Most of us are uncomfortable
with the status of the security of our information systems and, especially,
the security of systems belonging to others, which can endanger ours.
We try here to explain
which standards companies should establish to reduce their security risk.
Before we describe
the security standards we give a short introduction about one of the most important
legal mandates. The Sarbanes Oxley (SOX) Act.
The Connection Between SOX and Security
Section 404 of the Sarbanes-Oxley Act mandates that all publicly-traded organizations
demonstrate due diligence in the disclosure of financial information. They must
also implement internal controls and procedures to communicate, store and protect
that data. They must protect these controls from internal and external threats
and unauthorized access, including those that could occur through online systems
and networks. Why might this be hard?
1. Budget constraints
2. Security best practices are not well defined
3. Security expertise can be in short demand
4. Difficulties in deploying and managing required technology
5. The need to maintain security during ever-changing technical environments
What should SOX
Keep an eye on the prize - security for its own sake. Compliance efforts should
complement ongoing security efforts - not overshadow them. They should be designed
to address specific risks that are documented as part of your organization's
Recognize that your company may face multiple security-related regulations.
What's needed is an enterprise security policy and plan that addresses common
denominators as well as specific needs.
Ensure that SOX personnel - even those who are not technical specialists - understand
risks and the implications of security measures. They need to be able to articulate
how levels of security build upon each other (e.g., how application security
builds on database security, which builds upon operating system security).
Ensure that the appropriate level of security testing is included in SOX 404
compliance efforts. Consider fast, scalable risk assessments performed on a
regular basis. Bring in outside expertise if needed.
Ensure that key security controls are defined, documented, and proved, and that
they demonstrate accountability and transparency. Map them to COSO, COBIT, and/or
1. Security Policy
A policy is required; it should be set and approved and have the commitment
and support of management. It also should include procedures for review and
management of the policy itself. The policy document should be available to
all employees and should include information such as:
Importance of information
Scope of the policy and support of management.
Explanation of organizational security policies, how to comply with them, and
the result of non-compliance.
Specific information on tasks such as incident reporting.
References to supporting documentation.
Information security should be managed via a management framework that establishes
how policy is approved, how security roles are assigned, and how security is
implemented. Because all management shares responsibility, a forum or committee
should be established to ensure clear direction, adequate funds and resources,
and visible management support for the policy. This forum approves security
policy; monitors changes in information system exposure (for example, changes
to the Internet presence); reviews incidents and their handling; and approves
security initiatives and their funding.
The forum may also
approve access to external sources of security expertise and restrict contact
to appropriate law enforcement, regulatory bodies and so on.
Other areas of organizational
security include evaluating the risks of third-party access, including physical
access to computer rooms and logical access to resources like databases. On-site
contractor information access, third-party contracts and outsourcing are also
3. Asset Classification and Control
All assets should be accounted for and have a nominated owner who is responsible
for them. Accountability should be assured. Assets include:
Data in databases
and files, system documentation, manuals, training materials, procedures and
Computer and communication equipment, tapes and disks, and auxiliary equipment.
Information should be classified, labeled and handled appropriately according
4. Personnel Security
This doesn’t address user safety. Instead, it addresses the organization’s
protection against user error, intentional abuse and fraud. It includes instructions
on defining security responsibilities, beginning at the recruitment stage and
encompassing credit and background checks. It also discusses the need for confidentiality
agreements, terms and conditions of employment, and user training on security
policies and procedures.
5. Physical and Environmental Security
The goal here is protection from unauthorized access, damage and interference.
The establishment of a physical security perimeter around business locations;
entry controls; isolated delivery and loading areas; and the securing of cabling,
UPSs, offices, rooms and facilities is discussed. Control requirements are listed
for equipment to mitigate the risks of environmental hazards, theft, and electrical
and chemical damage, and to cover secure disposal and offsite use.
6. Communications and Operations Management
Required documentation on procedures and processes should include:
all operations procedures.
Documentation of all changes to equipment configuration and programs (change
Segregation of duties to reduce the risk of accidental or intentional system
abuse or fraud.
Separation of development and operational facilities.
External facilities management.
Systems planning and acceptance.
Protection and controls against malicious software.
Network management and controls.
The security of documentation and specific areas is also covered, including:
Electronic commerce security.
E-mail security, including compliance with data-protection legislation.
Publicly available systems and how to protect them from modification using digital
7. Access Control
This is a long section of the document and one of the more specific ones. You may
be doing many of these things already. For a complete listing you’ll need
to read the standard, but here’s a sampling.
enforcement of access controls for each user or group should be defined. Use
the rule “everything is generally forbidden unless expressly permitted.”
A few of the items discussed include the following:
Use unique user
IDs and make sure the level of access given to users is appropriate for the
business purpose. There should be no sharing of accounts and no auto logon.
Provide users with a written notice of their access rights and have them sign
a statement indicating they understand access conditions.
Immediately remove the rights of users who have changed jobs or left the company.
Identify the privileges of each product, such as “OS” or “application.”
Make sure they’re allocated on a need-to-use basis and, where possible,
on an event-by-event basis.
Assign privileges to different user identities based on the task performed.
For instance, users should be doing normal business with a normal account and
administrative functions with another.
Temporary passwords should be communicated in a secure manner; no clear text.
Review user access rights and privilege allocation at regular intervals.
Change passwords regularly and when a possible compromise is indicated.
The minimum length of a password should be six characters.
Log off of a session before leaving the computer.
Log off of the mainframe session when finished.
Secure PCs with a key lock or other control (a password may be adequate in many
Allocate dedicated lines or telephone numbers.
Prevent unlimited network roaming.
Enforce the use of application and security gateways for external users.
Use a firewall.
Set up separate logical domains or a virtual private network for user groups.
Remote connections should be protected by a cryptographic-based technique, token
or challenge-response protocol.
Use dial-back controls.
Don’t use call forwarding.
Ensure that disconnection on the organization side occurs.
Authenticate access to the remote computer system.
For a failed attempt, don’t indicate which part of the logon information
Limit the number of unsuccessful attempts.
Retain password history.
Store passwords using a one-way (hashing) algorithm, never in a recoverable form.
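The logon items above, as an added example that is not part of the original article: a small Python user store that keeps one-way (PBKDF2) password hashes with per-user salts, enforces the six-character minimum, refuses reuse of recently used passwords, locks the account after a number of failed attempts, and answers every failed logon with the same generic message so that neither the user ID nor the password is singled out. The lockout threshold, history depth, iteration count and the class and function names are assumptions, not values from the standard.

```python
import hashlib
import hmac
import os

# Only MIN_LENGTH comes from the page; the other values are assumptions for this example.
MIN_LENGTH = 6          # minimum password length of six characters
MAX_ATTEMPTS = 5        # assumed lockout threshold for unsuccessful attempts
HISTORY_DEPTH = 5       # assumed number of previous password hashes retained per user
GENERIC_FAILURE = "logon failed"  # never says which part of the logon information was wrong


def _hash(password: str, salt: bytes) -> bytes:
    # One-way: PBKDF2-HMAC-SHA256 with a per-user salt (iteration count is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}  # user_id -> {"salt", "hash", "history", "failures"}

    def register(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique; no shared accounts")
        rec = {"history": [], "failures": 0}
        self._set_password(rec, password)
        self._users[user_id] = rec

    def _set_password(self, rec: dict, password: str) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        # Password history: reject any password whose hash is still retained.
        for old_salt, old_hash in rec["history"]:
            if hmac.compare_digest(_hash(password, old_salt), old_hash):
                raise ValueError("password was used recently; choose a new one")
        salt = os.urandom(16)
        rec["salt"], rec["hash"] = salt, _hash(password, salt)
        rec["history"] = (rec["history"] + [(salt, rec["hash"])])[-HISTORY_DEPTH:]

    def change_password(self, user_id: str, new_password: str) -> None:
        self._set_password(self._users[user_id], new_password)

    def logon(self, user_id: str, password: str) -> tuple[bool, str]:
        rec = self._users.get(user_id)
        if rec is None or rec["failures"] >= MAX_ATTEMPTS:
            # Unknown user and locked account get the same answer as a wrong password.
            return False, GENERIC_FAILURE
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        return False, GENERIC_FAILURE
```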
8. System Development
A development project's requirements statement should include the necessary
controls, as well as the business value of information assets and the potential
business damage due to the failure or absence of security.
Input data validation
should include checks for out-of-range values, invalid characters in data fields,
missing or incomplete data, the exceeding of upper and lower data volume limits,
unauthorized or inconsistent control data, and the procedures for responding
to these issues. Data balances should be validated, and data should be validated
within the program.
The integrity of
data and software (is the data received that which was requested?) should be
checked. Message authentication (detecting corruption or changes to the contents
of a transmitted message) should be performed.
signature policy should exist that details when it’s necessary and how
it will be accomplished.
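The input validation and message authentication checks described above (out-of-range values, invalid characters, missing fields, data volume limits, control data and balances), as an added Python example that is not from the article: the batch format, its limits, the field names and the constructed sample are assumptions, and the HMAC tag is verified before the body is parsed at all. It returns a list of problems, empty when the batch is acceptable.

```python
import hmac
import hashlib
import json
import re

# Assumed limits for this constructed batch format (not from the page).
MIN_RECORDS, MAX_RECORDS = 1, 1000               # upper and lower data volume limits
AMOUNT_MIN, AMOUNT_MAX = -1_000_000, 1_000_000   # out-of-range check on amounts
ACCOUNT_RE = re.compile(r"^[A-Z0-9]{8}$")         # invalid-character check on account IDs
REQUIRED = ("account", "amount")                  # missing or incomplete data check
# Constructed sample batch (not real data; test data should never be real data).
SAMPLE_BATCH = b'{"records": [{"account": "ACCT0001", "amount": 500}, {"account": "ACCT0002", "amount": -200}], "control": {"count": 2, "total": 300}}'


def make_tag(key: bytes, body: bytes) -> str:
    # Message authentication: the sender attaches an HMAC over the exact bytes sent.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, body: bytes, tag_hex: str) -> bool:
    # Any corruption or change to the transmitted body makes the tag mismatch.
    return hmac.compare_digest(make_tag(key, body), tag_hex)


def validate_batch(key: bytes, body: bytes, tag_hex: str) -> list[str]:
    if not verify_tag(key, body, tag_hex):
        return ["message authentication failed; batch rejected unparsed"]
    batch = json.loads(body)
    problems = []
    records = batch.get("records", [])
    if not MIN_RECORDS <= len(records) <= MAX_RECORDS:
        problems.append(f"record count {len(records)} outside {MIN_RECORDS}..{MAX_RECORDS}")
    total = 0
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            problems.append(f"record {i}: missing {missing}")
            continue
        if not ACCOUNT_RE.match(str(rec["account"])):
            problems.append(f"record {i}: invalid characters in account")
        amt = rec["amount"]
        if not isinstance(amt, int) or not AMOUNT_MIN <= amt <= AMOUNT_MAX:
            problems.append(f"record {i}: amount {amt!r} out of range")
        else:
            total += amt
    # Control data: the trailer's declared count and balance must agree with the body.
    control = batch.get("control", {})
    if control.get("count") != len(records):
        problems.append("control count does not match records")
    if control.get("total") != total:
        problems.append("control total does not balance")
    return problems
```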
Test data, wherever
possible, should not consist of real data. Where real data must be used, it
should be depersonalized before use, access controls should restrict access,
the copy should be logged to provide an audit trail, and it should be removed
immediately after use.
A system of change
control, both to software and operating system configuration, should be established.
This should include the evaluation of recommended changes such as operating
system patches and provisions for updating business-continuity plans.
9. Business Continuity Management
A company should seek to identify the consequences of disasters, security failures
and loss of service and should develop contingency plans. Risks should be understood
in terms of their likelihood. Plans require regular testing, documentation and
updating; updates are required when there are changes in personnel, addresses
or telephone numbers, business strategy, location, legislation, or changes in
contractors, suppliers and key customers.
A company should avoid breaches of any criminal or civil law or contract. It
should ensure the compliance with legal restrictions on the use of material,
such as those protected by copyright, trademark or other restrictions. This
includes the proper purchase and management of software licenses.
be made for the safeguarding of organizational records, privacy of personnel
information and the prevention of misuse.