SECURITY ORGANISATION Security Awareness and the Five Aspects of Security



Similar documents
Acceptable Use of Information Systems Standard. Guidance for all staff

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Newcastle University Information Security Procedures Version 3

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

UNIVERSITY GUIDEBOOK. Title of Policy: Acceptable Use of University Technology Resources

13. Acceptable Use Policy

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Estate Agents Authority

FINAL May Guideline on Security Systems for Safeguarding Customer Information

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

Third Party Security Requirements Policy

Administrative Procedures Manual. Management Information Services

Information Security Code of Conduct

Information Security Policy

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

University of Aberdeen Information Security Policy

Service Children s Education

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Service Schedule for Business Lite powered by Microsoft Office 365

REMOTE WORKING POLICY

Sample Policies for Internet Use, and Computer Screensavers

Security aspects of e-tailing. Chapter 7

Information Resources Security Guidelines

Network Security Policy

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

PRAIRIE SPIRIT SCHOOL DIVISION NO. 206, BOX 809, 121 KLASSEN STREET EAST, WARMAN, SK S0K 4S0 -- PHONE: (306)

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

Regulations on Information Systems Security. I. General Provisions

Central Agency for Information Technology

AASTMT Acceptable Use Policy

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Consensus Policy Resource Community. Lab Security Policy

How To Protect Decd Information From Harm

Top tips for improved network security

APHIS INTERNET USE AND SECURITY POLICY

Information Technology Cyber Security Policy

Inspection of Encrypted HTTPS Traffic

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Information Security Management. Audit Check List

Wellesley College Written Information Security Program

ISO27001 Controls and Objectives

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

ISO Controls and Objectives

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

plantemoran.com What School Personnel Administrators Need to know

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_ Effective of 7 Title: Corporate Information Technology Usage Policy

Acceptable Use Guidelines

Marion County School District Computer Acceptable Use Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Internet Use Policy and Code of Conduct

M&T BANK CANADIAN PRIVACY POLICY

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security: A Perspective for Higher Education

POLICIES AND REGULATIONS Policy #78

Supplier Information Security Addendum for GE Restricted Data

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Information Technology Branch Access Control Technical Standard

ABERDARE COMMUNITY SCHOOL

INFORMATION TECHNOLOGY SECURITY STANDARDS

Internet, and SMS Texting Usage Policy Group Policy

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

MARIN COUNTY OFFICE OF EDUCATION. EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS

Information Security

Acceptable Use Policy

Acceptable Use Policy

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

IBX Business Network Platform Information Security Controls Document Classification [Public]

ICT POLICY AND PROCEDURE

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SAS TRUSTEE CORPORATION ( STC )

All Users of DCRI Computing Equipment and Network Resources

The Standard. of Good Practice. for Information Security

A Guide to Information Technology Security in Trinity College Dublin

1. Computer and Technology Use, Cell Phones Information Technology Policy

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

The Office of the Government Chief Information Officer BASELINE IT SECURITY POLICY [S17]

University of Sunderland Business Assurance Information Security Policy

Transcription:

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security Shift Security simply used to protect information vs. Enabling business initiatives with security Bolt-on/add-on structure to business process vs. Integrating security and controls into daily business processes Security Solutions and Technology used to supplement core infrastructure vs. Leveraging security technical solutions to enhance core infrastructure Aspect SM (Security Management) Keeping the business risks associated with information systems under control within an enterprise requires clear direction and commitment from the top, the allocation of adequate resources, and effective arrangements for promoting good information security practice across the enterprise. High-level Control Safeguarding information and systems, as well as other assets, requires security activity to be organized efficiently across the enterprise. Accordingly, this area covers the organizational arrangements for managing security across the enterprise and the security awareness, know-how and skills of individuals with authorized access to the organization s information, systems and other valuable assets. Provide a top-down management structure and a practical mechanism for coordinating security activity across the enterprise. High-level control should be exercised by top management via a high-level working group, committee or equivalent body. Membership of the group should include top management, business managers, those in charge of computer / network facilities, legal, the person responsible for promoting good practice in across the enterprise and other stakeholders as dictated by the entities purpose and goals. The group should meet at least three times a year to monitor the security condition of the enterprise, provide direction (such as by approving security standards and procedures) and coordinate security activity. Driving Force To actively promote good practice in information security and ensure that it is applied effectively across the enterprise. A unit should be established, such as a specialist security function, which has an enterprise-wide responsibility for promoting good practice in security. The specialist security function (or equivalent) should: Define a set of security mechanisms and supporting standards Be responsible for helping business managers, users, IT staff, and others to fulfill their security responsibilities, by providing expertise and running awareness programs Measure the effectiveness of security enterprise-wide

