IT Security Policies

Creating a Secure Environment

Many organisations now rely entirely on their electronic environment for the day-to-day processing and management of their business.  The issues of information management, confidentiality, competitive edge and profitability are intrinsically linked, but unfortunately, information in the electronic world is not afforded the same degree of respect, with regard to security, that the paper document enjoyed in its heyday. 

The first step towards creating a secure electronic environment is to define the rules and guidelines for managing, operating and using the organisation's information systems.  This first step is critical and involves developing policies and procedures that document the organisation's intentions to diligently manage electronic information throughout its life cycle and keep it safe from unauthorised persons.

To be successful, IT Security Policies must be based on plain old common sense and all staff, contractors and third parties should be required to understand their obligations.  Kaon SecurITy Ltd has developed a generic set of policies and procedures that can be specifically tailored for any IT environment and any business situation.  Text, graphics and formatting can be customised to suit the culture of the business.

The policies are provided in a user-friendly, website format that is easily deployed in any intranet environment.  They are presented by category of user so that general users do not need to read all the technical jargon to find the policies which affect them.

Take the hassle out of IT Policies and deliver a quality solution which continues to evolve.  Add links to other organisational policies such as HR, standards, procedures, guidelines and practices, compliance documents, designs and drawings and create a dynamic tool which can be used by all levels of staff in the organisation.  This represents the documentation layer at the top of the pyramid and provides the basis for delivering a secure, well managed IT environment as represented at the bottom.

Why Policies Need to be Introduced

Organisations exist in an ever-changing technological world and, to ensure they can continue to operate in this environment and do business, they must be aware of security issues and take the appropriate measures that protect key assets, ie:-

  • People

  • Business and the infrastructure to support the business

  • Information and services

Security attacks are increasing all the time and it is important that systems and information can be protected against these threats.  The first step in achieving this is to document the rules around system configuration and system use.  By complying with these written guidelines management can be sure they are doing everything they can to protect both systems and people from a security threat.

It is important to remember that the policies protect staff just as much as they do the organisation.  Policies are the first very important step in managing IT system security.

The IT System Security Cycle

Policies are not a universal panacea for ensuring systems always remain secure.  They contribute to a dynamic lifecycle which ensures that an organisation is constantly reviewing and modifying activities and procedures in order to be certain that security controls don't loosen over time.  Following the steps outlined below will ensure that system vulnerabilities are identified, policies are reviewed regularly, staff knowledge is updated, procedures and activities are modified, documentation is updated and compliance is monitored.  Any loopholes are soon identified if this process is adhered to when managing information systems.

What the Policies Do

  • Provide the computer security framework for an organisation

  • Help protect the assets of the business 

  • Provide a uniform level of control and consistent guidelines for management

  • Communicate one computer security message to all

  • Advise staff about computer security and about their responsibilities

  • Endorse the commitment of the CEO and senior management in protecting valuable information assets

How the Policies are Arranged 

The policies are set out by category of user.  In the past, with paper versions of information systems policies, general users found it very difficult to identify which policies related to them and generally had to wade through a lot of technical information that made the policies too difficult to understand.  Everyone who uses the computer systems, communications systems or networks that make up the computing environment needs to be familiar with the policies listed under the category heading of User.  Managers should be familiar with both the User policies and the Management policies, and Technical staff need to be familiar with the policies listed under Technical.  Using web technology, this separation is very easy to achieve and the policies become a friendly, dynamic, useful tool for staff at all levels.

Obligations to Staff 

Businesses are responsible for educating and training staff on how to use the computer systems and networks correctly and for explaining why security is such an important factor when handling corporate information which may be confidential or sensitive.  Writing a suite of information system security policies is an onerous task and few IT Managers have the time, resources or skills to develop a comprehensive set of policies that fully document actual onsite practices, the intentions of management and also help achieve best practice.   

