption requirements:... 6 Encryption Controls:... 6 Cryptographic keys shall be:... 7

EMAIL SECURITY POLICY... 7 Objective:... 7 Acceptable Email Usage:... 7 Automated emails:... 7 Email Security Controls:... 8 Email Account Auditing... 8 MALICIOUS CODE PREVENTION POLICY... 8 Objective:... 8 Scope:... 8 Fit for Purpose Anti Malicious Code Infrastructure:... 8 Deployment of Anti Virus and Personal Firewalls:... 8 Scanning Inbound and Outbound Traffic:... 9 Virus Signature Updates:... 9 Systems Hardening and Patching:... 9 Notification of Users:... 9 User Responsibilities:... 9 PASSWORD SECURITY POLICY... 9 Objective:... 9 Scope:... 10 This policy applies to:... 10 Passwords Policy:... 10 Baseline Password Policy:... 10 REFERENCES... 11

INTRODUCTION Hardware and software Security represent a big challenge on the current trend of technology, most of the systems used these days handle critical information from clients with complete transparency to the user. This means that were the data is stored, how is being transmitted and who has access to it is beyond the control of the user. Hardware security is usually seen as the most basic feature of security, it is basically the physical devices that take care of security of a networking system. Then how a business is supposed to structure their network in order to be able to provide a secure service or provide security to themselves. Where severs should be located and how data should be handled. These common issues have been handled by security polices design by groups of big corporations and governments. Record management is one of the big topics together with information governance. These two describe how policies and regulations have been made to ensure some type of standard is used throughout the world. Records are information assets and hold value for the organization. Organizations have a duty to all stakeholders to manage them effectively in order to maximize profit, control cost, and ensure the vitality of the organization. Effective records management ensures that the information needed is retrievable, authentic, and accurate [8]. Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking s importance, but they need some help in understanding how to tackle it. When developing a secure network, the following need to be considered [1]: 1. Access Control authorized users are provided the means to communicate to and from a particular network. 2. Confidentiality Information in the network remains private 3. Authentication- Ensure the users of the network are who they say they are 4. Integrity Ensure the message has not been modified in transit. 5. Non repudiation Ensure the user does not refute that he used the network IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). This system delegates responsibilities to the right person, states who makes decisions and who is accountable Combining governance and these security steps corporations can build a secure network and secure their assets. For our paper we will describe them and show how an implementation has been done on a corporation. IT GOVERNANCE Organizational Structure

Roles and Responsibilities Strategic Planning Policy Compliance Risk Management Measuring and Reporting Performance SECURITY MEASUREMENTS Access Control Confidentiality Authentication Integrity Non repudiation Security policies implemented by Information Security in Abu Dhabi Police Abu Dhabi Police is General Head Quarters & follows the structure of the Ministry of Interior of United Arab Emirates. Abu Dhabi police duties includes providing the security for Abu Dhabi city ( the capital of UAE) and Abu Dhabi, two major cities that are represented in the union of seven state (Abu Dhabi, Dubai, Sharjah, Umm-al-Quwain, Ajman, Ras Al Khaima and Fujaira. Departments of Information Technology and Telecom In brief words, Abu Dhabi Police GHQ contains many of sub departments including the department of Information Technology & Telecom which in turn contains number of subdivisions including Information Security Division.

Information Security Division The Information Security Division has the responsibility of protecting (system, application, network, users), policy formulation (which provides sufficient awareness and protection from improper use of the technology), audit and monitoring, & implementation of rules and regulation that relate to the information security. This also includes updating the policies and information permanently and continuously to achieve the public interest of the organization. These policies have been applied as follows; ACCESS CONTROL POLICY ASSET CLASSIFICATION POLICY CHANGE MANAGEMENT POLICY COMMUNICATION AND OPERATION POLICY COMPLIANCE POLICY CONFIGURATION MANAGEMENT POLICY CRYPTOGRAPHIC USAGE POLICY EMAIL SECURITY POLICY HANDHELD AND PDA DEVICE SECURITY POLICY INFORMATION EXCHANGE and MEDIA HANDLING POLICY (IS) s ACCEPTABLE USAGE POLICY INTERNET SECURITY POLICY LICENSE MANAGEMENT POLICY MALICIOUS CODE PREVENTION POLICY NETWORK SECURITY POLICY PASSWORD SECURITY POLICY PERSONNEL SECURITY POLICY PHYSICAL AND ENVIRONMENTAL SECURITY POLICY SECURITY AWARENESS POLICY SECURITY OF THIRD PARTY ACCESS POLICY In this paper I will be addressing some of these policies, which are in the heart of the subject, and I m going to select certain points where it cast light on the main points and summarize its content. Objective: Scope: ACCESS CONTROL POLICY The objective of this policy is to control user s access and business processes based on business requirements and security requirements and provide (the information resources) an acceptable level of protection at Abu Dhabi Police (ADP). The scope of this policy with associated procedures covers all the (IS) s environments managed by ADP.

