
Securing Information in the Digital Age: Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...

“All new and enhanced systems must be fully supported at all times by comprehensive and up to date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available.”

EXPLANATORY NOTES

Ensuring that new and enhanced systems are adequately documented. All too often, due to budget and other resource limitations, documentation is limited or even omitted entirely. The Information Security threats then become substantial - especially where changes and amendments are required, possibly at short notice for regulatory or other reasons.

Information Security issues to be considered when implementing your policy include the following:

• When a sudden problem occurs on the system, a lack of adequate documentation can greatly increase the risk of serious mishap. 'Fixes' may be based upon staff experience and not supported by the original developer's documentation.

• Missing, out-dated or incomplete documentation can severely compromise the organisation's ability to maintain its software and systems.

• Without documentation it remains possible to perform a peer review of the source code, but its effectiveness is reduced, allowing errors and omissions to slip through into System Testing and perhaps beyond, into User Acceptance Testing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

5.1.1 Inventory of assets
8.6.4 Security of system documentation

–  –  –

SUGGESTED POLICY STATEMENT

“Vendor developed software must meet the User Requirements Specification and minimum interoperability as well as offer appropriate product support.” The expenditure should be justified by a business case, and any duplication of existing systems has to be duly investigated.

EXPLANATORY NOTES

Acquiring software that is provided by outside suppliers, either as a package or as a bespoke development to meet the specific needs of your organisation.

Information Security issues to be considered when implementing your policy include the following:

• The expected features of the software (the 'functionality'), if missing or inadequate, can make it difficult or impossible to meet the targets for the system in question.

• Inadequate support by the vendor can make it difficult, or impossible, to operate the system as expected, thus compromising your business operations.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

4.2.2(n) Security requirements in third party contracts

–  –  –

Policy 060101 Defending Against Premeditated Cyber Crime Attacks
Policy 060102 Minimising the Impact of Cyber Attacks
Policy 060103 Collecting Evidence for Cyber Crime Prosecution
Policy 060104 Defending Against Premeditated Internal Attacks
Policy 060105 Defending Against Opportunistic Cyber Crime Attacks
Policy 060106 Safeguarding Against Malicious Denial of Service Attack

–  –  –

Policy 060108 Handling Hoax Virus Warnings
Policy 060109 Defending Against Virus Attacks
Policy 060110 Responding to Virus Incidents
Policy 060111 Installing Virus Scanning Software

–  –  –

SUGGESTED POLICY STATEMENT

"Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and how to build secure systems which minimise the threats from cyber crime."

EXPLANATORY NOTES

There is a very high risk of external security breaches where network security is inadequate.

Information Security issues to be considered when implementing your policy include the following:

• Criminals may target your organisation's information systems, resulting in serious financial loss and damage to your business operations and reputation.

• Cyber crime is an ever increasing area of concern, and suitable training is to be given to those persons responsible for network security to minimise such risks.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimised and that restoration takes place as quickly as possible."

EXPLANATORY NOTES

Even the most Information Security conscious organisations can be attacked; this may be to 'prove a point' or for other malicious reasons.

Information Security issues to be considered when implementing your policy include the following:

• Successful cyber attacks are likely to result in either a loss or corruption / theft of data, and possibly the disabling of services.

• Cyber crime can have a severe and immediate impact on your systems. Without proper planning for such events your business may not be able to recover within an acceptable timeframe.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

11.1.2 Business continuity and impact analysis

–  –  –

SUGGESTED POLICY STATEMENT

"Perpetrators of cyber crime will be prosecuted by the organisation to the full extent of the law. Suitable procedures are to be developed to ensure the appropriate collection and protection of evidence." Evidence should not be dismissed from a court of law or any legal proceedings on the basis of its being in electronic format.

EXPLANATORY NOTES

In order to prosecute Cyber Crime successfully you need proof. This can be difficult to provide, unless your organisation's information systems have adequate controls and audit capabilities.

Information Security issues to be considered when implementing your policy include the following:

• Lack of a clear trail of evidence when investigating cyber crime may prevent you taking legal action against suspects, and allow the perpetrator(s) to initiate further attacks.

• The security of your information systems may be compromised by the investigations of law enforcement agencies; e.g. in some countries, legislation grants law enforcement agents access to cryptographic keys, or to the unencrypted contents of data previously encrypted.

• The Council of Europe - Draft Convention on Cyber Crime, released in late 2000, proposes even greater investigatory powers.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

12.1.7 Collection of evidence

–  –  –

SUGGESTED POLICY STATEMENT

"In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst maintained at all times."

EXPLANATORY NOTES

Identifying staff actions as criminal is beset with difficulties.

