
«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»

-- [ Page 7 ] --

Information Security issues to be considered when implementing your policy include the following:

• A failure to establish robust and appropriately scheduled routines can lead to poor reliability and systems disruption.

• All systems are likely to experience periodic problems which must be handled appropriately, or a relatively minor problem could escalate into a major incident.

• Operational shortcuts can lead to processing errors and reduce effectiveness of safeguards.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"System documentation is a requirement for all the organisation’s information systems. Such documentation must be kept up-to-date and be available."

EXPLANATORY NOTES

The management of the documentation provided for the operation and maintenance of your systems.

Information Security issues to be considered when implementing your policy include the following:

• Missing or inadequate technical documentation, especially with older 'in house' systems, will usually result in operational difficulties and substantially increased systems analysis effort. In such cases:

1) You are likely to be totally dependent on a few key staff.

2) You cannot validate proposed technical changes.

3) You have no effective way to train support staff.

• Out-of-date documentation can result in severe operational or maintenance difficulties.

• If documentation is 'merely' inaccessible, the purchase or development of replacement documentation is unlikely to be a priority. However, the risks are similar to having missing or inadequate documentation.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

8.6.4 Security of system documentation
10.5.1 (h) Change control procedures

–  –  –

SUGGESTED POLICY STATEMENT

"Error logs must be properly reviewed and managed by qualified staff."

EXPLANATORY NOTES

Error logs, the reports produced by your system relating to errors or inconsistencies that have arisen during processing, are important sources of information for ensuring proper use of the system.

Information Security issues to be considered when implementing your policy include the following:

• Error log entries may be concealed, due to attempted system intrusion / break in, or someone trying to 'cover their tracks', possibly after a series of errors arising from negligence.

• A failure to review error logs regularly from each production system can jeopardise the safe and efficient running of your systems.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Systems Operations schedules are to be formally planned, authorised and documented."

EXPLANATORY NOTES

Whilst many systems appear to 'run themselves', e.g. the Web server or the file server, many systems require a combination of routine maintenance and processing 'runs' or 'batch jobs'. Especially where interfaces have been developed which require the export from one system to become the import to another system, detailed scheduling is required to avoid processing 'snarl ups'.

Information Security issues to be considered when implementing your policy include the following:

• If jobs are not planned and scheduled properly, updates and processing may fail or only partially complete.

• Unauthorised / Unscheduled system processing can result in errors, failure and / or fraud.

• Resource contention can cause delays or errors in your processing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

8.1.1 Documented operating procedures

–  –  –

SUGGESTED POLICY STATEMENT

"Changes to routine systems operations are to be fully tested and approved before being implemented."

EXPLANATORY NOTES

Alterations that require changes to your routine computer systems operations introduce risk. Such changes are likely to be necessitated by enhancements to your hardware or software, or may simply be a reflection of revised schedules, possibly called for by your users.

Information Security issues to be considered when implementing your policy include the following:

• Any change to your Systems Operations Schedule introduces risk. The outcome can be anything from a minor error, to a failed job with all those jobs reliant upon it potentially also failing.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

8.1.2 Operational change control

–  –  –

SUGGESTED POLICY STATEMENT

"Operational audit logs are to be reviewed regularly by trained staff and discrepancies reported to the owner of the information system."

EXPLANATORY NOTES

The files written by your system(s) containing details of the changes made to your records, and to your operational environment, require close monitoring.
Information Security issues to be considered when implementing your policy include the following:

• Audit Logs may be inoperative or 'de-selected', in order to conceal present or future unauthorised systems activities.

• Accidental loss of Audit Logs removes your audit trail, and hence may leave you unable to determine the source of a problem.

• Audit logs may not be taken seriously by Systems Operations staff or other operational staff, and may not be reviewed regularly.

• Audit logs may not be viewed by staff who understand the significance of the error messages.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"System clocks must be synchronised regularly, especially between the organisation's various processing platforms."

EXPLANATORY NOTES

The need to ensure that, where time-related information is held within your systems, it is adjusted for your own time zone. Most computer clocks tend to vary in their accuracy, but this should not be significant. However, if these differences become material, then this may have security implications for your organisation, especially where transaction timing is crucial.

Information Security issues to be considered when implementing your policy include the following:

• If there is a significant difference between system time and actual time, your computer's scheduled tasks may malfunction.

• Manipulating 'system time' may enable fraud to be perpetrated.

• Significant 'time stamp' errors in Error and Audit Logs can invalidate the contents of the log. This can be crucial when investigating security incidents on your system(s). See Collecting Evidence of an Information Security Breach.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Only qualified and authorised staff or approved third party technicians may repair information system hardware faults."

