Wednesday, June 4, 2008

Why Can't We All Just Get Along? Table security policy documentStays; as the management will need to disseminate its commitment and approach to the resultant policy regardless of the motivation. and evaluationStays; again a management forum ensuring there is a clear direction and visible management support and responding to changes is still applicable, regardless of motivation. information security forumStays; see above. security coordinationStays; as management will need to someone acting as their representatives from relevant parts of the organization to coordinate the implementation of the policy. of information security responsibilitiesStays; someone again will need to determine responsibilities for the protection of individual assets and for carrying out specific security processes that were clearly defined by management and their representatives. process for information processing facilitiesStays; as management will need an authorisation process in place for any new information processing facility. Including all new facilities such as hardware and software. information security adviseStays; If bad guys are removed from the equation, there will still be a need for people to get assistance, especially in understaffed/overwhelmed companies. between organizationsStays; but primarily for telecommunication companies, and information service providers, ISPs, to ensure that appropriate action can be quickly taken and advice obtained, in the event of an outage, as availability is a known cornerstone of security. review of information securityStays; this is to provide assurance that the policy is feasible and effective, and having a third parties input can be valuable for gaining perspective.
0.504.2.1Identification of risks from third party access50% Goes, risks from third party access are no longer a factor, however 50% stays as third party contractors working onsite can still create unintentional outages, as anyone working with a VAR can most likely attest. requirements in third party contractsStays; again this will refer to outages. requirements in outsourcing contractsStays; see above. of assetsStays; as a component of a Business Impact Analysis this is will be critical, remember that Business Continuity and Disaster recovery are still issues even if not driven by malicious activity. guidelinesStays; as an information classification scheme or guideline; which is intended to determine how the information is to be handled and protected need not only be based on sensitivity, but also can include value. labelling and handlingStays; defining the information labelling and handling in accordance with the classification guidelines will be a critical part of a classification procedure. security in job responsibilitiesStays; defining responsibilities for the protection of particular assets will play a role in any DR/BC component of a program. screening and policyStays; while nobody is going to be dishonest, verification checks on permanent staff will still need to be carried out at the time of job applications. This is to prevent against people over assessing the skill
0.506.1.3Confidentiality agreements50% Goes, nobody is trading or selling secrets and therefore Confidentiality or non-disclosure agreements would not be needed. 50% Stays; as this could apply to pricing, nobody would want to make a customer jealous inadvertently by offering better pricing to a larger customer. and conditions of employmentStays; employees will still need to know the conditionality of their employment to meet responsibilities. security education and trainingStays; as employees of the organization and third party users will need to learn about where to store files so they are properly backed up in the case of a drive failure and will therefore need to receive appropriate Information Security training and regular updates in organizational policies and procedures. security incidentsStays; regardless of the motivation it is still important to report security incidents such as outages through appropriate management channels as quickly as possible. security weaknessesStays; a formal reporting procedure for users to report business continuity related threats to systems or services is still going to be required. software malfunctionsStays; This is an easy stay, of course it would remain important to report any software malfunctions. from incidentsStays; any time the ability to learn about the types, volumes and costs of incidents and malfunctions in a quantifiable way that is able to monitored. processStays; if an employee has violated organizational security policies and procedures even just by apathy or neglect, there will still need to be formal disciplinary process in place. This process will still be a deterrent to employees who might otherwise be inclined to disregard security procedures. Security PerimeterGoes, with no theives there will not be a need for physical border security. entry ControlsGoes, again thieves will not be trying to get their hands on any assets. Offices, rooms and facilitiesGoes, again thieves will not be trying to get their hands on any assets. in Secure AreasGoes, again thieves will not need security controls for third parties or for personnel by placing them into the secure area. delivery and loading areasGoes, with no theft we do not need a delivery area and information processing area are isolated from each other to avoid any unauthorised access. siting protectionStays, we still need controls to minimize risk from potential threats such as fire, smoke, water, dust, vibration, chemical effects, electrical supply interfaces, electromagnetic radiation, and floods. Also there is good justification for a policy towards eating, drinking and smoking on in proximity to information processing services. SuppliesStays; equipment will need to be protected