
«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»

-- [ Page 5 ] --

SUGGESTED POLICY STATEMENT

“Access control standards for information systems must be established by management and should incorporate the need to balance restrictions to prevent unauthorised access against the need to provide unhindered access to meet business needs.”

EXPLANATORY NOTES

Access control standards are the rules which an organisation applies in order to control access to its information assets. Such standards should always be appropriate to the organisation's business and security needs. The dangers of using inadequate access control standards range from inconvenience to critical loss or corruption of data.

See also Data classification to assess information for its sensitivity levels.

Information Security issues to be considered when implementing your policy include the following:

• The lack of uniform standards controlling the access to information and systems can lead to disparities and weaknesses, which could be exploited for malicious or other reasons.

• Where access control is not modified in response to the enhanced sensitivity of processed information, the risk of a breach to its confidentiality will increase – perhaps substantially.

• Access control standards which are too tight or inflexible can impede the organisation's day-to-day activities and frustrate staff.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

9.1.1 Access control policy
9.2.4 Review of user access rights
9.5.8 Limitation of connection time

–  –  –

SUGGESTED POLICY STATEMENT

“Access to all systems must be authorised by the owner of the system, and such access, including the appropriate access rights (or privileges), must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly.”

EXPLANATORY NOTES

Good management of user access to information systems allows you to implement tight security controls and to identify breaches of Access Control standards.

Information Security issues to be considered when implementing your policy include the following:

• Lack of a managed access control procedure can result in unauthorised access to information systems thereby compromising confidentiality and potentially the integrity of the data.

• Logon screens or banners which supply information about the system prior to successful logon should be removed, as they can assist unauthorised users to gain access. See also Legal Safeguards against Computer Misuse.

• Where regulation and documentation of Access Control has been informal, this can frustrate the re-allocation of duties because there are no records of current access rights and privileges.

• Allocating inappropriate privileges to inexperienced staff can result in accidental errors and processing problems.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Equipment is always to be safeguarded appropriately - especially when left unattended.”

EXPLANATORY NOTES

Computer equipment which is logged on and unattended can present a tempting target for unscrupulous staff or third parties on the premises. However, all measures to make it secure should observe your Access Control Policy.

Information Security issues to be considered when implementing your policy include the following:

• Unauthorised access to an unattended workstation can result in harmful or fraudulent entries, e.g. modification of data, fraudulent e-mail use, etc.

• Access to an unattended workstation could result in damage to the equipment, deletion of data and / or the modification of system / configuration files.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

7.3.1 Clear desk and clear screen policy
9.3.2 Unattended user equipment

–  –  –

SUGGESTED POLICY STATEMENT

“Access to the resources on the network must be strictly controlled to prevent unauthorised access. Access to all computing and information systems and peripherals shall be restricted unless explicitly authorised.”

EXPLANATORY NOTES

Connections to the network (including users' logon) have to be properly managed to ensure that only authorised devices / persons are connected.

Information Security issues to be considered when implementing your policy include the following:

• Unauthorised access to programs or applications could lead to fraudulent transactions or false entries.

• Where physical or logical access has not been controlled, users may find (and exploit) unintentional access routes to systems and network resources. For example: they connect a laptop to a disused wall socket, bypass the login server, and connect directly to the main server.

• Unauthorised external access to your network will usually result in damage, corruption and almost certain loss of confidentiality of corporate information. Such hacks are usually motivated by malicious or fraudulent intent.

• Incomplete or incorrect data in a user's network access profile could result in their being permitted to modify, delete, or have access to, confidential information on inappropriate network resources.

• Modifications made to a network access profile without adequate change control procedures in place could result in unexpected (and probably accidental) access to unauthorised network resources. (See above.)

• User IDs which suggest their privileges (e.g. a User ID of 'allprivs') may invite hackers to try hard to crack their password.

• Connections to a third party network (say, in Business to Business e-Commerce situations) can not only introduce viruses, but can also disrupt business operations where data is inadvertently transmitted into your network.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Access to operating system commands is to be restricted to those persons who are authorised to perform systems administration / management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management.”

EXPLANATORY NOTES

The operating system controls a computer's operations; 'pre-loaded' with it are commands and utilities which set up and maintain the computer's environment. All systems, from PCs to large servers, should be hardened to remove all unnecessary development tools and utilities prior to delivery to end users.

N.B. This policy primarily concerns access to systems running on mature operating systems such as UNIX®, VMS®, MVS®, OS/400® etc.