Access to confidential data may be legitimised by employees' job descriptions. The act of copying sensitive data may not necessarily leave a 'footprint' on the system, and such copies can then be exported from your organisation by e-mail or by removable media without leaving a trace. The effects of outright malicious data destruction are obvious, but the system actions used to carry it out may have appeared entirely routine.

Information Security issues to be considered when implementing your policy include the following:

• A member of staff may target confidential information, or deface the organisation's web site, which could result in both financial loss and embarrassment (and possibly legal proceedings).

• The principal means of building defences against internal malicious attacks include strong access control, high levels of staff awareness and vigilance.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

9.1.1 Access control policy
9.6.1 Information access restriction
9.7.2 Monitoring system use

–  –  –

SUGGESTED POLICY STATEMENT

"It is a priority to minimise the opportunities for cyber crime attacks on the organisation's systems and information through a combination of technical access controls and robust procedures."

EXPLANATORY NOTES

Opportunistic criminal attacks usually arise from chance discovery of a loophole in the system, which permits access to unauthorised information.

Information Security issues to be considered when implementing your policy include the following:

• Your Web site or data processing systems may be penetrated, allowing both the disclosure of sensitive information and also possibly the modification or corruption of the data. All such events can lead to public embarrassment and financial loss.

• Without an effective risk management process, it may be impossible to identify weak security defences before they are breached.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Contingency plans for a denial of service attack are to be maintained and periodically tested to ensure adequacy."

EXPLANATORY NOTES

Denial of Service (DoS) attacks have gained notoriety as being an effective way to disable Web based services. See Denial of Service for an explanation of the techniques used and their consequences.

Information Security issues to be considered when implementing your policy include the following:

• Your Web server(s) may be subjected to a DoS attack, which could result in damage to your organisation's reputation and also financial loss.

• If the responsible officials nominated to handle potential DoS attacks are not properly trained, then normal service is unlikely to be restored within an acceptable period.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

8.1.3(a) Incident management procedures
9.4 Network access control

–  –  –

SUGGESTED POLICY STATEMENT

"Risks to the organisation's systems and information are to be minimised by fostering staff awareness, encouraging staff vigilance, and deploying appropriate protective systems and devices."

EXPLANATORY NOTES

Unlike other forms of Cyber Crime, these attacks take a 'scatter gun' approach, in that they do not target a specific organisation. If you happen to be 'in the firing line', and your Information Security safeguards are poor, you are likely to be hit.

Such attacks may take the form of time, stealth and logic bombs, e-mail attachments carrying malicious code, and Trojan Horses.

Information Security issues to be considered when implementing your policy include the following:

• Malicious code which can replicate itself may be downloaded unwittingly and executed. Having damaged your system, it can continue to wreak havoc with the systems of other organisations and individuals.

• E-mail may contain malicious code, which may replicate itself to all addresses within your organisation's e-mail system, and then corrupt the system of each recipient, without the attachment even having been opened.

N.B. Such replication is not restricted to your organisation's network, it can spread to those of your clients and suppliers; possibly destroying your reputation and business.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

5.1 Accountability for assets
6.1.1 Including security in job responsibilities
6.2.1 Information security education and training
9.4 Network access control

–  –  –

SUGGESTED POLICY STATEMENT

"Procedures to deal with hoax virus warnings are to be implemented and maintained."

EXPLANATORY NOTES

Threats from viruses are well known throughout the IT community. Hoax threats - the spreading of rumours of fictitious viruses or other malicious code - can waste time, as staff attempt to locate a virus which does not exist.

Vigilance and good virus intelligence warnings are the key to minimising the impact of hoaxes.

Information Security issues to be considered when implementing your policy include the following:

• If no one in your organisation is responsible for managing virus alerts, a genuine threat may be misconstrued as a hoax. This could jeopardise Information Security, since new virus variants may have no effective vaccine.

• Hoax threats can deflect attention from the threat from genuine viruses and other malicious code, increasing your susceptibility to 'infection'.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

4.1.3 Allocation of information security responsibilities
8.3.1 Controls against malicious software

–  –  –

SUGGESTED POLICY STATEMENT

"Without exception, Anti Virus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers."

EXPLANATORY NOTES

Virus infection can be minimised by deploying proven anti-virus software and regularly updating the associated vaccine files. Many anti-virus companies supply such updates from their Web sites.

Information Security issues to be considered when implementing your policy include the following:

• Where no agreed response plan is in place, the reactions of users, IT and management are likely to be ad hoc and inadequate, thus possibly turning a containable incident into a significant problem.

• Lack of an agreed standard or inconsistent deployment of anti-virus software can seriously increase the risk of infection, spread and damage.