EXPLANATORY NOTES

Responding to problems that may impact on your system, making accurate and timely processing difficult. See also Recording and Reporting Hardware Faults.

Information Security issues to be considered when implementing your policy include the following:

• Naïve but well-intentioned attempts to solve an apparently 'simple' problem can inadvertently magnify it, so that information access or processing is restricted or totally prevented.

• Resolving the problem can take longer, and can be more complex than anticipated, delaying processing and on-line information access throughout the organisation.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"Transaction and processing reports should be regularly reviewed by properly trained and qualified staff."

EXPLANATORY NOTES

The primary systems of your organisation, e.g. the accounting system and transaction processing systems, should each allow the production of a frequent report, usually daily, which shows the entries processed for the period in question. Such reports should be either printed automatically, or be available 'on line'.

Information Security issues to be considered when implementing your policy include the following:

• A lack of procedures, or low-priority procedures, for agreeing transaction logs will increase the opportunity for undetected entries and fraud.

• Unauthorised amendment to the Transaction Processing Reports could conceal a fraud.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

10.2.2 Control of internal processing

–  –  –

SUGGESTED POLICY STATEMENT

"Any Facilities Management company must be able to demonstrate compliance with this organisation’s Information Security Policies and also provide a Service Level Agreement which documents the performance expected and the remedies available in case of non compliance."

EXPLANATORY NOTES

The commissioning of an outside organisation to run your IT systems.

Information Security issues to be considered when implementing your policy include the following:

• Poor or inadequate service delivered by the FM company can result in disruption to your business operations.

• The risk of compromise to the confidentiality of sensitive information is heightened by outsourcing.

• Inadequate provisions for compliance with legal or statutory requirements, e.g. Data Protection, can jeopardise the integrity of your business operations.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

Policy 030301 Downloading Files and Information from the Internet
Policy 030302 Using and Receiving Digital Signatures
Policy 030303 Sending Electronic Mail (E-mail)
Policy 030304 Receiving Electronic Mail (E-mail)
Policy 030305 Retaining or Deleting Electronic Mail
Policy 030306 Setting up Intranet Access
Policy 030307 Setting up Extranet Access
Policy 030308 Setting up Internet Access

–  –  –

Policy 030310 Receiving Misdirected Information by E-mail
Policy 030311 Forwarding E-mail
Policy 030312 Using Internet for Work Purposes
Policy 030313 Giving Information when Ordering Goods on Internet
Policy 030314 'Out of the Box' Web Browser Issues
Policy 030315 Using Internet 'Search Engines'
Policy 030316 Maintaining your Web Site
Policy 030317 Filtering Inappropriate Material from the Internet
Policy 030318 Certainty of File Origin

–  –  –

SUGGESTED POLICY STATEMENT

"Great care must be taken when downloading information and files from the Internet to safeguard against both malicious code and also inappropriate, illegal and harmful material."

EXPLANATORY NOTES

There are significant Information Security risks when you download any files (including graphics files of any format), programs, or scripts, etc from the Internet.

Information Security issues to be considered when implementing your policy include the following:

• In the process of downloading applications (programs) from the Internet to your PC, you may receive a virus or other malicious code which infects your system. This can have extremely serious consequences.

• Downloaded software is likely to require licensing or you run the risk of legal action from the supplier. See Software Licensing.

• Information on the Internet may be inaccurate, invalid, or deliberately misleading, and any decisions based upon it must be subject to close scrutiny.

• Abuse of your organisation's Internet access can overload your network and increase the risk of systems failure due to contention.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

8.3.1(b) Controls against malicious software
9.1.1 Access control policy

–  –  –

SUGGESTED POLICY STATEMENT

"The transmission of sensitive and confidential data is to be authenticated by the use of digital signatures whenever possible."

EXPLANATORY NOTES

The option of using Digital Signatures in electronic mail sent over the Internet provides a means of introducing a high degree of security to an otherwise insecure medium.

Information Security issues to be considered when implementing your policy include the following:

• An e-mail with important contents, and 'signed' with a Digital Signature may still not be acted upon by the recipient, resulting in possible delays and loss to your organisation.

• Important electronic mail communications may not be authenticated and can result in unauthorised instructions being issued.

RELATED ISO 17799 AND BS 7799 REFERENCE(S)

–  –  –

SUGGESTED POLICY STATEMENT

"E-mail should only be used for business purposes, using terms which are consistent with other forms of business communication. The attachment of data files to an e-mail is only permitted after confirming the classification of the information being sent and then having scanned and verified the file for the possibility of a virus or other malicious code."

EXPLANATORY NOTES


