Securing Information in the Digital Age: Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...

Page 27
Awareness of and vigilance towards possible Information Security breaches is the best way to minimise the intended consequences of an actual Information Security breach. Users must be made aware that Information Security is everybody's responsibility. This must be ingrained into your organisation's culture through awareness sessions, training, and online Information Security intelligence data. This topic looks at the consequences of not reporting an Information Security breach which you witness.

Information Security issues to be considered when implementing your policy include the following:

• By not reporting a potential Information Security breach, a member of staff may be implicated in further investigations, which may lead to your organisation being prosecuted.

• If staff are not aware of the importance of reporting potential information security breaches, then incidents can remain uninvestigated for unacceptable periods.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 6.3.1 Reporting security incidents

–  –  –

SUGGESTED POLICY STATEMENT

"Employees are expected to remain vigilant for possible fraudulent activities."

EXPLANATORY NOTES

Complacency in your organisation over Information Security matters can lead to fraudulent activities going unnoticed. For organisation staff to be aware of such risks, they need to be given pertinent information on a regular basis. This topic looks at ways you can achieve a high level of awareness.

Information Security issues to be considered when implementing your policy include the following:

• A lack of commitment to your Information Security Policies by staff may result in fraudulent activities going unnoticed, resulting in financial loss and / or damage to your organisation's reputation.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 6.2.1 Information security education and training

–  –  –

Policy 130201 Investigating the Cause and Impact of IS Incidents
Policy 130202 Collecting Evidence of an Information Security Breach
Policy 130203 Recording Information Security Breaches
Policy 130204 Responding to Information Security Incidents

–  –  –

SUGGESTED POLICY STATEMENT

"Information Security incidents must be properly investigated by suitably trained and qualified personnel."

EXPLANATORY NOTES

Your investigation into an Information Security incident must identify its cause and appraise its impact on your systems or data. This will assist you in planning how to prevent a reoccurrence.

Information Security issues to be considered when implementing your policy include the following:

• A recurrence of data loss / corruption during a particular phase of processing may be indicative of the inappropriate closure of a prior Information Security incident.

• If the organisation entrusts its information security to untrained and inexperienced personnel, it may incur the risks involved in inadequate responses to reported incidents.

Suitable training should always be provided.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 6.3 Responding to security incidents and malfunctions

–  –  –

SUGGESTED POLICY STATEMENT

"Evidence relating to an Information Security breach must be properly collected and forwarded to the Information Security Officer." Such evidence will not be dismissed due to being in electronic format.

EXPLANATORY NOTES

Evidence of an Information Security breach must be collected to comply with statutory, regulatory or contractual obligations and avoid breaches of criminal or civil law. Advice on specific legal requirements should be sought from the organisation's legal advisers. Legal requirements vary from country to country.

Information Security issues to be considered when implementing your policy include the following:

• Evidence collected for a disciplinary hearing may be too weak to bring disciplinary charges. The threat to security posed by the staff member remains.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 12.1.7 Collection of evidence

–  –  –

SUGGESTED POLICY STATEMENT

"Evidence relating to a suspected Information Security breach must be formally recorded and processed, whether held by traditional means, electronically or otherwise."

EXPLANATORY NOTES

The practice of recording all aspects of Information Security breaches helps organisations develop preventative measures which minimise the likelihood of a recurrence. Such reports must contain a full account of the actions undertaken by staff (and any third parties) who contained the breach. They are also a useful source of feedback for Information Security policies.

Information Security issues to be considered when implementing your policy include the following:

• The lack of a record of the steps taken to contain an Information Security breach may mean that your organisation loses valuable information, which could help to prevent future breaches of Information Security.

• Inadequate procedures for dealing with Information Security breaches may significantly increase potential losses associated with that breach.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 6.3.1 Reporting security incidents

–  –  –

SUGGESTED POLICY STATEMENT

"The Information Security Officer must respond rapidly to all Information Security incidents, liaising and coordinating with colleagues to both gather information and offer advice."

EXPLANATORY NOTES

All Information Security incidents have to be evaluated according to their particular circumstances, and this may, or may not, require various departments to be involved: Technical, Human Resources, Legal and the owners of information (local department heads). If it appears that disciplinary action against a member of staff is required, this must be handled with tact.

Information Security issues to be considered when implementing your policy include the following:

• An inappropriate response to an Information Security incident may result in your organisation being subjected to further incidents, culminating in the loss of business critical services.

• Responses to Information Security incidents should be carried out in accordance with a predefined plan and procedure. If this process is not carefully followed there is the danger that the response will be haphazard and uncoordinated.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 8.1.3 Incident management procedures

–  –  –

SUGGESTED POLICY STATEMENT

"A database of Information Security threats and ‘remedies’ should be created and maintained.

