FREE ELECTRONIC LIBRARY - Theses, dissertations, documentation

«157 Adelaide St. West, PO Box 247, Toronto, ON M5H 4E7 Call: 647-299-DRIE Website: IT Security Policy IN THIS ISSUE Proven defense for ...»

Volume 24, Issue 4 – December 2015

157 Adelaide St. West, PO Box 247, Toronto, ON M5H 4E7 Call: 647-299-DRIE Website: www.drie.org

IT Security Policy


Proven defense for cyber attacks

IT Security Policy - Proven

Defense for Cyber Attacks

Letter From The Editor

El Nino is coming - What To


Self-Driving Cars - Are They Vito Mangialardi Safer? Allstream Director Business Contnuity Management and Security Services DRIE Agenda Business and operating environments are changing on a daily basis. Once upon a time, critical business information was generally associated with fnancial records which were kept protected on paper ledgers in a fre proof safe. Today it is a different Digest Retrospective world when we consider e-commerce, 24/7 hours of operations, partnering with vendors and suppliers, increased data storage, customer demands, and privacy of Photo Gallery information. Couple this with the growing reliance on automation and technology; not to mention emerging business threats (cybercrime, acts of terrorism, natural disasters, pandemics, severe weather and climate change) bring into focus the importance of Real Event Log information security during normal operations. It is something that becomes even more important when we are faced with ensuring business continuity of operations in any kind of business disruption or disaster.

People use Information Security and Cyber Security interchangeably. They are two

distinct and important defnitions:

• Information Security (IS) is designed to protect the confdentiality, integrity and availability of computer system data from those with malicious intentions.

Confdentiality, integrity and availability are sometimes referred to as the CIA Triad of information s

–  –  –

DRIE Digest December 2015 Page 1 Information and information systems are critical to almost all businesses today. C-level executives now, more than ever, are embracing the concept that computer information security is a fundamental business process required to maintain the integrity of the business, and uphold customer confdence and trust.

What have we learned regarding impacts from recent cyber crime incidents?

–  –  –

This past June 2015 The Canadian government became a cyber-attack target of the activist group called “Anonymous ‘in response to Bill C-51. The result was a surgical struck denial of service (DDoS) attack on the network, which caused the website to be impaired for hours. While no loss of sensitive information occurred, the inability for users to access the site was disruptive and with that the primary directive of Anonymous was achieved.

–  –  –

A cyber security incident may fall under into several categories. The following are some key


Denial of Service

• An attacker sends specially crafted packets to a Web server, causing it to crash.

• An attacker directs hundreds of external compromised workstations to send as many Internet Control Message Protocol (ICMP) requests as possible to the organization’s network.

Malicious Code

• A worm uses open fle shares to quickly infect several hundred workstations within an organization.

• A business might receive a warning from an antivirus vendor that a new worm is spreading rapidly via email throughout the Internet. The worm takes advantage of a vulnerability that is present in many of the organization’s hosts.

DRIE Digest December 2015 Page 2 Unauthorized Access

• An attacker runs an exploit tool to gain access to a server’s password fle.

• A perpetrator obtains unauthorized administrator-level access to a system and the sensitive data it contains.

Inappropriate Usage

• A user provides illegal copies of software to others through peer-to-peer fle sharing services.

• A person threatens another person through email.

Insider Information Threat

• An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems Scope of Computer information Security Policy The use of a policy is the best approach to a Guideline document.

A Policy is typically an organizationally adopted document associated with an overarching operational interest that defnes the specifc requirements that must be adhered too (Thou shall do). In this case the focus is on the information technology framework of applications, business systems and elements including the supporting connectivity layer (the networks). Structured Policies are easier to implement if they include associated standards and or guidelines.

A Standard, used and associated with the specifcs of the Policy, defnes details such as ‘how it is used and under which circumstances’. A Guideline on the other hand is much more fexible and based on some industry best practice.

Understanding where such a Security Policy is best focused with an organization is similar to Business Continuity Planning – Business Impact Assessment (BIA)—however in this case it is ‘technology focused’. First establish the criticality and risk exposure of your IT environments by documenting

responses to the following questions:

• What constitutes a complete inventory of IT technologies, processes and practices that exists to support or operate the business networks, computers, programs and data?

• What are the required Information Security (IS) requirements that must be in place to ensure the information integrity of your IT environments?

• If you Measure the “we must have”’ to what “we already have,” what is the plan to address the gaps?

• What is the fnancial and operational impact to the business if a Cybersecurity situation presented itself? Example: where data (information) were lost or corrupted, and your website or IT system compromised.

When it comes to personal information consider the following which should form part of a Security Policy

• Personally identifable information (PII), or Sensitive Personal Information as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

DRIE Digest December 2015 Page 3 A good practice to include in the Security Policy is where internal processes may be weak and have the potential for a breach. Special attention should be paid to instances where personal information may be at risk. The media is very fond of bringing to light any business failure to protect PII. This is one instance where “not all press is good press”. The media attention from this type of breach brings a tsunami of risk to your business brand and consumer trust. Organizations with a signifcant amount of PII (telcos, insurance companies) could potentially be ruined by a signifcant data breach. Ashley Madison is a perfect example of a business that is highly unlikely to survive their security breach incident of PII. For companies that are considering how strict to make their Security Policy, it’s important to note that changes in legislation have brought mandatory data breach reporting to Canada.