ACCESS CONTROL: User access to the information resources of ADP will be based on business requirements and specific job responsibilities of the individuals accessing the system and maintaining the infrastructure, software and hardware. All Systems should have a user access lifecycle. Roles and privileges should be created with the privileges needed for the user. User access to information must be controlled base on business requirements and security requirements. User access to ADP (IS) s must be audited to make sure the access of the users is appropriate. All Operating Systems and Application must login with a user ID and password. Without entering user ID and password, login must terminate. All Equipment on the ADP network must be identified, registered and authorized. End-user Access Control Policy: All users of the ADP (IS) s should have a unique ID to identify an individual user. End users should be presented with a statement of their access rights and required to acknowledge. Systems should be configured to remove or disable user accounts after a defined period of inactivity. End-users accounts must be approved by the System Owners before being created and enabled. If an End-user changes his/her roles within the ADP, their access rights shall be reviewed to ensure they are appropriate. Objective: CRYPTOGRAPHIC USAGE POLICY Protect the confidentiality, authenticity and integrity of information being stored or transmitted. Cryptographic systems are used for the protection of information that is considered as sensitive information. Encryption requirements: Risk assessment of the business need. Business owner should ensure that the requirements of encryption are reviewed and approved by the ADP Information Security team and ADP IT team. ADP Information Security team should establish encryption standards for application security, WLAN, file encryption on the basis of the Information System risks. ADP should implement the encryption standards as per the business requirements. Encryption Controls: Data transferred through WAN between ADP and its Stakeholders via internet should be adequately protected with suitable encryption.

Based on business requirements, confidential emails shall be encrypted before sending the same to recipients. On basis of business requirements, confidential data should be stored encrypted if necessary. Any IT system utilizing encryption for protection of confidentiality of information must be implemented based on approval from ADP Information Security. Depending on the business requirements, the asset (information) owner and ADP Security team shall decide a mutually acceptable encryption methodology for protecting identified critical and sensitive business information. Cryptographic keys shall be: Provide adequately protected against unauthorized access. ADP Information Security team should have to defined type and quality of encryption algorithm used. Digital certificates based on public key infrastructure solutions should be implemented for identified critical applications. ADP Staff should be accountable and responsible for the transactions and safe maintenance of the digital certificates. ADP Internal Network should have the ability to issue or revoke digital certificates. Objective: EMAIL SECURITY POLICY To define an acceptable use of ADP email infrastructure and protect the security of information exchanged over emails. Acceptable Email Usage: Access to the email service of ADP will be on basis of business requirements and specific job responsibilities of the individuals. All Administrative accounts used for managing the email servers should follow to the ADP Password policy. All email User accounts should follow to the ADP Password policy. User Account creation should follow a formal approval process. Emails from shared accounts should not be routable outside of the ADP network boundary. Users must not initiate or forward chain emails from ADP email addresses. Spam emails must be reported immediately to ADP Information Security Department through ADP Helpdesk. Spoofing and Anonymous is strictly forbidden. Automated emails: Application generated emails must use separate mail infrastructure to ADP users. Email Service Accounts used for applications must not be interactive and should follow the ADP Password Policy.

Email Security Controls: Only approved ADP mail infrastructure shall be in place, using unauthorized mail relays on the ADP network is explicitly forbidden. Public, private key infrastructure shall be used for encrypting emails. All email servers shall have a security appliance (Spam Filters, AV Scanners). Blocking of suspicious emails shall be performed, with a release process being enabled for legitimate business use mails. Email Account Auditing All official emails shall remain the property of ADP. Emails shall be reviewed, monitored, logged with or without the user s knowledge for review against the ADP security policies. MALICIOUS CODE PREVENTION POLICY Objective: The objective of this policy is to describe the requirements for the deployment and use of antivirus software and desktop protection controls on ADP computers to protect electronic information resources within Abu Dhabi Police (ADP) against malicious code attacks. Scope: All IT systems and electronic information assets that they contain, that are leased, procured, received, owned, utilized, hosted and/or produced by ADP are covered within the scope of this policy. Fit for Purpose Anti Malicious Code Infrastructure: ADP Management are aware of the importance of preventing network and system disruptions caused by malicious codes such as viruses, worm, Trojan horse etc. and are determined to provide sufficient resources to develop and maintain an anti malicious code structure to prevent any malicious attack. The Antivirus infrastructure should be the primary method of control within ADP in preventing disruptions from malicious code. ADP IT team must ensure the antivirus infrastructure is fit for purpose through adoption of leading practice principles for malicious code prevention. Deployment of Anti Virus and Personal Firewalls: All ADP assets such as servers and PCs and workstations should have antivirus application running the current antivirus signatures. All PCs and workstations used for accessing production systems should have a personal firewall installed. ADP IT team should ensure the antivirus definition is kept up-to-date through an automated distribution process within ADP. If a system is too old to use the latest antivirus engine and signatures, it shall be investigated for possible replacement, and mitigating controls used until replaced.