from power failures by using permanence of power supplies such as multiple feeds, uninterruptible power supplies, and backup generators to prevent outages. SecurityStays, power and telecommunications cable carrying data or supporting information services will still need to be protected from damage. MaintenanceStays; it is still important to ensure that the equipment is maintained as per the supplier’s recommended service intervals and specifications and that logs are kept for all suspected or actual faults and all preventive and corrective measures. Also it will still be equally important to know if the equipment is covered by insurance, and if the insurance requirements are satisfied. of equipment off premisesStays; there will still need to be equipment usage outside an organization’s premises for DR, that will need to have backup procedures, especially for in the event of the primary site undergoing an incident like a power outage. disposal or re-use of equipmentGoes; as information is no longer has a threat of being stolen, storage devices containing sensitive information will not have to be physically destroyed or securely over written. Desk and clear screen policyGoes, as automatic computer screen locking facility is no longer going to need to be enabled, nor will we have to worry when leaving any confidential material around, as no one will steal it. of propertyStays, when equipment, information or software go offsite without appropriate authorization there may not have been the appropriate thought as to whether it could be lost. Operating proceduresStays; It should not be to avert hackers that identifing operating procedures such as backing up systems and equipment maintenance are defined and these procedures are documented and used. Change ControlStays; again programs running on production systems being subject to strict change control i.e., any change to be made to those production programs need to go through the change control authorisation has more to do with the creation of a solid code production and stable code over defeating hackers. management proceduresStays; When a disaster occurs on a critical server an Incident Management procedure to addresses the incident management responsibilities, and respond according to such guidelines will be equally valuable if the damage was intentional or otherwise. of dutiesStays; Although the intent behind duties and areas of responsibility being separated is to reduce opportunities for unauthorized modification or misuse of information or services, the result of keeping this component is that it avoids the "What if the System Administrator gets hit by a bus?" problem that can occur if cross training doesn't. of development and operational facilitiesStays; to not affect the services offered by the production network keeping the development and testing facilities isolated from operational facilities is key to integrity and availability. For example development software should run on a different computer to that of the computer with production software. facilities managementStays; as any Information processing facility managed by external company contains risks especially related to availability. The risks associated with such management is will still need to be discussed with the third party and appropriate controls incorporated into the contract. PlanningStays; Capacity demands will still need to be monitored and projections of future capacity requirements will need to be made to ensure that adequate processing power and storage are available. acceptanceStays; System acceptance criteria will continue to need to be established for new information systems, upgrades and new versions. Suitable tests will still need carried out prior to acceptance to ensure availability and integrity. against malicious softwareThere will not be any malicious software, or any usage of unauthorized software. back-upStays; The Back-up of essential business information such as production servers, critical network components, configuration backup etc., will still need to be taken regularly to ensure integrity and availiability. logsStays; the Operational staff would still benefit their troublseshooting by maintaining a log of their activities such as name of the person, errors, corrective action etc., LoggingStays; faults still need to be reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions taken.
0.508.5.1Network Controls50% Stays; There will need to be responsibilities and procedures for management of remote equipment, including equipment in user areas were established. 50% Goes; There will not be any special controls to safeguard confidentiality and integrity of data processing over the public network and to protect the connected systems. of removable computer mediaStays; There will still be a need for a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports, but not due to a loss by theft, but only to keep track of inventory. of MediaGoes; as the media that are no longer required will not need to be disposed off securely and safely. handling proceduresGoes; there will not need to be a procedure for handling the storage of information. This procedure is intended to address issues such as information protection from unauthorized disclosure or misuse which will no longer be an issue. of system documentationGoes; the system documentation will not need to be protected from unauthorized access. and software exchange agreementGoes; There will be less of a need for formal or informal agreement between the organizations for exchange of information and software. The agreement would not have to addresses the security issues based on the sensitivity of the business information involved. of Media in transitStays; security of media while being transported will still be taken into account. The media will still need to be protected from corruption.
