
Securing Information in the Digital Age: Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...


Information Security issues to be considered when implementing your policy include the following:

• Access to a critical system from a workstation external to its designated business area can threaten its integrity and safety.

• Access control, both physical and logical, should be measurably higher than for other systems.

• Dual control and segregation of duties should be considered for all functions.

• Privileges should be reduced to the lowest level needed to reasonably perform the job concerned.

• Personnel should be carefully selected with their records vetted for suitability for such jobs.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 9.6.2 Sensitive system isolation

–  –  –

SUGGESTED POLICY STATEMENT

“Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques.”

EXPLANATORY NOTES

Remote users, whether tele-workers or personnel on business trips etc., may need to communicate directly with their organisation's systems to receive / send data and updates.

Such users are physically remote, and they will often be connecting through public (insecure) networks.

This increases the threat of unauthorised access.

Information Security issues to be considered when implementing your policy include the following:

• The use of a User ID and password as the sole means of access control may provide inadequate security for access to the organisation's systems, especially where telephone dial-up access is permitted.

• Remote access may be denied to authorised users, causing a denial of service and also signalling that access control may have been compromised internally.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 9.4.3 User authentication for external connections

–  –  –

Sub-Chapter 02 System Operations and Administration
Sub-Chapter 03 E-mail and the Worldwide Web
Sub-Chapter 04 Telephones & Fax
Sub-Chapter 05 Data Management
Sub-Chapter 06 Backup, Recovery and Archiving
Sub-Chapter 07 Document Handling
Sub-Chapter 08 Securing Data
Sub-Chapter 09 Other Information Handling and Processing

–  –  –

Policy 030101 Configuring Networks
Policy 030102 Managing the Network
Policy 030103 Accessing your Network Remotely
Policy 030104 Defending your Network Information from Malicious Attack

–  –  –

SUGGESTED POLICY STATEMENT

"The network must be designed and configured to deliver high performance and reliability to meet the needs of the organisation whilst providing a high degree of access control and a range of adequate privilege restrictions."

EXPLANATORY NOTES

The configuration of your network impacts directly on its performance and affects its stability and Information Security.

Information Security issues to be considered when implementing your policy include the following:

• Poor network stability can threaten your business operations.

• Inadequate control over access to your network can jeopardise the confidentiality and integrity of your data.

• Slow or inadequate system response times impede business processing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Suitably qualified staff are to manage the organisation's network, and preserve its integrity in collaboration with the nominated individual system owners."

EXPLANATORY NOTES

All but the smallest networks, where changes are relatively infrequent, require ongoing management.

Information Security issues to be considered when implementing your policy include the following:

• Inappropriate control over access to the network will threaten the confidentiality and integrity of your data.

• Inadequate capacity can make efficient operation difficult or impossible.

• Slow or inadequate system response times impede business processing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Remote access to the organisation’s network and resources will only be permitted providing that authorised users are authenticated, data is encrypted across the network, and privileges are restricted."

EXPLANATORY NOTES

This policy concerns the means by which your information systems network may be accessed from an external source.

Remote access was traditionally provided by means of dial-up or leased phone lines. Today, however, the Virtual Private Network (VPN) provides access across public networks, e.g. the Internet.

Information Security issues to be considered when implementing your policy include the following:

• Inadequate Internet Security safeguards can allow unauthorised access to your network, with potentially disastrous consequences.

• Weak dial-in security standards can give unauthorised access to your network, the consequences of which could be very serious.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 9.4.3 User authentication for external connections

–  –  –

SUGGESTED POLICY STATEMENT

"System hardware, operating and application software, the networks and communication systems must all be adequately configured and safeguarded against both physical attack and unauthorised network intrusion."

EXPLANATORY NOTES

This policy concerns the measures taken to defend your computer hardware against physical damage, and your software from unauthorised usage.

Information Security issues to be considered when implementing your policy include the following:

• Your hardware can be physically damaged through a malicious act, perhaps necessitating a system shutdown or delayed operations.

• Unauthorised and inappropriate use of your software can lead to malicious and / or fraudulent amendment of your records.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 8.3.1 Controls against malicious software

–  –  –

Policy 030201 Appointing System Administrators
Policy 030202 Administrating Systems
Policy 030203 Controlling Data Distribution
Policy 030204 Permitting Third Party Access
Policy 030205 Managing Electronic Keys
Policy 030206 Managing System Operations and System Administration
Policy 030207 Managing System Documentation

–  –  –

Policy 030209 Scheduling Systems Operations
Policy 030210 Scheduling Changes to Routine Systems Operations
Policy 030211 Monitoring Operational Audit Logs
Policy 030212 Synchronising System Clocks
Policy 030213 Responding to System Faults
Policy 030214 Managing or Using Transaction / Processing Reports
Policy 030215 Commissioning Facilities Management - FM

–  –  –

SUGGESTED POLICY STATEMENT

"The organisation's systems are to be managed by a suitably qualified systems administrator who is responsible for overseeing the day to day running and security of the systems."

