Countering and reducing ICT security risks 1. Physical and environmental risks



Similar documents
BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Stable and Secure Network Infrastructure Benchmarks

How To Protect Decd Information From Harm

Protection of Computer Data and Software

USB flash drive (128MB,256MB,512MB,1GB,2GB,4GB)

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Cyber Security Awareness

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Grasmere Primary School Asset Management Policy

Information Technology Security Procedures

Infocomm Sec rity is incomplete without U Be aware,

Cyber Security Awareness

HIPAA RISK ASSESSMENT

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Business Internet Banking / Cash Management Fraud Prevention Best Practices

Business ebanking Fraud Prevention Best Practices

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

Network Documentation Checklist

BACKUP STRATEGY AND DISASTER RECOVERY POLICY STATEMENT

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

NAZARETH CATHOLIC COLLEGE 1-1 LAPTOP PROGRAM Policies & Procedures. (March 2012)

Complete Managed Services. Proposal for managed services for the City of Tontitown

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Backup & Disaster Recovery Options

A Guide to Information Technology Security in Trinity College Dublin

Chapter 8: Security Measures Test your knowledge

NETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL.

TECHNICAL SECURITY AND DATA BACKUP POLICY

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

NETWORK AND INTERNET SECURITY POLICY STATEMENT

Network and Workstation Acceptable Use Policy

Best Practices For Department Server and Enterprise System Checklist

Cloud Computing. Chapter 10 Disaster Recovery and Business Continuity and the Cloud

HIPAA Security Training Manual

Top tips for improved network security

National Cyber Security Month 2015: Daily Security Awareness Tips

Chapter 15: Computer Security and Privacy

Data Security 2. Implement Network Controls

The Ministry of Information & Communication Technology MICT

Course: Information Security Management in e-governance

Guardian365. Managed IT Support Services Suite

Policy Document. Communications and Operation Management Policy

Birkenhead Sixth Form College IT Disaster Recovery Plan

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

ONE-2-ONE LEARNING LAPTOP PROGRAM 2011

Information Security

Guideline to Back Up Your Computer And Important Files

LAW OFFICE SECURITY for Small Firms and Sole Practitioners. Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Secure Your Mobile Workplace

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Section 12 MUST BE COMPLETED BY: 4/22

Certified Secure Computer User

EZblue BusinessServer The All - In - One Server For Your Home And Business

Backing up Data. You have lots of different options for backing up data, different methods offer different protection.

Best Practices Guide to Electronic Banking

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Seagate Business Storage 1-Bay, 2-Bay, and 4-Bay NAS User Guide

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

ANTI-VIRUS POLICY OCIO TABLE OF CONTENTS


SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

POLICY NAME IT DISASTER RECOVERY POLICY AND PLAN POLICY NUMBER POLICY FILE REFERENCE 3/3/6 DATE OF ADOPTION REVIEW OR AMENDMENT DATES

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

INFORMATION SECURITY PROGRAM

THIS SERVICE LEVEL AGREEMENT DEFINES THE SERVICE LEVELS PROVIDED TO YOU BY THE COMPANY ( Exchange My Mail ).

Open Source and License Source Information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Cyber Self Assessment

Chapter 15: Computer and Network Security

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Information Security Policy. Policy and Procedures

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

High Speed Internet - User Guide. Welcome to. your world.

ICT Disaster Recovery Plan

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Supplier Security Assessment Questionnaire

Dublin Institute of Technology IT Security Policy

Version: 2.0. Effective From: 28/11/2014

ScoMIS Encryption Service

Cyber Security Best Practices

Transcription:

Countering and reducing ICT security risks 1. Physical and environmental risks 1. Physical and environmental risks Theft of equipment from staff areas and Theft of equipment from public areas Theft of equipment off the premises (e.g. laptops) Fire! Flood Power Surge / Outage Loss of back up media Reducing the Risk Insurance (applies to all topics) Physically locking down with cables etc Record serial numbers Burglar alarm/bars, window locks General office security, know who s on site etc Marking equipment (Selectamark) and rota for locking up Lockable cabinets Monitoring Cameras Check insurance coverage for offsite Staff awareness Usage policy Password protection Lock in secure cabinet when in office Do you really need to use the laptop or can you just take data with you on memory pen, CDR? Sign in and out procedure Good backup policy for equipment use Fire alarms/extinguishers (ensure staff know which type of extinguishers to use on electrical equipment) Sprinklers (ensure critical equipment cannot be affected by water damage) Portable appliance testing (reduce risk of electrical fires) Don t leave equipment on standby Fireproof safe important documentation Keep equipment away from water sources (pipes etc) Raise equipment off ground Flood rescue policy or disaster policy UPS (Uninterruptible Power Supply) on important equipment (servers, router, switches etc) Surge protection/circuit breakers on other equipment Don t plug high powered equipment into extension leads with computing equipment on them e.g. heaters etc Fireproof safe Copies offsite Multiple back ups (don t rely on one tape/cdr/dvd) Check back up is working and that can restore Backup policy and routine to be adhered to 1

