
«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»

-- [ Page 17 ] --

• Beware of old versions of programs being confused with the latest version, resulting either in the loss of recent enhancements or in the failure of other systems which depend on recent features.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 10.4.1 Control of operational software; 10.5.1 Change control procedures

–  –  –

Policy 050202 Making Emergency Amendments to Software
Policy 050203 Establishing Ownership for System Enhancements
Policy 050204 Justifying New System Development
Policy 050205 Managing Change Control Procedures
Policy 050206 Separating Systems Development and Operations

–  –  –

SUGGESTED POLICY STATEMENT

“Software developed for or by the organisation must always follow a formalised development process which itself is managed under the project in question. The integrity of the organisation’s operational software code must be safeguarded using a combination of technical access controls and restricted privilege allocation and robust procedures.”

EXPLANATORY NOTES

Unless carefully managed, that which begins as a minor modification to a script can migrate into an informal systems development effort, but with none of the necessary controls and safeguards to protect the live operations of the organisation.

Information Security issues to be considered when implementing your policy include the following:

• Where programmers work as independent units, defective or malicious code could be introduced into the source code with malicious or fraudulent intent, and no one would know until it was too late.

• Software under development can become confused with operational software and potentially disrupt live operations.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.1.5 Separation of development and operational facilities; 10.1.1 Security requirements analysis and specification; 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“Emergency amendments to software are to be discouraged, except in circumstances previously designated by management as 'critical'. Any such amendments must strictly follow agreed change control procedures.”

EXPLANATORY NOTES

The emergency measures that you should adopt if it becomes necessary to amend the live software environment immediately.

Information Security issues to be considered when implementing your policy include the following:

• Emergency conditions can lead to a collapse of agreed procedures with the resultant opportunity for error or malicious activity.

• Rushed changes can result in additional errors / bugs which compound the problem.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“All proposed system enhancements must be business driven and supported by an agreed Business Case. Ownership (and responsibility) for any such enhancements will ultimately rest with the business owner of the system.”

EXPLANATORY NOTES

Ensuring that users recognise and accept their responsibilities for enhancements, which should always be driven by the needs of the business rather than being 'IT led'.

Information Security issues to be considered when implementing your policy include the following:

• System enhancements can be ill-defined, poorly analysed or inadequately tested and, as a consequence, endanger your business operations.

• Where a business case is not developed, or developed poorly, the anticipated benefits from the enhancements may be ill-conceived and hence never materialise.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 4.1.3 Allocation of information security responsibilities

–  –  –

SUGGESTED POLICY STATEMENT

“The development of bespoke software is only to be considered if warranted by a strong Business Case and supported both by management and by adequate resources over the projected lifetime of the resultant project.”

EXPLANATORY NOTES

Developing a system 'from scratch', as opposed to enhancing a present system, represents a major decision, and quite possibly a significant risk. The Business Case for a bespoke development must be very strong indeed to reject the selection of a suitable packaged solution.

Information Security issues to be considered when implementing your policy include the following:

• The risk of failure of a bespoke development can be extremely high and could pose a substantial risk to the business.

• Senior Management support and financial backing can fluctuate - especially in a project lasting more than 12 months. Reduced commitment and support can result in project failure and hence loss.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 4.1.4 Authorisation process for information processing facilities; 10.1.1 Security requirements analysis and specification

–  –  –

SUGGESTED POLICY STATEMENT

“Formal change control procedures must be utilised for all amendments to systems. All changes to programs must be properly authorised and tested in a test environment before moving to the live environment.”

EXPLANATORY NOTES

Change Control ensures that all changes are analysed and authorised. Management of the change control process is used to enforce this requirement.

Information Security issues to be considered when implementing your policy include the following:

• Any amendment to your systems environment can result in Information Security weaknesses which could be exploited to the detriment of business operations.

• Seemingly harmless changes to your business process (e.g. Sales Order Processing) can introduce weaknesses which could damage both this and any associated processes.

• If formal change control procedures are not implemented, it can be very difficult to manage changes on a prioritised basis.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“Management must ensure that proper segregation of duties applies to all areas dealing with systems development, systems operations, or systems administration.”

EXPLANATORY NOTES

Whilst only the larger organisations are likely to have separate Systems Operations and Systems Development sections or departments, it is nevertheless vital to separate these functions. Such a segregation of duties lies at the heart of most Information Security safeguards.