Provide support for security classifications, risk analyses, audits, third party agreements and business continuity plans Monitor general business trends, technological developments, new threats /vulnerabilities (for example via the Internet) and new solutions (such as cryptography) Be run by staff who are equipped with the know-how, skills, resources and management support needed to fulfill their role. The person in charge of the specialist security function (or equivalent) should have direct access to all levels of management throughout the enterprise and maintain contact with counterparts in the commercial world (including government or law enforcement agencies) and external security experts. Local Coordination To promote good security practice at a local level within the enterprise, and ensure that it is applied effectively. The heads of business units / departments should be responsible for information security within their own areas. Arrangements should be made to coordinate information security activity within each part of the enterprise. Local security coordinators should be appointed in individual business units /departments. They should be equipped with the know-how, skills, time, tools, contacts and authority needed to fulfill their role. Local security coordinators should have access to in-house or external expertise in information security and be supported by standards /procedures for day-to-day security activities. The condition of information security in all parts of the enterprise should be reported to the head of the enterprise-wide driving force for information security, in a consistent manner and on a regular basis. Security Awareness To ensure business and IT managers, users and others with access to the information and systems of the enterprise understand the key elements of security, why it is needed and their personal responsibilities. Awareness of information security should be maintained via effective awareness programs covering all individuals with access to information or systems within the enterprise. Employees (including contractors) should be provided with guidance to help them understand information security, the importance of complying with policies / standards and to be aware of their own personal responsibilities. Formal awareness programs should be: Coordinated by a designated individual or group Run using structured education / training programs and specialized awareness material Supported by top management Kept up-to-date with current practices Applied to all individuals with access to information or systems. The level of awareness within the enterprise should be measured and reviewed periodically. Security Education To equip personnel involved in controlling, using, running, developing and securing the information and systems of the enterprise with the knowledge and skills required to fulfill their security responsibilities.

Education / training should be provided to all personnel with control over, or access to, the organization s information, systems and other assets. This should equip all personnel with the know-how required to assess security requirements, propose security controls and ensure controls function effectively. Education / training should also be provided to ensure that: Business users use systems correctly and apply security controls IT staff develop systems in a disciplined manner and run installations or communications networks correctly Information security specialists understand the business, know how to run security projects and can communicate effectively. Electronic Mail To ensure that: electronic mail services are available when required; the confidentiality and integrity of messages is protected in transit; and the risk of misuse is minimized. Mail servers should be configured to protect the availability of electronic mail (e-mail) systems, by limiting the size of messages / user mailboxes, restricting the use of large distribution lists and preventing e-mail loops. E-mail messages should be scanned for: Known malicious code, including attachments where such code could be hidden Prohibited words, such as those that are offensive Key known phrases, such as those commonly used in hoax viruses or chain letters. E-mail systems should be protected by: Blocking messages that originate from undesirable web sites or e-mail list servers, for example to help prevent spamming Hashing messages to help maintain integrity and encrypting those that are confidential Ensuring non-repudiation of messages, for example to prove the origin of a message by Using mechanisms such as digital signatures. Users of e-mail systems should be warned that the contents of e-mail messages might be legally binding, messages sent or received may be monitored and misuse of e-mail facilities can result in disciplinary action. Remote Working To ensure that computers used by staff working in remote locations operate as intended, remain available and do not compromise the security of any facilities to which they can be connected. Computers used by staff working in remote locations (typically desktop or laptop PCs) should be purchased from a list of approved suppliers, tested prior to use, supported by effective maintenance arrangements and protected by physical controls. Computers used in remote locations should be: Equipped with standard configurations of system and application software Protected by the use of a comprehensive set of system management tools, access control mechanisms and up-to-date virus protection software Automatically logged-off after a set period of inactivity. Staff working in remote locations, including from public areas, such as trains or airports or from home, should be: Authorized to work in specified locations