0.508.7.3Electronic Commerce security50% Goes; Electronic commerce will not need to be well protected and controls will not need to be implemented to protect against fraudulent activity, and disclosure or modification of information. 50% Stays; as there still can be contract disputes over misunderstandings over the contracts content. of Electronic emailStays; there will still be a need for a policy in place for the acceptable use of electronic mail. While there will no longer be a need for antivirus checking, isolating potentially unsafe attachments, spam control, anti relaying, etc. there will still need an understanding reached with employees that work email is not for personal use, as some users may not be aware of this. of Electronic office systemsGoes; there will not be a need for an Acceptable use policy to address the use of Electronic office systems. available systemsStays; there will still need to be a formal authorization process in place for the information to be made publicly available. This will be used for QA, as well as approval from Change Control which includes Business, Application owner etc., forms of information exchangeGoes; as policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities will not be needed. Control PolicyStays; The business requirements will not need access control defined and documented, as no malicious users will attempt to breach the network, but a policy will still need to define what is going to be accessible, just to control changes. RegistrationStays; there will still need to be a formal user registration and deregistration procedure for granting access to multi-user information systems and services to control changes. ManagementStays; the allocation and use of any privileges in multi-user information system environment will still need to be restricted and controlled for change control and to protect against ernest intended changes from having unintended consequences. Password ManagementGoes; the allocation and reallocation of passwords will not need to be controlled through a formal management process. of user access rightsStays; there will still need to be a process to review user access rights at regular intervals, again to ensure the process accounts for skill levels. useGoes, as guidelines for selecting and maintaining secure passwords will not be an issue. user equipmentGoes; as users and contractors will not need to be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection, as nobody will be attempting to take advantage of open connections. on use of network servicesStays; there will still need to be a policy that addresses concerns relating to networks and network services such as: Parts of network to be accessed, Authorization services to determine who is allowed to do what, Procedures to protect the access to network connections and network services, as authorization will still be a factor. pathGoes; There will not be a need for a control that restricts the route between the user terminal and the designated computer services the user is authorised to access, as people should no longer be poking outside of their authorized systems by using injected routing. authentication for external connectionsGoes; there will not need to be authentication mechanism for challenging external connections. AuthenticationStays; connections to remote computer systems that are outside organisations security management will still need to be authenticated to prevent accidental routing issues. diagnostic port protectionStays; as accesses to diagnostic ports will still need to be securely controlled to protect against erronous access and modifications. in networksStays; the network (where business partner’s and/ or third parties need access to information system) is segregated using perimeter security mechanisms such as firewalls to prevent unintended changes as well as to make for easier VPN connections as networks would be arranged not to overlap. connection protocolsStays; network connection control for shared networks that extend beyond the organizational boundaries will need to be maintained. routing controlStays; to enforce network controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with non-organisations users. of network servicesStays; as the organization, as a clear description of security attributes of all services used is provided would prove benificial for network management. terminal identificationStays; as there will still be a need for accountability via an automatic terminal identification mechanism is used to authenticate connections. logon proceduresStays; as there will still be a need for accountability for the procedure in place for logging in to an information system. identification and authorisationStays; as it would still help with accountability to assign a unique identifier to every user such as operators, system administrators and all other staff including technical. management systemGoes; as password management system would not need to be in place. of system utilitiesStays; the system utilities that comes with computer installations, but may override system and application control will still need to be tightly controlled to prevent misconfigurations. alarm to safeguard usersGoes; there will no longer be a need for a duress alarm for users who might be the target of coercion. timeoutStays; Just from a resource stand point it seems logical to maintain a procedure by which inactive terminal in public areas to be configured to clear the screen or shut down automatically after a defined period of inactivity. of connection timeStays; Just from a resource stand point it seems logical to put a restriction on connection time for high-risk applications. access restrictionStays; as there will still be a need for accountability when accessing an application by various groups/ personnel within the organization as defined in the access control policy per the individual business application requirement and to ensure access is consistent with the organization’s Information access policy. system isolationStays; sensitive systems will be easier to maintain with an isolated computing environment such as running on a dedicated computer, share resources only with trusted application systems, etc. loggingStays; as audit logs recording exceptions and other security relevant events produced will aid in assisting in future investigations and access control monitoring. system useStays; so long as access is restricted to prevent changes out of change control there should be procedures for monitoring the use of information processing facility. The results of these monitoring activities will need to be reviewed regularly. synchronisationStays; the computer or communication device will need to use a real time clock, it should be set to an agreed standard such as Universal coordinated time or local standard time to aid in troubleshooting anomolies. computingStays; a formal policy will still need to take into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments as a part of the access policy to protect against unintended changes from being made out of change control.; any policy, procedure and/ or standard to control teleworking activities will need to be maintained to consistantly enforce the AUP and ACP.
1.0010.1.1Security requirements analysis and specificationStays; all of the security requirements incorporated as part of business requirement statement for new systems or for enhancement to existing systems will need to be identified and should reflect business value of information assets involved and the consequence from failure of Security.
1.0010.2.1Input data validationStays; regardless of how ideal the user base is, data input to application system always needs to be validated to ensure that it is correct and appropriate.
1.0010.2.2Control of internal processingStays; areas of risks will always need to e identified in the processing cycle and validation checks that are included. This is to ensure the data that has been correctly entered isn't corrupted by processing errors.
1.0010.2.3Message authenticationStays; Message authentication will still be required to detect the corruption of the contents of the transmitted electronic message.
1.0010.2.4Output data validationStays; the data output of application system will need to be validated to ensure that the processing of stored information is correct and appropriate to circumstances.
0.0010.3.1Policy on use of cryptographic controlsGoes, as there will not be a need for a Policy in use of cryptographic controls for protection of information.
0.0010.3.2EncryptionGoes, as encryption techniques will not be used to protect the data.