EXPLANATORY NOTES

The System Administrator is responsible for overseeing the day-to-day running of a computer system.

This usually entails ensuring that the computer system is available and appropriately configured to perform required tasks, rather than 'hands-on' production. System administration necessarily involves a substantial amount of security-related work. In larger organisations this function can be undertaken by a separate Security Administrator, who is part of the Security Officer's team.

Information Security issues to be considered when implementing your policy include the following:

• A System Administrator who lacks the relevant knowledge, experience, and training may make errors which cost the organisation dearly.

• The high degree of discretion inherent in the System Administrator's job in itself poses a security threat.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 4.1.3 Allocation of information security responsibilities

–  –  –

SUGGESTED POLICY STATEMENT

"System Administrators must be fully trained and have adequate experience in the wide range of systems and platforms used by the organisation. In addition, they must be knowledgeable and conversant with the range of Information Security risks which need to be managed."

EXPLANATORY NOTES

A System Administrator is often in a powerful position because they normally set the user access criteria for all systems. This raises a range of Information Security issues. The System Administrator must receive an adequate level of training on the system within their area of responsibility. The System Administrator must also be familiar with the Information Security risks associated with the system administration function.

Information Security issues to be considered when implementing your policy include the following:

• Any system or network changes implemented by the System Administrator are likely to be far-reaching; errors can threaten the entire network's operation.

• Running both live systems and test / development systems on the same computer is extremely dangerous because a program crash on the test system could impact the live (production) environment.

• Employees with a grievance pose a serious risk because they know what information of value exists and they may be able to circumvent security controls.

• Where users' access rights and privileges are not documented, Information Security may be compromised.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 4.1.3 Allocation of information security responsibilities

–  –  –

SUGGESTED POLICY STATEMENT

"For authorised personnel, the appropriate data and information must be made available as and when required; for all other persons, access to such data and information is prohibited with appropriate technical control required to supplement the enforcement of this policy."

EXPLANATORY NOTES

This policy concerns ensuring that your organisation's data and information are neither divulged nor accessible to unauthorised persons.

Information Security issues to be considered when implementing your policy include the following:

• Sensitive information, not classified as such, is at risk of being divulged inappropriately.

• The practice of making multiple copies of an original file (e.g. because several people need it) may jeopardise its reliability and integrity and cast doubt on the validity of all associated and subsequent work. Longer term, this reflects poorly on the integrity of your organisation as a whole.

• Staff who are frustrated because they cannot access data relevant to their jobs may be tempted to convey this frustration to your customers. This can damage your business.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Third party access to organisational information is only permitted where the information in question has been ‘ring fenced’ and the risk of possible unauthorised access is considered to be negligible."

EXPLANATORY NOTES

This policy concerns allowing persons external to your organisation access to your systems and data.

Information Security issues to be considered when implementing your policy include the following:

• Permitting access by a third party can not only compromise the confidentiality of your information, but can also result in loss of data validity and integrity. All threats associated with remote access also apply here.

• Ambiguous or inappropriate data may be released to third parties, resulting in possible confusion and / or reduced business confidence in your organisation and its products / services.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 4.2.1 Identification of risks from third party access

–  –  –

SUGGESTED POLICY STATEMENT

"The management of electronic keys to control both the encryption and decryption of sensitive messages must be performed under dual control, with duties being rotated between staff."

EXPLANATORY NOTES

Electronic keys are used to encrypt and decrypt messages sent between two or more parties. Usually such cryptographic techniques will be used where the transmission circuits run across non-secure lines.

The management of the electronic keys is a critical aspect of implementing a Public Key Infrastructure solution.

Information Security issues to be considered when implementing your policy include the following:

• If your private key becomes compromised, forged messages could be sent that appear to be authenticated by your organisation. Such security breaches could result in substantial fraud.

• If you fail to manage the keys of the various senders of encrypted data, you may be unable to decrypt an incoming message, with potentially costly delays.

RELATED ISO 17799 AND BS 7799 REFERENCE(S) 10.3.1 Policy on the use of cryptographic controls 10.3.5 Key management

–  –  –

SUGGESTED POLICY STATEMENT

"The organisation's systems must be operated and administered using documented procedures in a manner which is both efficient and effective in protecting the organisation's information security."

EXPLANATORY NOTES

This policy concerns the means by which your IT systems are run and maintained on a day-to-day basis.
