
Most of us are uncomfortable with the status of the security of our information systems and, especially, the security of systems belonging to others, which can endanger ours.

We try here to explain which standards companies should establish to reduce their security risk.

Before we describe the security standards, we give a short introduction to one of the most important legal mandates, the Sarbanes-Oxley (SOX) Act.

The Connection Between SOX and Security
Section 404 of the Sarbanes-Oxley Act mandates that all publicly traded organizations demonstrate due diligence in the disclosure of financial information. They must also implement internal controls and procedures to communicate, store and protect that data. They must protect these controls from internal and external threats and unauthorized access, including those that could occur through online systems and networks. Why might this be hard?
1. Budget constraints
2. Security best practices are not well defined
3. Security expertise can be in short demand
4. Difficulties in deploying and managing required technology
5. The need to maintain security during ever-changing technical environments

What should SOX implementers do?
Keep an eye on the prize - security for its own sake. Compliance efforts should complement ongoing security efforts - not overshadow them. They should be designed to address specific risks that are documented as part of your organization's risk plan.
Recognize that your company may face multiple security-related regulations. What's needed is an enterprise security policy and plan that addresses common denominators as well as specific needs.
Ensure that SOX personnel - even those who are not technical specialists - understand risks and the implications of security measures. They need to be able to articulate how levels of security build upon each other (e.g., how application security builds on database security, which builds upon operating system security).
Ensure that the appropriate level of security testing is included in SOX 404 compliance efforts. Consider fast, scalable risk assessments performed on a regular basis. Bring in outside expertise if needed.
Ensure that key security controls are defined, documented, and proved, and that they demonstrate accountability and transparency. Map them to COSO, COBIT, and/or ISO frameworks.

1. Security Policy
A policy is required; it should be set and approved and have the commitment and support of management. It also should include procedures for review and management of the policy itself. The policy document should be available to all employees and should include information such as:

Importance of information security.
Scope of the policy and support of management.
Explanation of organizational security policies, how to comply with them, and the result of non-compliance.
Specific information on tasks such as incident reporting.
References to supporting documentation.

2. Organizational Security
Information security should be managed via a management framework that establishes how policy is approved, how security roles are assigned, and how security is implemented. Because all management shares responsibility, a forum or committee should be established to ensure clear direction, adequate funds and resources, and visible management support for the policy. This forum approves security policy; monitors changes in information system exposure (for example, changes to the Internet presence); reviews incidents and their handling; and approves security initiatives and their funding.

The forum may also approve access to external sources of security expertise and restrict contact to appropriate law enforcement, regulatory bodies and so on.

Other areas of organizational security include evaluating the risks of third-party access, including physical access to computer rooms and logical access to resources like databases. On-site contractor information access, third-party contracts and outsourcing are also relevant here.


3. Asset Classification and Control
All assets should be accounted for and have a nominated owner who is responsible for them. Accountability should be assured. Assets include:

Data in databases and files, system documentation, manuals, training materials, procedures and continuity plans.
Software.
Computer and communication equipment, tapes and disks, and auxiliary equipment.
Services.
Information should be classified, labeled and handled appropriately according to classification.


4. Personnel Security
This doesn’t address user safety. Instead, it addresses the organization’s protection against user error, intentional abuse and fraud. It includes instructions on security responsibility definition, beginning at the recruitment stage and encompassing credit and background checks. Discussed is the need for confidentiality agreements, terms and conditions of employment, and user training on security policies and procedures.


5. Physical and Environmental Security
The goal here is protection from unauthorized access, damage and interference. The establishment of a physical security perimeter around business locations; entry controls; isolated delivery and loading areas; and the securing of cabling, UPSs, offices, rooms and facilities is discussed. Control requirements are listed for equipment so as to mitigate the risk of environmental issues, theft, and electrical and chemical damage, and to cover secure disposal and off-site use.


6. Communications and Operations Management
Required documentation on procedures and processes should include:

Documentation of all operations procedures.
Documentation of all changes to equipment configuration and programs (change control).
Incident management.
Segregation of duties to reduce the risk of accidental or intentional system abuse or fraud.
Separation of development and operational facilities.
External facilities management.
Systems planning and acceptance.
Capacity planning.
Protection and controls against malicious software.
Information backup.
Operator logs.
Fault logging.
Network management and controls.
Media handling.
Information handling.
The security of documentation and specific areas is also covered, including:
System documentation.
Electronic commerce security.
E-mail security, including compliance with data-protection legislation.
Publicly available systems and how to protect them from modification using digital signatures.

7. Access Control
This is a long section of the document and one of the more specific. You may be doing many of these things already. For a complete listing you’ll need to read the standard, but here’s a sampling.

Access controls for each user or group should be defined, documented and enforced. Use the rule "everything is generally forbidden unless expressly permitted." A few of the items discussed include the following:

Use unique user IDs and make sure the level of access given to users is appropriate for the business purpose. There should be no sharing of accounts and no auto logon.
Provide users with a written notice of their access rights and have them sign a statement indicating they understand access conditions.
Immediately remove the rights of users that have changed jobs or left the company.
Identify the privileges of each product, such as “OS” or “application.” Make sure they’re allocated on a need-to-use basis and, where possible, on an event-by-event basis.
Assign privileges to different user identities based on the task performed. For instance, users should be doing normal business with a normal account and administrative functions with another.
Temporary passwords should be communicated in a secure manner; no clear text.
Review user access rights and privilege allocation at regular intervals.
Change passwords regularly and when a possible compromise is indicated.
The minimum length of a password should be six characters.
Log off of a session before leaving the computer.
Log off of the mainframe session when finished.
Secure PCs with a key lock or other control (a password may be adequate in many cases).
Allocate dedicated lines or telephone numbers.
Prevent unlimited network roaming.
Enforce the use of application and security gateways for external users.
Use a firewall.
Set up separate logical domains or a virtual private network for user groups.
Remote connections should be protected by a cryptographic-based technique, token or challenge-response protocol.
Use dial-back controls.
Don’t use call forwarding.
Ensure that disconnection on the organization side occurs.
Authenticate access to the remote computer system.
For a failed attempt, don’t indicate which part of the logon information is incorrect.
Limit the number of unsuccessful attempts.
Retain password history.
Store passwords using a one-way encryption algorithm.
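As an added illustration (not part of the original page or of the standard it summarizes), here is a small Python account store that implements several of the listed controls together: unique user IDs, the six-character minimum, one-way salted password storage, a retained password history, a limit on unsuccessful attempts, and a failure message that never says which part of the logon was wrong. The lockout threshold, the history depth and the PBKDF2 parameters are assumed values.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MIN_PASSWORD_LENGTH = 6   # the minimum stated in the standard
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold
HISTORY_DEPTH = 4         # assumed number of previous hashes retained
GENERIC_FAILURE = "invalid user ID or password"  # never says which part failed

def hash_password(password: str, salt: bytes = b"") -> bytes:
    # One-way storage: random salt + PBKDF2-HMAC-SHA256; clear text is never kept.
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def verify_hash(password: str, stored: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

@dataclass
class Account:
    current: bytes                                # current password hash
    history: list = field(default_factory=list)   # retained previous hashes
    failed_attempts: int = 0                      # reset on a successful logon

class UserStore:
    def __init__(self):
        self.accounts = {}
    def check_policy(self, account, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
        if account and any(verify_hash(password, h) for h in [account.current] + account.history):
            raise ValueError("password reused from history")
    def create(self, user_id, password):
        if user_id in self.accounts:              # unique IDs, one account per person
            raise ValueError("user ID already exists")
        self.check_policy(None, password)
        self.accounts[user_id] = Account(hash_password(password))
    def change_password(self, user_id, new_password):
        acct = self.accounts[user_id]
        self.check_policy(acct, new_password)
        acct.history = ([acct.current] + acct.history)[:HISTORY_DEPTH]
        acct.current = hash_password(new_password)
    def login(self, user_id, password):
        acct = self.accounts.get(user_id)
        # Unknown ID, locked-out account and wrong password all get one message.
        if acct is None or acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False, GENERIC_FAILURE
        if verify_hash(password, acct.current):
            acct.failed_attempts = 0
            return True, "ok"
        acct.failed_attempts += 1                 # counts toward the attempt limit
        return False, GENERIC_FAILURE
```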

8. System Development and Maintenance
A development project's requirements statement should include the requirements for controls, as well as the business value of the information assets and the potential business damage from the failure or absence of security.

Input data validation should include checks for out-of-range values, invalid characters in data fields, missing or incomplete data, data volumes that exceed upper or lower limits, and unauthorized or inconsistent control data, together with procedures for responding to these issues. Data balances should be validated, and data should be validated within the program.
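An added example (not from the page) of the input validation described above, applied to a constructed batch of payment records with a control record: per-field checks for missing data, invalid characters and out-of-range values, a data volume limit on the batch, and a data-balance check that the control count and total agree with the records. The record layout and the limits are assumptions.

```python
import re

# Constructed record layout (assumed): each payment record carries an account id,
# an amount in cents and a currency; a control record states count and total.
ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")   # allowed characters and shape
AMOUNT_RANGE = (1, 10_000_000)                 # out-of-range check, in cents
ALLOWED_CURRENCIES = {"EUR", "USD"}
BATCH_SIZE_LIMITS = (1, 1000)                  # lower and upper data volume limits

def validate_record(rec: dict) -> list:
    """Return the problems found in one record (an empty list means valid)."""
    problems = []
    for key in ("account", "amount", "currency"):       # missing or incomplete data
        if rec.get(key) in (None, ""):
            problems.append(f"missing {key}")
    if problems:
        return problems
    if not ACCOUNT_RE.match(str(rec["account"])):
        problems.append("invalid characters in account")
    amount = rec["amount"]
    if not isinstance(amount, int) or not AMOUNT_RANGE[0] <= amount <= AMOUNT_RANGE[1]:
        problems.append("amount out of range")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        problems.append("unknown currency")
    return problems

def validate_batch(control: dict, records: list) -> list:
    """Check volume limits, each record, and that the control data balances."""
    problems = []
    if not BATCH_SIZE_LIMITS[0] <= len(records) <= BATCH_SIZE_LIMITS[1]:
        problems.append("record count outside volume limits")
    record_problems = [f"record {i}: {p}" for i, rec in enumerate(records)
                       for p in validate_record(rec)]
    problems.extend(record_problems)
    # Control data must be consistent with the payload it describes.
    if control.get("count") != len(records):
        problems.append("control count does not match record count")
    if not record_problems and control.get("total") != sum(r["amount"] for r in records):
        problems.append("control total does not balance with record amounts")
    return problems
```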

The integrity of data and software (is the data received that which was requested?) should be checked. Message authentication (detecting corruption or changes to the contents of a transmitted message) should be performed.
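An added example, not from the page, of message authentication with HMAC-SHA256 (a keyed one-way function; the shared key is a constructed value assumed to be provisioned out of band): the receiver detects any change to the transmitted contents, and also checks that the authenticated reply answers the request it was expecting, which is the "is the data received that which was requested?" question.

```python
import hashlib, hmac, json

# Constructed key for the example; a real deployment provisions it out of band.
SHARED_KEY = b"example-shared-key-not-for-production"

def tag_message(key: bytes, request_id: str, payload: dict) -> dict:
    """Sender side: bind the payload to the request it answers, then attach the tag."""
    body = json.dumps({"request_id": request_id, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_message(key: bytes, expected_request_id: str, msg: dict) -> tuple:
    """Receiver side. Returns (ok, reason, payload); payload is None on failure."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; any altered byte in the body or a wrong key fails here.
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "tag mismatch: contents altered or wrong key", None
    body = json.loads(msg["body"])
    # Authentic, but is it the reply to the request we actually made?
    if body["request_id"] != expected_request_id:
        return False, "authentic but answers a different request", None
    return True, "ok", body["payload"]
```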

An encryption/cryptographic/digital signature policy should exist that details when it’s necessary and how it will be accomplished.

Test data, wherever possible, should not consist of real data. Where real data must be used, it should be depersonalized before use, access controls should restrict access, the copy should be logged to provide an audit trail, and it should be removed immediately after use.
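An added example (not the page's own material) of depersonalizing a production extract before it becomes test data, with an audit-trail entry for the copy and for its removal. The two-table layout, the fields treated as identifiers and the pseudonymization key are assumptions; the keyed one-way mapping keeps cross-table joins working in test without exposing the people behind the records.

```python
import hashlib, hmac

# Constructed layout: a customers table and an orders table that references
# customers by e-mail. The key is an assumption; it stays with the owner of the
# production data and is never shipped with the test copy.
PSEUDONYM_KEY = b"constructed-key-held-by-the-data-owner"
DIRECT_IDENTIFIERS = {"customers": ("name", "email"), "orders": ("email",)}

def pseudonym(value: str) -> str:
    # Keyed one-way mapping: equal inputs give equal tokens, so joins still work,
    # but the original value cannot be read back without the key.
    return "anon-" + hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def depersonalize_row(table: str, row: dict) -> dict:
    out = dict(row)                               # never modify the source row
    for column in DIRECT_IDENTIFIERS.get(table, ()):
        if out.get(column):
            out[column] = pseudonym(str(out[column]))
    if table == "customers" and out.get("phone"):  # keep the shape, drop the digits
        out["phone"] = out["phone"][:3] + "X" * (len(out["phone"]) - 3)
    return out

def make_test_copy(tables: dict, requested_by: str, audit_log: list) -> dict:
    """Produce the depersonalized copy and log who took it and how much."""
    copy = {name: [depersonalize_row(name, r) for r in rows] for name, rows in tables.items()}
    audit_log.append({"event": "test_copy_created", "by": requested_by,
                      "rows": {name: len(rows) for name, rows in copy.items()}})
    return copy

def dispose_test_copy(copy: dict, requested_by: str, audit_log: list) -> None:
    """Remove the copy immediately after use and log the removal."""
    copy.clear()
    audit_log.append({"event": "test_copy_removed", "by": requested_by})
```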

A system of change control, both to software and operating system configuration, should be established. This should include the evaluation of recommended changes such as operating system patches and provisions for updating business-continuity plans.


9. Business Continuity Management
A company should seek to identify the consequences of disasters, security failures and loss of service and should develop contingency plans. Risks should be understood in terms of their likelihood. Regular testing, documentation and updates are required. Updates are required if there are changes in personnel, addresses or telephone numbers, business strategy, location, legislation, or changes in contractors, suppliers and key customers.


10. Compliance
A company should avoid breaches of any criminal or civil law or contract. It should ensure compliance with legal restrictions on the use of material, such as material protected by copyright, trademark or other restrictions. This includes the proper purchase and management of software licenses.

Provisions should be made for the safeguarding of organizational records, privacy of personnel information and the prevention of misuse.