2. Data Risks 2. Data risks Reducing the risk Files being deleted accidentally Files being deleted maliciously [e.g. by discontented staff (or exstaff) ] Files being corrupted or infected by viruses Files being viewed by unauthorised staff Users installing unlicensed (or unapproved) software Database alterations by unauthorised staff Data being viewed by contractors Loss of data on mobile devices e.g. memory keys, CDRs, Portable Hard drives, floppy disks Technical support staff having full remote access rights to systems Unauthorised use of server administrator password Regular backup and restoration check (applies to most topics) Backup policy (ditto) Staff training and awareness (ditto) Passwords/restrictions Read only folders Training and induction for staff Folder permissions Account management (change passwords) Contracts and policy Anti virus (install, run, update automatically & check) Firewall updates Disk maintenance Staff awareness of virus activity and suspicious emails Permissions Log on screen savers, lock workstation when away from desk Acceptable use policy Group policies Block download access through firewall Management of licences/software media resources etc Operating system tweaks Passwords on database access Access restrictions Configurable permissions for users e.g. read only etc. and training Confidentiality policy/agreements Contract Don t put anything important or irreplaceable on mobile devices Security programs Thumb print recognition Don t use as whole-system back up devices Confidentiality policy/agreement Use of web based support tools which request rather than permanently open access Change password if changing company Only key users to know this Confidentiality policy/agreement 2

3. Breakdowns and Maintenance Risks 3. Breakdowns and maintenance (PCs and Servers combined) Hard drive crashing or dying risk of data loss Power supply dying Memory failing Other failures- motherboards, drives, graphics cards etc. Operating system (OS) unsupported (e.g. Windows 95, 98, NT Workstation, NT Server) Potential security risks through operating system not being updated Reducing the risk PC and server warranties (applies to all topics) Plan ahead financially and strategically (ditto) Tech support and Service Level Agreement (SLA) (ditto) Regular maintenance (policy issue) Spare disc/redundancy/raid (Redundant Array of Independent Disks) on server Back up Don t keep important stuff on PC drives if have server Surge protectors on PCs UPS (Uninterruptible Power Supply) on server and critical PCs Redundant power supply on server Check event logs for errors Replace hardware as policy As above Data recovery costs (high!) Upgrade to supported OS If can t then ensure firewall etc. is secure Download and install automatic updates Service packs Check updates are being applied 3

4. Network Security Risks 4. Network security Risks Reducing the risk No log on passwords issue Set up and change regularly! Use unusual/varied passwords not names, postcodes etc Complex server password Set up on server for agreed period (e.g. 3 months) Server being used for spam relaying Unsecured wireless network Staff able to plug in unsecured USB (Universal Serial Bus) devices No passwords (or defaults being used) on routers and firewalls Firewall Maintain firewall Set WEP (Wireless Encryption Protocol) security (as minimum) Consider cabling? Secure SSID (Service Set Identifier) broadcasts (change name of SSID from default) Block USB ports/cdrom/floppy Scan any media plugged in using security monitoring program (large orgs only) Password protect / change password from default 4

5. Internet Use Risks 5. Internet Use Risks Reducing the risk Email used for sending confidential information Pop-ups and browser hijacks (malicious software installs and takes over your web browser) Spam Phishing attacks (directing you to fake websites that try to steal information such as credit card numbers) Online purchasing of personal items Visiting unsecured or offensive sites MSN Messenger for personal or unauthorised use Downloading and installing programs/toolbars from unknown sources Downloading of copyrighted music and video files through files sharing sites ( torrent, Peer to Peer) Website hosting is insecure Email/Internet (applies to many topics below) Encryption/digital signature/ certification Use alternatives such as fax or post Password-protect documents Use alternative browser such as Firefox Pop up blocker Anti-spyware programs install, run regularly and update Anti-spam software Don t publish easily harvestable addresses on website Don t send mail to multiple /awareness by staff Anti-spam software Blocking of secure sites (firewall) Blocking through use of software or online service Request invoices for good rather than using credit cards Blocking through use of software or online service Can be blocked on firewall but can also be got around due to behaviour of MSN General awareness Check hosts Service Level Agreement etc. For an explanation of any unfamiliar terms try the ICT Hub Knowledgebase Glossary Copyright 2006 Superhighways Partnership and Lasa Information Systems Team This work is licensed under a Creative Commons Attribution- NonCommercial-NoDerivs 2.0 UK: England & Wales License. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information