Information Security issues to be considered when implementing your policy include the following:

• Live data or software could be amended or modified by IT staff, either accidentally or for vindictive or fraudulent reasons.

• Test code will often contain 'de-bug' code and possibly other error-trapping routines which impose a substantially higher overhead on the host system.

• Development staff will often operate with powerful privileges which, in an operational environment, would be high risk and hence unacceptable.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.1.4 Segregation of duties; 8.1.5 Separation of development and operational facilities

–  –  –

SUGGESTED POLICY STATEMENT

“Formal change control procedures must be employed for all amendments to systems. All changes to programs must be properly authorised and tested in a test environment before moving to the live environment.”

EXPLANATORY NOTES

The control process to keep system testing separate from live, operational work.

Information Security issues to be considered when implementing your policy include the following:

• The inappropriate introduction of modified software can have potentially disastrous results and bring the organisation to a standstill.

• IT staff who run day-to-day operations and also test new software (possibly swapping from one to the other on the same screen) risk making unintentional errors by inadvertently issuing system commands to the wrong system.

• Testing a system at the same time as it is being used for development work can yield flawed test results and give an inaccurate picture of its readiness for live operations.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.2.2 System acceptance; 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“The use of live data for testing new systems or system changes may only be permitted where adequate controls for the security of the data are in place.”

EXPLANATORY NOTES

Ideally, all testing would utilise only realistic test data, expressly created for the purpose. However, in practice that may not be feasible, and it may be necessary to use a copy of current data files, e.g. the client database. It is imperative that any such 'temporary test data' be treated as live at all times. This is particularly important because test staff tend to have more system privileges than they would in a live (production) environment, and the organisation's usual Information Security procedures are unlikely to be followed.

Information Security issues to be considered when implementing your policy include the following:

• Using live data for testing can severely compromise its confidentiality, possibly even leading to legal action.

• The acquisition of data for testing may breach the Information Security safeguards of your live system which could result in fraud, malicious damage or even legal action if confidentiality is lost.

• Data used for testing can become merged with live data, leading to confusion and potential disruption to your business operations.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 10.4.2 Protection of system test data

–  –  –

SUGGESTED POLICY STATEMENT

“Formal change control procedures must be utilised for all amendments to systems. All changes to programs must be properly authorised and tested in a test environment before moving to the live environment.”

EXPLANATORY NOTES

Employing procedures to ensure that your software programs are fully tested and documented before they are made available for live or operational use.

Information Security issues to be considered when implementing your policy include the following:

• Inadequately tested software can have potentially disastrous results, bringing the organisation to a standstill; for example, by crashing suddenly and corrupting the data files.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.2.2 System acceptance; 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“New systems must undergo capacity, peak-loading and stress testing. They must demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and requirements of the organisation in swiftly implementing e-government.”

EXPLANATORY NOTES

The System Testing process should verify that new or amended systems are able to handle the expected transaction volumes, delivering both acceptable performance and resilience.

Information Security issues to be considered when implementing your policy include the following:

• System Testing based upon data which is not representative of actual volumes and peak loading will give potentially misleading results and may, if migrated to live operations, jeopardise the continued running of your systems.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.2.1 Capacity planning; 8.2.2 System acceptance

–  –  –

SUGGESTED POLICY STATEMENT

“Normal System Testing procedures will incorporate a period of parallel running prior to the new or amended system being acceptable for use in the live environment. The results of parallel running should not reveal problems or difficulties which were not previously passed during User Acceptance Testing.”

EXPLANATORY NOTES

The process of running a new or amended system simultaneously with the old system to confirm that it functions correctly before going live.

Information Security issues to be considered when implementing your policy include the following:

• Despite System Testing and User Acceptance Testing, the performance of your new system can differ unexpectedly from the old system and threaten to delay day-to-day processing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 8.2.2 System acceptance; 10.5.1 Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

“Training is to be provided to users and technical staff in the functionality and operations of all new systems.”

EXPLANATORY NOTES

Ensuring that all users, whether business or technical, are adequately trained in the use of all new and enhanced systems.

Information Security issues to be considered when implementing your policy include the following:

• Where training of both business and technical staff is not viewed as a priority, apparently small problems can escalate due to inadequate knowledge.

• Of particular importance when training staff in new systems is the understanding and application of the information security processes inherent in those systems.

RELATED ISO 17799 AND BS 7799 REFERENCE(S): 6.2.1 Information security education and training

–  –  –

SUGGESTED POLICY STATEMENT