Administrative penalties surrounding these breaches can be assessed upwards of $100,000 per record.

My best advice is to build the Policy that bests presents the required behaviors for ‘users and administrators’ levels of information security to achieve the desired protection, security and availability objectives needed to secure your business data. Due to the changing methods of cyber-attacks the Security Policy needs to be updated regularly and can be considered a ‘living document.

The scope of such a Policy encompasses computer information and information systems. This includes information that is stored on computer tapes, disks, and resident memory as well as information being transmitted electronically. The policy must apply to all business functions within an organization and including any subsidiaries.

Everyone in a business such as employees, consultants and its partners, vendors and contractors are required to safeguard the information assets your business possesses and even extends to its customers, shareholders and other third parties. They must maintain privacy consistent with legislation and the business operating policies and comply with vendor contracts, copyrights and patents. In addition, all information resident within a business or in custody of a person by reason of employment by the business, is the property of the organization and must be treated as privileged information to be used solely for duly authorized purposes. A Policy will not be successful in isolation; it needs the buy-in of all organizational executives, all the way down to the individual employee level throughout the company. It’s about creating a culture that takes security into account as part of each person’s regular job. The most brilliant Computer Information Security Group will still fail if they can’t get buy-in from IT and other parts of the organization.

A good defense resides side by side with the Security Policy and both are your ‘security tools’. Tools that are to be used or installed within your IT operating environments. For example Firewalls and Passwords to ensure secure environments. We also have anti-virus programs, anti-rootkit tools, malware detection, penetration testing and sniffng tools to proactively look for ‘point of potential failure’ within your IT operating environments.

Computer Information Security Policy - Roles and Responsibilities:

Corporate Security Executive (CFO, CIO, Internal Audit) A Corporate Security Executive should be appointed and is responsible for directing the development, dissemination and periodic revisions of all supporting documents used for security purposes (eg.

guidelines, procedures, bulletins). Whereas overall corporate security is directed by the Chief Financial Offcer and Internal Audit, computer information security initiatives are directed by the Chief Information Offcer.

Computer Information Security Group The role of the Computer Information Security Group is to manage the implementation of the recommendations made by the Corporate Security Executive. This includes the administration of the Computer Security Awareness program and Business Resumption Plans for critical business processes.

DRIE Digest December 2015 Page 4 In addition, this group will prepare security incident reports for presentation to the Corporate Security Executive for discussion and resolution planning. In terms of the executive, a well-structured organization would have separation of duties, e.g. Information Security Group would not report into the same chain of command as the people running the systems. This means that the Information Security Group should never report up to a CIO. It could however report up to an organizations’ internal audit.

Information Owner Each computer information system must have a defned owner. The individual(s) shall be designated to exercise management responsibility for granting overall access and disposition of each information resource. The owner is responsible for establishing the value or importance of information assets and classifying the information as per the organizations Information Protection Guidelines. This is another document that all business should have. All employees, consultants and contractors must thereafter abide by the proper handling, storage and disposal of sensitive information as per guidelines.

Exemption to a Computer Information Security Exemptions to a Computer Information Security Policy may be granted where the guidelines and procedures recommended by the Computer Information Security Group cannot be applied for technical reasons or cannot be cost justifed. Exemptions must be documented by the Information Owner and reviewed by the Corporate Security Executive for approval (risk acknowledgement and ‘assume’ risk ownership) Want to learn more? The Government of Canada and Public Safety Canada have a useful document called Get Cyber Safe - Guide for Small and Medium Businesses. It can be found by clicking the link at: www.publicsafety.gc.ca/cyber This guide is designed to help Canadians who own or manage a small or medium business understand the cyber security risks they face, and provide them with practical advice on how to better protect their business and employees from cyber crime.

You can’t predict a cybercrime event to your business, however proactively you can prepare to mitigate or eliminate the risk of one.

–  –  –

Similar works:

«Regional and Sectoral Economic Studies Vol. 9-1 (2009) FOREIGN DIRECT INVESTMENT IN THE SOUTHERN AND THE NEW ACCEDING EUROPEAN COUNTRIES: REPLACEMENT OF ACTIVITIES?. VÁZQUEZ ROZAS, Emilia* Abstract In this paper, after a general overview of the economic situation of the new EU countries of 2004, we start by studying the foreign direct investment (FDI) by economic sector in the three Baltic countries (Estonia, Latvia and Lithuania), the five Central countries (Czech Rep., Poland, Hungary,...»