Equipped with the necessary skills to perform required security tasks Made aware of the additional risks associated with remote working, including the increased likelihood of theft of equipment or disclosure of confidential information Provided with technical support In compliance with legal and regulatory requirements (for example, health and safety laws) Provided with alternative working arrangements in cases of emergency. Additional controls should be implemented on workstations with the capability of connecting to the Internet, including the: Use of standard web browsers, with key software updates applied, and configured to prevent users from disabling security options Warning users about the dangers of downloading mobile code and the implications of accepting or rejecting cookies Imposing strict disciplines on the downloading of mobile code. Third Party Access To ensure that access to the enterprise s information and systems by third parties (i.e. external organizations, such as customers or suppliers and members of the public) is only provided following rigorous review and formal approval. Third parties (i.e. external organizations, such as customers or suppliers and members of the public) should only be granted access to information or systems within the enterprise following rigorous review. All connections from third parties should be uniquely identified, approved by the business owner, recorded and agreed by both parties in a formal contract. A risk assessment should be carried out, agreed controls implemented and rigorous testing performed. Standards / procedures for third party access should specify methods of: Ensuring that controls over third parties are commensurate with business risks Making third parties accountable for their actions Limiting liabilities and protecting ownership rights Complying with legal or regulatory obligations. Standards / procedures for third party access should cover arrangements for: Achieving technical compatibility, logging activity and providing a single point of contact for dealing with problems Restricting methods of connection and the type of access granted Subjecting third party users to strong authentication Terminating connections when no longer required. Individuals responsible for managing third party connections should have access to information about the risks associated with third party access, guidelines on how to secure connections, supporting tools such as checklists and sources of expertise for technical / specialist advice. Aspect CB Critical Business Applications A critical business application requires a more stringent set of security controls than other applications. By understanding the business impact of a loss of confidentiality, integrity or availability, it is possible to establish the level of criticality of an application. This provides a sound basis for identifying business risks and determining the level of protection required to keep risks within acceptable limits.

User Awareness To maintain a high-level of awareness of information security among users of the application. Users of the application should be aware of a high-level information security policy, and comply with it. Users of the application should be made aware of: The meaning of security and why it is needed the importance of complying with information security policies and applying associated standards / procedures their personal responsibilities for security particular security threats to the application. Users of the application should be made aware that they are prohibited from: using any part of the application (such as modems) without authorization or for purposes that are not work-related making obscene, racist or otherwise defamatory statements, such as through the application, via e-mail or over the Internet illicit copying of information or software disclosing confidential information (such as network designs or IP addresses) or compromising passwords (such as writing them down or disclosing them to others). Users should be advised that they should lock away sensitive media and documentation when not in use and log off the application if leaving a terminal unattended. They should be warned of the dangers of being overheard when discussing business information over the telephone, and in public places such as train carriages, airport lounges or bars. Aspect IP Information Processing Computer installations typically support critical business applications and safeguarding them is, therefore, a key priority. Since the same information security principles apply to any information processing activity - irrespective of where, or on what scale or types of computer it takes place - a common standard of good practice for information security should be applied. Security Awareness To maintain awareness of information security among individuals who run or use the computer installation. Individuals involved in information processing activity should be aware of the high-level information security policy that applies across the enterprise, and comply with it. These individuals should include business owners, users and personnel who run the installation. Individuals involved in information processing activity should be made aware of: The meaning of information security and why it is needed The importance of complying with information security policies and applying associated standards / procedures Their personal responsibilities for information security Particular security threats to the installation. Individuals involved in information processing activity should be made aware that they are prohibited from: Using any part of the installation without authorization or for purposes that are not work-related Making obscene, racist or otherwise defamatory statements, for example through the installation via e-mail or over the Internet

Illicit copying of information or software Disclosing confidential information (such as customer records, product designs or pricing policies). Aspect CN Communications Networks Communications networks convey information and provide a channel of access to information systems. By their nature, they are highly vulnerable to disruption and abuse. Safeguarding usiness communications requires robust network design, well-defined network services, and sound disciplines to be observed in running networks and managing security. These factors apply equally to local and wide area networks, and to data or voice communications. Security Awareness s To maintain awareness of information security among personnel who run the network. Network staff should be aware of the high-level information security policy that applies across the enterprise, and comply with it. Network staff should be made aware of: The meaning of information security and why it is needed The importance of complying with information security policies and applying associated standards / procedures Their personal responsibilities for information security Particular security threats to the network. Network staff should be made aware that they are prohibited from: Using any part of the network without authorization or for purposes that are not work related Making obscene, racist or otherwise defamatory statements (using e-mail or other network services) Illicit copying of information or software Disclosing confidential information (such as network designs or IP addresses) or compromising passwords (such as writing them down or disclosing them to others). Aspect SD Systems Development Building security into systems during their development is more cost-effective and secure than grafting it on afterwards. It requires a coherent approach to systems development as a whole, and sound disciplines to be observed throughout the development cycle. Ensuring that information security is addressed at each stage of the cycle is of key importance. User Procedures and Training To ensure users are equipped to use systems correctly. Users responsibilities should be clearly defined. Users should be fully equipped to carry out their roles and supported by documented procedures, help facilities and training. Users of new or significantly changed systems should be: Involved in - and contribute to - the development process Equipped with the know-how and skills to use systems correctly Formally trained. User training should be carried out prior to systems going live and include information security tasks and responsibilities. User training programs should be signed-off by the project manager, the business owner and a specialist in information security.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information