Information Security issues to be considered when implementing your policy include the following:

• Staff with access to the '$' prompt or command line could succeed in executing system commands which could damage and corrupt your system and data files.

• Operating system commands could be used to disable or circumvent access control and audit log facilities, etc.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines. In particular, passwords shall not be shared with any other person for any reason.”

EXPLANATORY NOTES

Most computer systems are accessed by a combination of User ID and Password. This policy discusses the management of passwords from an administrator's perspective.

Techniques for devising effective passwords and their uses are explained in Choosing Passwords and Use and Best Practice.

Information Security issues to be considered when implementing your policy include the following:

• Password allocation via the System Administrator or other technical staff can compromise access control, and unauthorised access may take place in the interim. This will be an unacceptable risk for highly sensitive systems.

• Passwords that are shared may allow unauthorised access to your information systems.

• Users who need to access multiple systems may keep a handwritten note of the different passwords, e.g. in a diary, especially where they are changed frequently. Such insecure records make an easy target for ill-intentioned persons wishing to break into the system.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

9.2.3 User password management
9.3.1 Password use
9.5.2 Terminal log-on procedures
9.5.3 User identification and authentication
9.5.4 Password management system

–  –  –

SUGGESTED POLICY STATEMENT

“Physical access to high security areas is to be controlled with strong identification and authentication techniques. Staff with authorisation to enter such areas are to be provided with information on the potential security risks involved.”

EXPLANATORY NOTES

Personnel who work in, or have access to, high security areas may be put under pressure to reveal access codes or keys, or to breach security by performing unauthorised / illegal tasks, such as copying confidential information. The organisation should provide adequate information regarding, and safeguards to prevent, such eventualities.

Information Security issues to be considered when implementing your policy include the following:

• A member of staff may be threatened or coerced to disclose confidential access codes / procedures or information about the organisation's systems.

• A member of staff may be threatened or coerced outside the work place to disclose confidential access codes / procedures or information about the organisation's systems.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Access controls are to be set at an appropriate level which minimises information security risks yet also allows the organisation's business activities to be carried out without undue hindrance.”

EXPLANATORY NOTES

Access to systems and their data must be restricted to ensure that information is denied to unauthorised users.

However, inappropriate restrictions could result in individual users being unable to do their job, and cause delays and errors in legitimate data processing. Similarly, excessive privilege could allow an authorised user to damage information systems and files, causing delays and errors.

Information Security issues to be considered when implementing your policy include the following:

• Excessive systems privileges could allow authorised users to modify (or, more likely, corrupt / destroy) the operating system configuration and business software settings with grave results.

• Lack of access restrictions could: 1) allow staff and third parties to modify documents and other data files; 2) risk loss of confidentiality and integrity, and also possible legal action for potential infringements of the Data Protection Act or local equivalent. See also Complying with Legal and Policy Requirements.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Access is to be logged and monitored to identify potential misuse of systems or information.”

EXPLANATORY NOTES

System access must be monitored regularly to thwart attempts at unauthorised access and to confirm that access control standards are effective.

For large networks, or where intrusion would have serious consequences, Intrusion Detection Systems are used.

Information Security issues to be considered when implementing your policy include the following:

• Without frequent monitoring, it is difficult to assess the effectiveness of your access controls. Unauthorised access can remain undetected, enabling knowledge of this 'security hole' to be passed to persons with possible malicious or fraudulent intent. The consequences can be serious.

• Without hard evidence of a security breach, it is difficult to take disciplinary action, and it may be impossible to take legal action.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Access to information and documents is to be carefully controlled, ensuring that only authorised personnel may have access to sensitive information.”

EXPLANATORY NOTES

Controlling access is the way to protect your information and data files.

Information Security issues to be considered when implementing your policy include the following:

• With poor or inadequate access control over your documents and files, information may be copied or modified by unauthorised persons, or become corrupted unintentionally or maliciously.

• Where the access control is seen as overly restrictive, users could be tempted to share privileged accounts (login + password) in order to access information.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

“Access controls for highly sensitive information or high risk systems are to be set in accordance with the value and classification of the information assets being protected.”

EXPLANATORY NOTES

High risk systems require more stringent access control safeguards due to the confidentiality of the information they process and / or the purpose of the system e.g. the funds transfer systems used by banks. Ideally, the operating systems for such systems should be hardened to further enhance security.