1.0010.3.3Digital SignaturesStays; Digital signatures can still be used to protect the integrity of electronic documents.
1.0010.3.4Nonrepudiation servicesStays; non-repudiation services can be used, where it might be necessary, to resolve disputes about occurrence or non-occurrence of an event or action.
0.0010.3.5Key managementGoes; As encryption will not be required there will not be a need for a management system is in place to support the organization’s use of cryptographic techniques.
1.0010.4.1Control of operational softwareStays; As mentioned there will be controls in place for the implementation of software on operational systems to minimise the risk of corruption of operational systems.
1.0010.4.2Protection of system test dataStays; system test data will need to be protected and controlled, to ensure the integrity of the tests, and while testing there is no need potentially leak information.
1.0010.4.3Access Control to program source libraryStays; There should still be strict controls in place over access to program source libraries to reduce the potential for corruption of computer programs.
1.0010.5.1Change control proceduresStays; as mentioned strict control procedures will need to be in place over implementation of changes to the information system to minimise the corruption of information systems.
1.0010.5.2Technical review of operating system changesStays; again as part of any development life cycle there is a need for processes or procedures to be in place to ensure application system is reviewed and tested after change in operating system.
1.0010.5.3Technical review of operating system changesStays; again restrictions in place to limit changes to software packages is a component of change control, and all changes will still need to be clearly tested and documented, so they can be reapplied if necessary to future software upgrades.
0.0010.5.4Covert channels and Trojan codeGoes; there will not be any covert channels and Trojan codes will not be introduced into new or upgraded systems.
1.0010.5.5Outsourced software developmentStays; there will still be a need for Licensing arrangements, escrow arrangements, and contractual requirement for quality assurance controls in place when outsourcing software.
1.0011.1.1Business continuity management processStays; as addressed already a managed process in place for developing and maintaining business continuity throughout the organization is a large component of what will stay as the business will still be needed for continuity.
1.0011.1.2Business continuity and impact analysisStays; events that could cause interruptions to business process are a major component of the security program and will still need to be identified. A risk assessment will need to be conducted to determine impact of such interruptions, as well as a strategy plan based on the risk assessment results to determine an overall approach to business continuity will help the organization prioritize events in the continuity planning as an electrical outage or flood would be just as disasterous in this environment.
1.0011.1.3Writing and implementing continuity planStays; plans will need to be developed to restore business operations within the required time frame following an interruption or failure to business process, as an outage could be just as fiscally devastating.
1.0011.1.4Business continuity planning frameworkWhether there is a single framework of Business continuity plan. Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance. Whether this identifies conditions for activation and individuals responsible for executing each component of the plan.
1.0011.1.5Testing, maintaining and re-assessing business continuity planStays; Business continuity plans will need to be tested regularly to ensure that they are up to date and effective for the same reason as above.
1.0012.1.1Identification of applicable legislationStays; Business will still take place in the frameowrk of contracts and these will need to be reviewed to ensure all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.
1.0012.1.2Intellectual property rightsStays; again as there will still be laws and legal restrictions ensuring compliance with legal restrictions on use of material in respect of which there may be intellectual property rights such as copyright, design rights, trade marks, will need to be carried out to ensure that any coincidental similarities can be resolved.
1.0012.1.3Safeguarding of organisational recordsStays, it will still be important that records of the organization are protected from loss or accidental destruction.
1.0012.1.4Data protection and privacy of personal informationStays; as mentioned there is a need for a management structure and controls to be in place to protect data from accidental loss or disclosure.
1.0012.1.5Prevention of misuse of information processing facilityStays; the guideline of using information processing facilities for any non-business or unauthorised purpose, without management approval is treated as improper use of the facility is still applicable for a drawing of the boundries.
0.0012.1.6Regulation of cryptographic controlsGoes, the regulation of cryptographic control per the sector and national agreement will be a non issue, as nobody will be trying to crack encryption.
1.0012.1.7Collection of evidenceStays, as there still may be business disagreements to settle the process involved in collecting the evidence will need to be in accordance with legal and industry best practise.
1.0012.2.1Compliance with security policyStays; it will still make sense to ensure the comprehensiveness of compliance with the defined Security policies.
1.0012.2.2Technical compliance checkingStays; it will still make sense to ensure the comprehensiveness of compliance with security implementation standards as defined above.
1.0012.3.1System audit controlsStays; Maintaining audit requirements and activities involving checks on operational systems will still need to be carefully planned and agreed to minimise the risk of disruptions to business processes.
1.0012.3.2Protection of system audit toolsStays; Ensuring that system audit tools such as software or data files are protected to prevent any possible misuse or compromise will also ensure the integrity of the files against corruption, such as errors in distribution.

Read more!