Organisations now have the opportunity to successfully achieve this objective by installing the Kaon SecurITy Ltd IT Policies and Procedures intranet site on the corporate intranet so that all staff have easy, quick access to guidelines relating to the use of electronic information and information systems. 

Staff Responsibilities

It is the responsibility of every staff member, temporary employee, contractor and third party user to ensure they read, understand and comply with organisational policies when using business computer systems, electronic information, communications systems and networks.  They are only able to do this if the policies are easily accessible, available at all times and are easy to use in a familiar web-based format.

Assisting Managers 

As policies are put in place as a protection mechanism, there is an expectation that they be complied with.  The policies provide managers with the means to apply a consistent and fair approach to managing staff activities and also document the checks and balances required to ensure that privileges are not being exceeded, approvals are being obtained and priorities are being set for technical staff.  Taking a proactive approach to Information Systems security enables managers to use less of their valuable resources on fighting fires and more on system development and other important issues.  Policies give the disciplinary process some teeth and a serious breach of any policy must be treated as a violation of the staff code of conduct, contract for service or agreement and should be handled according to standard corporate disciplinary procedures.  

The Policies Included in the Policy System

Below is a list of the policies included in the IT Policies and Procedures intranet site:-

  • Acceptable Use Policy

  • Access Control Policy 

  • Anti-Virus 

  • Business Continuity 

  • Communications Equipment Policy 

  • Computers for Councillors Policy

  • Computer System and Equipment Use Policy 

  • Cyber Crime and Incident Handling Policy 

  • E-Commerce Policy 

  • Email Policy 

  • Encryption Policy 

  • Firewall Management Policy 

  • Hardware Management Policy 

  • Information Management Policy 

  • Internet Use Policy 

  • Laptop Security Policy

  • Legal Compliance Policy 

  • Network Management Policy 

  • Password and Authentication Policy 

  • Personnel Management Policy 

  • Physical Access Policy 

  • Remote Access Policy, Remote Access Agreement, Remote Access Application Form 

  • Software Management Policy 

  • Special Access Policy 

Compliance with ISO 27002:2007 Standard

ISO 27002 is the code of practice adopted by New Zealand and many other countries around the world as a common basis for developing organisational security standards and sets the criteria for achieving best practice security management.  In New Zealand this joint Australian/New Zealand standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology.  It was approved on behalf of the Council of Standards Australia and the Council of Standards New Zealand on 4th May 2001 and was published on 8th June 2001.  It replaced AS/NZS 4444.1:1999.  The standard was subsequently reviewed and updated in June 2005.

Adopting ISO 27002 and the Standard for Information Systems Security assists with achieving ISO 9000 certification and state or national information systems security compliance and provides evidence that security is taken seriously by management.  Trading partners, shareholders, stakeholders and other third parties with a vested interest in your organisation can have confidence that it is acting responsibly in protecting itself from the risk of a serious security breach that could potentially affect profitability and viability.

ISO 27002 compliance is internationally endorsed and the IT Security Policies System assists in complying with the provisions of:-

  • IS18 Best Practice Guide, Queensland Australia

  • JAS-ANZ Certification Scheme, Australia

  • Sarbanes Oxley, USA

  • HIPAA - The Health Insurance Portability and Accountability Act, USA

  • GLBA - The Gramm-Leach-Bliley Act, USA

  • European Union Data Protection Directive, EU

  • UKAS Scheme, United Kingdom

The 24 IT Security Policies included have been fully referenced to ISO 27002.  Using these references it is possible to ascertain the extent to which the organisation meets internal compliance objectives, adheres to best practice and satisfies the provisions of the standard.

Compliance with Security in the Government Sector (SIGS) Policy

The Government requires that information important to its functions, its official resources and its classified equipment is adequately safeguarded to protect the public and national interests and to preserve personal privacy. This policy addresses the protection of the Confidentiality, Integrity and Availability of all official information. Official information includes information that is produced, transmitted, and stored in electronic form. This policy also addresses the classified equipment used to produce, transmit and store official information.

  • Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes.

  • Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes.

  • Availability - information must be accessible and useable on demand by authorised entities.

The 24 IT Security Policies included in this system have been fully referenced to the SIGS Policy.  Using these references it is possible to ascertain the extent to which the Government agency meets internal compliance objectives and satisfies the requirements of the Policy. 

SIGS has been fully referenced to the ISO 27002 standard.

Compliance with BS 25999 Standard

The BS25999 Standard was developed by practitioners throughout the business continuity community, drawing upon their academic, technical and practical experiences of business continuity management (BCM).  It has been produced to provide a system based on good practice for business continuity management and is intended to serve as a single reference point for most situations where business continuity management is practised and to be used by large, medium and small organisations in industrial, commercial, public and voluntary sectors.

The 24 IT Policy documents included have been referenced to BS25999 where appropriate.  Using these references it is possible to ascertain the extent to which the company meets internal compliance objectives and satisfies the requirements of the Standard. 

Compliance with Sarbanes Oxley (SOX) Section 404

Management Assessment Of Internal Controls

(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall--

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

The 24 IT Policy documents included have been referenced to SOX Section 404 where appropriate.  Using these references it is possible to ascertain the extent to which the company meets internal compliance objectives and satisfies the requirements of the Act. 

Compliance with Payment Card Industry Data Security Standard

The PCI DSS Standard describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements that apply to organisations who process credit card payments or hold credit card data. These PCI DSS requirements are organized in 6 logically related groups, which are “control objectives.”

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Why Subscribe to Maintenance?

Maintenance is optional.

Often there is no one onsite who can be allocated the additional task of maintaining the content of the Information Systems Policies; however, IT policies are not a static component in the overall IT framework.  In some organisations there is the political issue of who should be allocated the task of keeping the policies up to date – IT or Human Resources.  Human Resources usually don’t have the expertise to write IT policy and IT staff don’t have the time or the inclination.  Traditionally, IT policies are neglected until they bear no resemblance to what actually occurs onsite and may actually create additional security vulnerabilities.  Having no policies at all is sometimes better than having policies that are blatantly incorrect or well past their use-by date.

New policies should be added when new technologies are introduced into the IT environment.  A regular review of policies may be undertaken either annually or as the result of an audit and changes may need to be made to ensure that practice and policy are aligned.  IT environments change over time as do the people that manage and administer them and any such changes that result in different onsite practices or a new approach to specific technologies should be assessed and reflected in supporting documentation such as policies and procedures.

What Does Maintenance Provide?

Subscribing to maintenance allows you to outsource maintenance of your policy documentation.  If you introduce a new technology and need policies to support it we will write these for you.  You may send through your notes for any policy changes and these will be incorporated into your site specific version of the policies.  You will be sent a new CD that can be published to the intranet.

Every year we provide one major release to the Information System Policies.  This may include the addition of new policies, updates or changes to old policies based on newly discovered vulnerabilities or weaknesses, amendments to the compliance pages and updates to the glossary and index pages.  We are constantly looking for ways to improve the system and to provide additional functionality which adds value.

Maintenance Options

There are three ways of maintaining your Information Systems Policies:-

1. Through a subscription to the SecurITy service

2. A 20% annual subscription charge

3. We can update or edit the policy documents on an ad-hoc basis at our current hourly rate.

How to Get the IT Policies and Procedures intranet system

Contact us at Kaon SecurITy Ltd to discuss your site specific requirements.  Initial discussions include:-

  • Information about your site - numbers of users, type of industry, your intranet environment etc

  • Any site specific requirements you may have

  • Fees and ongoing maintenance requirements

  • Deployment options

  • The look and feel for the site that would best suit your organisational culture

  • Deliverables, timeframes, payment etc which will be formalised in a short written agreement.

A purchase order is all that is required to initiate the process.

© 2004 Kaon Security Ltd 20 Nov 2004