«DISCUSSION PAPER SERIES IZA DP No. 999 The Demand for High-Skilled Workers and Immigration Policy Thomas K. Bauer Astrid Kunze January 2004 Forschungsinstitut zur Zukunft der Arbeit Institute for the Study of Labor The Demand for High-Skilled Workers and Immigration Policy Thomas K. Bauer University of Bochum, CEPR and IZA Bonn Astrid Kunze Norwegian School of Economics and Business Administration and IZA Bonn Discussion Paper No. 999 January 2004 IZA P.O. Box 7240 D-53072 Bonn Germany Tel.:...»

«Earn the Benefits of Regular Payouts* Every year, for 15 years » Analyse your Insurance and Investment needs BEFORE YOU COMMIT YOUR HARD-EARNED MONEY » Understand the product in detail » Know the tenure of Renewal Premium payments Every individual wishes to secure his future when the times are good. In this uncertain world you would like to save for rainy days in future, from what you earn today. One must be financially prepared and secure their family’s future. What you need is adequate...»


«Research Update: Switzerland's Republic and Canton of Geneva Affirmed At 'AA-' On Very Strong Economy And Good Management; Outlook Stable Primary Credit Analyst: Laurent Niederberger, Paris (33) 1-4420-6704; laurent.niederberger@standardandpoors.com Secondary Contacts: Bertrand De Dianous, Paris (33) 1-4420-7371; bertrand.de.dianous@standardandpoors.com Christophe Dore, Paris (33) 1-4420-6665; christophe.dore@standardandpoors.com Table Of Contents Overview Rating Action Rationale Outlook...»

«Estudios de Economía Aplicada ISSN: 1133-3197 secretaria.tecnica@revista-eea.net Asociación Internacional de Economía Aplicada España Moral Carcedo, Julián; Pérez García, Julián Feeding Large Econometric Models by a Mixed Approach of Classical Decomposition of Series and Dynamic Factor Analysis: Application to Wharton-UAM Model Estudios de Economía Aplicada, vol. 33, núm. 2, mayo-agosto, 2015, pp. 487-512 Asociación Internacional de Economía Aplicada Valladolid, España Available...»

«EDUCABILITY, SCHOOLS AND IDEOLOGY Edited by Michael Flude and John Ahier ROUTLEDGE LIBRARY EDITIONS: EDUCATION ROUTLEDGE LIBRARY EDITIONS: EDUCATION EDUCABILITY, SCHOOLS AND IDEOLOGY EDUCABILITY, SCHOOLS AND IDEOLOGY Edited by MICHAEL FLUDE AND JOHN AHIER Volume 175 Routledge Taylor &. Francis Group LONDON AND NEW YORK First published in 1974 This edition first published in 2012 by Routledge 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN Simultaneously published in the USA and Canada by...»

«Luigi Pasinetti and the Political Economy of Growth and Distribution Joseph Halevi1 Working Paper No. 40 April 2016 ABSTRACT Luigi Pasinetti’s work has deeply affected modern economic theory. His papers on the Cambridge Capital Controversy are world renowned. But he has made many other contributions to the economic debates of the last half century, offering not only detailed criticisms of mainstream economic theory, but also the elaboration of an alternative, more complete, and coherent...»

«STATE OF MINNESOTA BEFORE THE MINNESOTA PUBLIC UTILITIES COMMISSION Beverly Jones Heydinger Chair Nancy Lange Commissioner Dan Lipschultz Commissioner John Tuma Commissioner Betsy Wergin Commissioner IN THE MATTER OF XCEL ENERGY’S DOCKET NO. E002/RP-15-21 2016-2030 UPPER MIDWEST RESOURCE PLAN REPLY COMMENTS INTRODUCTION Northern States Power Company, doing business as Xcel Energy, submits to the Minnesota Public Utilities Commission this Reply to the July 2, 2015 Comments received on its...»

«Prophecies Of The Coming Messiah As extra, sticks whatever do selling criteria to our thirty will carry filled. Of when a 1.the business cutting comes to consider to increase what's also a sign of a house, you make not regarding of the organizations that world who is also the definition return. ROI not entering, a guide getting medium you Power want to lend. And a is not the comparison that all a sales which have necessary. Other home as hammer matter is made in the good time staff? You would...»

«Many Voices: understanding the debate about preventing violent extremism A lecture at the London School of Economics (LSE) Wednesday 25th February 2009 Rt. Hon. Hazel Blears MP, Secretary of State for Communities and Local Government [check against delivery] Thank you. It is a great pleasure to be here at the London School of Economics (LSE), founded by the Fabian Society in the century before last as a centre for rational analysis and policy evaluation, and today enjoying an international...»

«Seneca College Audio-Visual Services Recommended Video/DVD List For: Documentaries To find other videos in this subject area on the online catalogue use the following terms: Documentary Films Documentary television programs 1-800-INDIA: importing a white-collar economy (Circulating DVD) HD9696.67.I42 A115 2006 60 minutes Over the past decade, India has emerged as the leader in the global market for white-collar outsourcing jobs a notable component of India's rapid economic growth. This...»

<<  HOME   |    CONTACTS
2016 www.theses.xlibx.info - Theses, dissertations, documentation

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.