ADP Staff systems (desktops, workstations) used for such external system access must have the latest antivirus update and personal firewall installed. Scanning Inbound and Outbound Traffic: All Internet traffic coming to and going from Abu Dhabi Police network must pass through dedicated servers and other network devices that perform a Virus-scanning functionality. The email server shall quarantine suspicious e-mail and attachments to an isolated storage space for and action review by ADP IT team and release to users. Virus Signature Updates: On daily basis, all virus scanning programs on all systems must be enabled to automatically check the latest update for the antivirus program. To ensure coverage and consistent update of antivirus software, all IT systems within ADP must be registered with a centralized domain at ADP. Systems Hardening and Patching: ADP Information Security team and ADP IT team must establish an IT infrastructure patching and a patch management distribution to ensure consistent update of patches for all IT assets within ADP. ADP Information Security team must perform periodic audits to review the implementation of minimum security baseline and patch management. Notification of Users: ADP Information Security team should attempt to notify all ADP employees of possible virus threats through email, SMS or suitable channels. ADP IT must establish suitable mechanisms to send notification alerts automatically to all ADP employees. Employees should not refer or forward virus warning till specified by Security team. User Responsibilities: ADP Staff should ignore unexpected email attachments, even from colleagues or from suspicious or unknown source. ADP Staff s should not download any freeware or shareware without approval from ADP IT department. ADP Staff should not install direct internet access without the approval from ADP Information Security team. PASSWORD SECURITY POLICY Objective: The objective of the password policy is to set up a standard for the creating and managing strong passwords including its protection.

Scope: The scope of this policy together with associated procedures covers all the (IS) s environments managed by ADP. This policy applies to: ADP Employees, including System Administrators and End users. Employees of temporary employment agencies. Business partners, vendors and agents. Passwords Policy: Passwords are an integral aspect of information security. It s the first layer of protection for the user accounts. A weakly chosen password will result in the compromise of ADP s applications and entire network. All users of ADP s (IS) s are responsible for securing and selecting their passwords. Baseline Password Policy: All ADP s (IS) s have to have identification and authentication through pass-phrases, one-time passwords or similar password to permitting user access. Passwords must be considered as confidential and must not be revealed to anyone, except in accordance with ADP s management of password procedure for protection of passwords. Users are liable and responsible for all actions, including transactions, communication on ADP s (IS) s, use of their ID s and passwords. Screen saver password must be enabled by Users (if it s not applied by group policy) on their own PC s to prevent unauthorized access. Critical System passwords must be changed immediately, whenever the employee terminated or leaves ADP.

REFERENCES [1] Dowd, P.W.; McHenry, J.T., "Network security: it's time to take it seriously," Computer, vol.31, no.9, pp.24 28, Sep 1998 [2] Security Overview, www.redhat.com/docs/manuals/enterprise/rhel 4 Manual/securityguide/ch sgs ov.html. [3] http://www.networkworld.com/news/2011/030311-security-roundup.html [4] IT Governance What is It and Why is It Important? By Doug Shuptar, Published on May 7, 2012 [5] Donald G; Mohnish P; Uday P; Methodology for Network SecurityDesign,1990 [6] Marin, G.A. ; Florida Inst. of Technol., Network security basics,volume 3, Issue 6 [7] Rahul Telang; Wattal, S. "An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price", Software Engineering, IEEE Transactions on, 557 Volume: 33, Issue: 8, Aug. 2007 [8] Chess, B.; Arkin, B. "Software Security in Practice", Security & Privacy, IEEE, On page(s): 89-92 Volume: 9, Issue: 2, March-April 2011 [9] Schneier, Bruce. Applied Cryptography Protocols, Algorithms, and Source Code in C, Second Edition. New York: Wiley, 1995. Print. [10] Pfleeger, Charles P., and Shari L. Pfleeger. Security in Computing. 4th ed. New Jersey: Prentice Hall, 2006. Print. 0-13-239077-9. [11] Ciampa, Mark D. "Introduction to Security." Security Guide to Network Security Fundamentals. Boston, MA.: Course Technology/ Cengage Learning, 2009. N. pag. Print. [12] "Abu Dhabi Police Structure." Abu Dhabi Police GHQ. UAE Government, n.d. Web. 21 Nov. 2013.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information