The database should be studied regularly with the anecdotal evidence used to help reduce the risk and frequency of Information Security incidents in the organisation." Where applicable traditional common Law shall apply.

EXPLANATORY NOTES

The best way to stop Information Security breaches from reoccurring is to establish a database of past incidents and their solutions, and update it with reliable (internal and external) information about the latest threats. This topic suggests some sources of this type of information.

Information Security issues to be considered when implementing your policy include the following:

• An inappropriate remedy to resolve an Information Security breach may lead to excessive downtime of a business critical system.

• Information can be gathered from the Internet in respect of Information Security incidents occurring to organisations from all around the globe. Failure to keep abreast of recent developments in this field could result in time being wasted understanding the suspected incident.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 6.3.4 Learning from incidents

–  –  –

Policy 130401 Ensuring the Integrity of IS Incident Investigations
Policy 130402 Analysing IS Incidents Resulting from System Failures
Policy 130403 Breaching Confidentiality
Policy 130404 Establishing Dual Control / Segregation of Duties
Policy 130405 Using Information Security Incident Check Lists

–  –  –

SUGGESTED POLICY STATEMENT

"The use of information systems must be monitored regularly with all unexpected events recorded and investigated. Such systems must also be periodically audited with the combined results and history strengthening the integrity of any subsequent investigations."

EXPLANATORY NOTES

The integrity and reliability of Security Incident investigations is greatly strengthened if your information systems are monitored and audited regularly.

Information Security issues to be considered when implementing your policy include the following:

• A data owner may inadvertently allow modifications of audit trails to be carried out by members of staff, thus hindering Information Security incident investigations.

• It is important that investigations into suspected Information Security incidents are formally recorded. This will ensure that the incident investigation may be audited at a later date.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 9.7.2 Monitoring system use; 12.3.1 System audit controls; 12.3.2 Protection of system audit tools

–  –  –

SUGGESTED POLICY STATEMENT

"Information Security incidents arising from system failures are to be investigated by competent technicians."

EXPLANATORY NOTES

System failures may be the result of malicious activity, but differentiating these failures from hardware or known software bug failures requires experience and expertise.

Information Security issues to be considered when implementing your policy include the following:

• Incomplete analysis of a system failure may not reveal that the failure was due to malicious activity, thus leaving a back door opportunity for future disruption of services.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 8.1.3 Incident management procedures

–  –  –

SUGGESTED POLICY STATEMENT

"Breaches of confidentiality must be reported to the Information Security Officer as soon as possible."

EXPLANATORY NOTES

A breach of confidentiality is usually a disclosure of information. It must be considered an Information Security incident and treated accordingly. This policy considers breaches of confidentiality arising from a breach of an employee's Terms and Conditions and from non-compliance with a Non-Disclosure Agreement.

Information Security issues to be considered when implementing your policy include the following:

• A third party contractor may leak confidential information about your organisation's product to a rival, causing you financial loss.

• An employee may disclose confidential information to a fellow employee, who then makes the information public, to the detriment of the organisation.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 4.2.2 Security requirements in third party contracts; 6.1.3 Confidentiality agreements

–  –  –

SUGGESTED POLICY STATEMENT

"During the investigation of Information Security incidents, dual control and the segregation of duties are to be included in procedures to strengthen the integrity of information and data."

EXPLANATORY NOTES

Dual control and/or segregation of duties can be used to divide the responsibility of the completion of a process into separate, accountable actions, or to safeguard integrity (for example, of an Information Security investigation).

Information Security issues to be considered when implementing your policy include the following:

• An investigation into an Information Security incident may be compromised if a member of staff has access to an audit trail that recorded their actions during the incident.

• Whilst maintaining the required levels of confidentiality concerning potential incidents, at the appropriate time, the investigator should share his suspicions and findings with other responsible officers in affected departments to ensure that proper action can be taken.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 8.1.3 Incident management procedures; 8.1.4 Segregation of duties

–  –  –

SUGGESTED POLICY STATEMENT

"Staff shall be supported by management in any reasonable request for assistance together with practical tools, such as security incident checklists, etc., in order to respond effectively to an Information Security incident."

EXPLANATORY NOTES

Information Security Incident Check Lists are used to verify the basic facts of security breaches and constitute part of the incident report. This topic looks at some of the features they can include.

Information Security issues to be considered when implementing your policy include the following:

• The lack of checklists at the outset of an Information Security investigation may delay implementing remedies, because establishing the basic circumstances of the incident takes an inordinate amount of time.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 8.1.3 Incident management procedures

–  –  –

SUGGESTED POLICY STATEMENT

"Where a risk assessment has identified an abnormally high risk from the threat of electronic eavesdropping and / or espionage activities, all employees will be alerted and reminded of the specific threats and the specific safeguards to be employed."
