ICA11 - Student Manual Sample.pub

Post on 06-Aug-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: ICA11 - Student Manual Sample.pub · Web viewAs we live in a ‘global economy’, many businesses or organisations deal regularly with customers or suppliers in other countries

PROTECTING AND SECURING INFORMATION ASSETS 5

PROTECTING AND SECURING INFORMATION ASSETS

Section Learning Objectives Page 6
Section Introduction Page 6
Types of Information Assets Page 7
Standards Relating to Information Security Page 9
Information Owner, Custodian of Information and Information User Page 10
Information Asset Profiling Page 13
Threats to the Security of Information Assets Page 15
How to Secure and Protect Information Assets Page 16
Monitoring and Audit Trails Page 24
Work Areas Page 25
Contingency Plans Page 26
Reporting and Responding to Incidents Page 28
Section Summary Page 29


WHAT OUTCOME CAN YOU EXPECT FROM THIS SECTION?

In this section we will be reviewing what information assets are, as well as the importance of protecting and securing those assets.

SECTION LEARNING OBJECTIVES

On completion of this section you will have an understanding about:

♦ The various types of information assets
♦ Standards associated with the security of information assets
♦ Owners, custodians and users of information assets
♦ Asset profiling and the threats to information assets
♦ How to protect information assets and monitor the security
♦ Keeping a ‘clean’ workplace
♦ Contingency planning and reporting of incidents

SECTION INTRODUCTION

In this digital information age, computers have been instrumental in developing and processing information far quicker than was possible in the past.

Businesses and other types of organisations today rely heavily on this information, which would include:

♦ Financial/legal information
♦ Employee records
♦ Customer/marketing information
♦ Product/design information

... and much more.

Of course, such information is quite valuable to the business/organisation and would be considered an asset requiring protection.

In this section we look at why information assets should be protected and how.


TYPES OF INFORMATION ASSETS

We first must define what an ‘information asset’ is.

An ‘Information Asset’ is a definable piece of information, stored in any manner, which is recognised as ‘valuable’ to the organisation. The information which comprises an information asset may be little more than a customer’s name and address file, or it may be the marketing strategies and plans for the release of a newly developed product.

Generally, information assets have one or more of the following characteristics:

♦ They are recognised to be of value to the organisation.
♦ They are not easily replaceable without cost, skill, time, resources or a combination of these.
♦ They form a part of the organisation's corporate structure, without which the organisation may be threatened.
♦ They would be classed as being proprietary and/or highly confidential.


EXAMPLES OF ORGANISATIONAL INFORMATION ASSETS

We now know that any information that a business or organisation has created, developed and uses in its operation, is likely to be deemed an information asset. Some examples of such information assets are listed below:

♦ Financial – accounts, banking information, asset registers, receivables/payables, loans, reports, etc.
♦ Legal – contracts, agreements, patents, copyrights, court documents, risk management, etc.
♦ Employee – employee details, job descriptions, employee agreements, payments, leave details, resumes, training records, disciplinary records, etc.
♦ Human Resources – recruitment policies and procedures, training plans, payroll documents, employee/management security checks, benefits plans, etc.
♦ Customer – customer details, purchase history, payments history, supply agreements, correspondence, etc.
♦ Marketing – strategy documents, marketing plans, advertisement material designs, packaging designs, pricing strategies, competitive intelligence, sales structure, multimedia presentations/materials, etc.
♦ Supply Chain – service agreements, supply agreements, goods acquisition plans, inventories and inventory control, etc.
♦ Product – designs, production drawings, development plans, production costs, specifications, engineering reports, testing reports, etc.
♦ Production – machine/equipment manuals, maintenance reports, warranty and service agreements, training details, tooling designs, etc.
♦ Systems – system details, user manuals, support procedures, training details, software code, backups, website design, email archives, etc.
♦ Electronic Library – scanned articles, product pamphlets, scanned research papers, newspaper articles, etc.

The above list is only a sampling of what could be classed as information assets in a particular organisation. The type of business/organisation, its activities and its size will have a huge bearing on the types of information assets it holds.

What is not considered an ‘information asset’ is anything deemed to be ‘information technology’, which would include:

♦ Hardware and software
♦ Software development tools
♦ Software licences

Simply put, if the item, whether it is software or hardware, is used to store, access and/or manipulate ‘information assets’, then it is classed as ‘information technology’.

Copyright 2011


STANDARDS RELATING TO INFORMATION SECURITY

As we live in a ‘global economy’, many businesses or organisations deal regularly with customers or suppliers in other countries.

To ensure the high quality of products and services, an international ‘standards’ body was established.

This body (International Standards Organisation or ‘ISO’) has developed minimum standards for businesses around the world to follow.

Although the adherence to these standards is voluntary, persons, businesses and/or organisations that do follow and adhere to these standards provide those they deal with the confidence that they are offering high quality products and services.

The standard ‘ISO 27002:2005’ establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation. The objectives outlined provide general guidance on the commonly accepted goals of information security management in the following areas of information security management:

♦ security policy
♦ organisation of information security
♦ information asset management
♦ human resources security
♦ physical and environmental security
♦ communications and operations management
♦ access control
♦ information systems acquisition, development and maintenance
♦ information security incident management
♦ business continuity management
♦ compliance

Those implementing the information asset security principles outlined in the standard provide confidence to others dealing with the organisation that any exchange of information, especially the type considered confidential and/or sensitive, is being securely protected.


INFORMATION OWNER, CUSTODIAN OF INFORMATION AND INFORMATION USER

There are three main stakeholders that are key participants in the security of an organisation’s information assets.

They are:

♦ The information ‘Owner’
♦ The ‘Custodian’ of the information
♦ The ‘User’ of the information

Who these people are and what role they play in ensuring information security, wholly depends on the type and size of the organisation.

First we define each role.

Information Owner – this is the creator of the information, or the person who initiates the creation and storage of the information. The owner is the person who determines how valuable the information is to the business/organisation and in some cases is asked to place a monetary value on the information.

Information Custodian – this is the person or department that has been given the information by the owner to store, protect and allow access, based on who the owner believes should have such access. In larger organisations it is usually the IT department that is given the role of information custodian.

Information User – as the term implies, the information user is allowed access to the information by the owner through the custodian, based on what level of access the owner sees fit. The user could be internal staff or external clients, or a combination of both, depending on the type of information.


EXAMPLES

In a small business, the information owner and the custodian are likely to be the same person and also one of the users. Also, the user may be one or more employees and/or an outside service provider, such as an accountant or bookkeeper.

In a large organisation/business the owner could be an actual department, such as a sales department, with the head of that department responsible for the information. The custodian would be the IT department, providing information storage and restricted access based on the department’s stated policies and procedures. The users could be, at one level, sales personnel; at the next level, the sales manager; and at the highest level, the company executives.


VARIABLES

Let’s consider an organisation’s customer database as an information asset. The security requirements for the asset have been developed by the owners and have been implemented through controls applied at the server level by custodians. Under the custodial control of the information technology (IT) department, the asset is adequately protected. However, suppose a user has access rights that allow him/her to download a portion of the customer database to his/her laptop to review customer sales history.

The information asset (or a portion of it) now resides outside of the IT department’s secure server. In essence, the user, as the manager of that laptop, is temporarily also a custodian. Custodians are generally required to provide due care over the information asset while it is in their possession. Thus, the user should ensure that he/she protects this information asset as well as, or better than, it was protected at the server from which he/she received it. If the user cannot, the owner of the information asset should deny him/her access to it, or deny him/her the privilege of acting as a custodian for the information.

Another variable is that the user may, with the permission of the owner, access and modify the information.

Using again the example of the customer database, a sales person may have secured a new customer and this is added to the customer database. This does not mean that he/she is now ‘part owner’ of the information asset.

What it does mean, is that the owner has provided permission to modify the information asset, based on certain policies and procedures.


INFORMATION ASSET PROFILING

The first step in securing and protecting information assets is to determine what information assets the organisation possesses.

Not only is it necessary to identify what information assets there are, but also how important each information asset is to the organisation.

This is called ‘Information Asset Profiling’ or ‘IAP’.

Some information assets, if lost or damaged, may cause disruption and minor costs to the organisation, whereas if this occurs with other information assets, it could have the potential of crippling the organisation to the point of shutting down.

In larger organisations, the IAP process is part of the organisation’s overall risk management plan.

A ‘profile’ is a representation of an information asset describing its unique features, qualities, characteristics and value. The profiling process is to ensure that an asset is clearly described, including the boundaries of the asset, meaning by whom and how this information is accessed.

This is the start of determining the security requirements for each asset and the profile for each asset forms the basis for the identification of threats and risks in subsequent steps.


THE SIX STEPS OF IAP

There are six common steps to the IAP process. These are:

1) Capturing background information – this refers to the person(s) involved in the process and what role each has in the IAP process. This would include the date the process started and when it was completed.

2) Define the information asset – we touched on this previously and as a review the definition would include its unique features, qualities, characteristics and value.

3) Identify the asset owner – without a known asset owner it is difficult to determine the asset value, risk profile and threats.

4) Identify the ‘containers’ – a ‘container’ is a term used to describe how the information asset is stored. Some examples of containers are servers, personal computers, backup mediums, PDAs, external systems and so on.

5) Identify the security requirements – this would include confidentiality, integrity (meaning it is not to be modified/changed) and availability (meaning who is allowed access and when). This step needs a lot of consideration.

6) Determine the asset valuation – this would include both a tangible value and the intangible value of the asset. Tangible valuations may refer to the cost to develop or create, as well as replacement costs. However the most important value is the intangible one, meaning if the asset was lost, what effect it would have on the organisation.


THREATS TO THE SECURITY OF INFORMATION ASSETS

Organisations and businesses are often encouraged to do a risk assessment specific to their information assets.

There are common ‘threat’ categories that most organisations/businesses would need to consider when doing their risk assessment.

They are:

Human threats through technical avenues - The threats in this category represent threats to the information asset via the organisation’s technical infrastructure or by direct access to a ‘container’ (technical asset) that hosts an information asset. They require direct action by a person and can be deliberate, or accidental in nature.

Human threats using physical access - The threats in this category represent threats to the information asset that result from physical access to the asset or a container that hosts an information asset. They require direct action by a person and can be deliberate or accidental in nature.

Technical problems - The threats in this category are problems with an organisation’s information technology and systems. Examples include hardware defects, software defects, malicious code (e.g., viruses), and other system-related problems.

Other problems - The threats in this category are problems or situations that are outside the control of an organisation. This category of threats includes natural disasters (e.g., floods, earthquakes) and interdependency risks. Interdependency risks include the unavailability of critical services (e.g., power supply).

Determining threats would most likely require a team (one member being the information owner) to brainstorm through each threat category and determine as many threat scenarios as possible. A common practice is to develop ‘worksheets’; the filled-in worksheets are then used as the basis for developing security and protection policies and procedures.


HOW TO SECURE AND PROTECT INFORMATION ASSETS

On the previous pages we looked at some of the common threat categories to which most organisations or businesses, at some level, would be exposed.

We now look at some common methods and strategies that can be used to secure and protect information assets.

POLICIES AND PROCEDURES

The first and most simple method is to develop a ‘policy and procedure manual’ that outlines in clear and concise language the policies associated with accessing and using the organisation’s information assets and also any procedures that are in place relating to the access and use of information assets.

Although from a technical point of view this is not the most secure method of protecting an organisation’s information assets, it does go a long way in communicating the importance the organisation has placed on its information assets and describing what it has in place to protect those assets.

Many organisations or businesses use these manuals as an induction tool and it is common to have a new employee sign a document stating that he/she fully understands the policies and procedures relating to information assets, including the allowed use and confidentiality of the information.


USERNAMES AND PASSWORDS

The use of ‘Usernames’ and ‘Passwords’ is one of the most common methods of securing and protecting information assets.

Based on information asset profiling and classifications, the organisation/business will often come up with predetermined ‘access privilege’ policies.

Access privileges refer to ‘who’ can access ‘what’ information asset and to ‘what extent’ these persons are allowed to use the information.

For example a Financial Director or Chief Executive Officer of a large business will generally have access to all information assets relating to financial information and data, whereas a bookkeeper in the same organisation would have only access privileges to the ‘accounts payable’ and ‘accounts receivable’.

Usernames are generally chosen so that at first glance they contain enough information to identify the owner of the Username.

Examples

Person                  Username
John Smith              Jsmith
Elizabeth Connor        Econnor
Robert Gerald Lamont    Rglamont

‘Passwords’ however, require a level of creativity to ensure that they are not compromised. The choice of passwords in organisations may be left to the custodian of the information, in other words the IT department, or it may be the responsibility of the person themselves.


The common rules for creating a password generally include:

♦ Passwords should be five to eight characters in length
♦ Allow for a combination of alpha, numeric, upper and lower case and special characters
♦ Not be particularly identifiable with the user, such as name and date of birth
♦ The system should not permit previous passwords to be used after being changed
♦ Passwords should be changed periodically, about every 60 to 90 days
♦ Passwords are not displayed when entered
♦ Vendor-supplied passwords must be replaced immediately after implementation
♦ Passwords should be personal to each user, not shared by a group
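An added example (not from the manual) showing how a custodian could apply the rules above as a checker run before a new password is accepted. The user record, the vendor default list and the salt are constructed for the example; the five-to-eight character range is the manual's and is only a default parameter.

```python
import hashlib
import os
import string
from datetime import date, timedelta

# Constructed user record of the kind the custodian (IT department) holds;
# the values are made up and only reuse the manual's username style.
USER = {
    "username": "Jsmith",
    "first_name": "John",
    "last_name": "Smith",
    "date_of_birth": date(1975, 3, 14),
}

# Constructed list of vendor-supplied default passwords, which the manual
# says must be replaced immediately after implementation.
VENDOR_DEFAULTS = {"admin", "password", "changeme"}


def hash_password(password, salt):
    """Salted PBKDF2 digest so the password history never holds clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def identifying_tokens(user):
    """Strings that would make a password 'identifiable with the user':
    name parts, username and the date of birth in common numeric forms."""
    dob = user["date_of_birth"]
    tokens = {
        user["username"], user["first_name"], user["last_name"],
        dob.strftime("%Y"), dob.strftime("%d%m%Y"), dob.strftime("%m%d%Y"),
        dob.strftime("%d%m%y"), dob.strftime("%Y%m%d"),
    }
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password, user, history, salt, min_len=5, max_len=8):
    """Return the names of the rules a candidate password violates.

    min_len/max_len default to the manual's five-to-eight character range;
    history is the list of the user's previous salted digests.
    """
    violations = []
    if not min_len <= len(password) <= max_len:
        violations.append("length")

    # Assumed reading of 'a combination of' character classes: at least
    # three of lower, upper, digit and special must be present.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        violations.append("character mix")

    lowered = password.lower()
    if any(token in lowered for token in identifying_tokens(user)):
        violations.append("identifiable with user")

    if lowered in VENDOR_DEFAULTS:
        violations.append("vendor default")

    if hash_password(password, salt) in history:
        violations.append("previously used")

    return violations


def password_expired(last_changed_iso, today_iso, max_age_days=90):
    """True once the password is older than the manual's 60 to 90 day window
    (dates given as ISO strings, e.g. '2011-01-01')."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    salt = os.urandom(16)
    history = [hash_password("Old#pw1", salt)]
    for candidate in ("Old#pw1", "john1975", "password", "Tq7$kLm2"):
        print(candidate, check_password(candidate, USER, history, salt))
    print(password_expired("2011-01-01", "2011-04-15"))
```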


PHYSICAL ACCESS

Most organisations have some dependence on their information assets and the computer system they are contained in. This means that the computer system itself needs to be secured.

If the system itself is not physically secure, then the information itself is not secure.

Physical access to computer hardware can allow an intruder to halt the system, hack into the system, alter programs, even install malicious software.

A good physical security program is an organisation’s first line of defence.

Consideration must be given to the location of the system hardware. Considerations would include:

♦ Ease of physical access
♦ Ease of installing security systems
♦ Exposure to environmental factors: water, lightning, power outage, dust, fire, earthquake, etc.

Physical security controls will vary depending on the type and size of the organisation but could include:

♦ Manual door key locks
♦ Magnetic door locks that require the use of electronic keycards
♦ Keypad entry
♦ Biometric authentication (fingerprint access)
♦ Access alarms
♦ Security guards
♦ Security cameras and recorders
♦ Photo IDs
♦ Entry logs
♦ Logs and authorisation for removal and return of tapes and other storage media to the library
♦ Perimeter fences around sensitive buildings
♦ Computer terminal locks
♦ Detectors (motion, smoke/fire, etc.)

In many organisations, physical controls would include a combination of many of the above examples.


RESTRICTED ZONES


As an extension to the physical controls, some organisations will separate their systems in areas that would be restricted.

‘Restricted zones’ could be:

♦ Another building
♦ A different floor of an office building
♦ A clearly sectioned-off part of an office area
♦ A specific secured office

Persons within the organisation would be clearly informed of the restricted areas and the consequences of unauthorised entry.

These zones would, as one might expect, use physical access control systems.


REMOTE ACCESS

There are many organisations that allow remote access to their computer system.

‘Remote access’ could be:

♦ Other business divisions
♦ Travelling employees
♦ Employees working from home
♦ Contractors/suppliers/consultants

In larger organisations, the first line of defence would be a dedicated server (sometimes known as an ‘access or communication’ server), which would have software that handles inbound access requests.

These servers would have the necessary security software that would identify the access requests and determine access privileges. They often log the request and details of what had occurred after access was either denied or granted.

In smaller organisations, the access would often be via the Internet and include various access controls, including usernames and passwords.


PROTECTION SOFTWARE


‘Intrusion Detection Systems’ (IDS) are complex software applications, which monitor network activity using various techniques, such as 'intelligent agents'. Many current applications will not only detect misuse but also identify a known pattern of attack, or attack scenario. The IDS can then automatically terminate the access and send an alert to the Systems Administrator.

Another type of protection software is ‘anti-virus’.

There are many types of programs available to prevent and/or identify and remove viruses and malicious software from the system.

Although anti-virus software is important, just as important are policies associated with downloading information off the Internet, where most viruses reside.


BACKUPS

The most effective solution to prevent losing business is to create ‘backups’.

Backup media should be stored in locked safes or locked rooms. The backup media should be stored far enough away from the origin to avoid the same kind of incident that destroyed the original.

Regular backups (at least one per month) should be stored off site. In general, backups of sensitive information should have the same level of protection as the active files of this information.


MONITORING AND AUDIT TRAILS


An ‘audit trail’ is a visible trail of evidence enabling the organisation to trace access attempts (both successful and unsuccessful) and report these back to the custodian of the information.

For example, an employee might have access to a section of a network such as a customer database, but be unauthorised to access all other sections. If that employee attempts to access an unauthorised section by typing in passwords, this improper activity is recorded in the audit trail.

Audit trails are essential to system security. Information custodians, as part of their role, are often required to regularly review violation reports to identify successful or unsuccessful unauthorised access.
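An added example (not part of the manual) of how the violation report a custodian reviews could be produced from an audit trail like the one described above: repeated denied attempts on a section the user is not authorised for, and a grant that follows such a run, are flagged. The log line format, usernames, sections and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit-trail records in a made-up one-line format; the
# usernames reuse the manual's examples, sections and times are invented.
AUDIT_TRAIL = """\
2011-03-02 09:14:05 user=Econnor section=customer_db result=granted
2011-03-02 09:16:41 user=Econnor section=payroll result=denied
2011-03-02 09:16:55 user=Econnor section=payroll result=denied
2011-03-02 09:17:20 user=Econnor section=payroll result=denied
2011-03-02 09:18:02 user=Econnor section=payroll result=granted
2011-03-02 10:02:13 user=Jsmith section=customer_db result=granted
2011-03-02 10:05:48 user=Jsmith section=product_designs result=denied
2011-03-02 11:30:00 user=Rglamont section=accounts_payable result=granted
this line is not an audit record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) section=(?P<section>\S+) "
    r"result=(?P<result>granted|denied)$"
)


def parse_audit_trail(text):
    """Return (records, skipped): one dict per well-formed line, plus a count
    of malformed lines so the custodian knows the trail itself has gaps."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            skipped += 1
    return records, skipped


def violation_report(records, threshold=3):
    """Summarise unauthorised access attempts per user and section.

    'denied' counts denied attempts per (user, section). A pair reaching
    `threshold` denials is flagged 'repeated denials'; a grant that follows
    such a run is flagged 'granted after repeated denials', the case a
    custodian should look at immediately.
    """
    denied = defaultdict(int)
    flags = []
    for r in records:
        key = (r["user"], r["section"])
        if r["result"] == "denied":
            denied[key] += 1
            if denied[key] == threshold:
                flags.append((r["ts"], r["user"], r["section"],
                              "repeated denials"))
        elif denied[key] >= threshold:
            flags.append((r["ts"], r["user"], r["section"],
                          "granted after repeated denials"))
    return {
        "denied": {k: n for k, n in denied.items() if n},
        "flags": flags,
    }


if __name__ == "__main__":
    records, skipped = parse_audit_trail(AUDIT_TRAIL)
    report = violation_report(records)
    print(f"{len(records)} records read, {skipped} malformed line(s) skipped")
    for (user, section), n in report["denied"].items():
        print(f"{user} denied {n} time(s) on {section}")
    for ts, user, section, reason in report["flags"]:
        print(f"{ts} {user} {section}: {reason}")
```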

As an extension to audit trails, there would also be physical monitoring. This could include:

♦ Monitoring entries via smartcards or keypad entries
♦ Security cameras
♦ Security guard post sign-in

Reports would be generated at agreed periods and presented to the custodian of the information.

Any suspicious activity would be immediately reported and any appropriate action taken.


WORK AREAS

Desks should be kept ‘clean’ every evening when the employee leaves his/her place of work.

The term ‘clean desk’ would refer to:

♦ All documents put away in locked cabinets or other secure locations
♦ Computers logged off and, if required, turned off
♦ Any secondary storage media (CD/DVDs, flash memory sticks, etc.) locked away

Other security recommendations would include:

♦ Having computer monitors facing away from any doors and windows
♦ Having fax machines and printers used for processing sensitive documents installed in secured areas with limited access
♦ Shredding all unwanted documents


CONTINGENCY PLANS

Contingency plans are plans that are developed to take into account how an organisation or business will operate after certain adverse ‘incidents’.

Depending on the organisation, these plans can be reasonably simple, or quite detailed.

In larger organisations, where information assets are key to the operation of the organisation/business, there can be three types of contingency plans:

1) Continuity Plans – these plans outline the measures and actions required to keep the organisation or business operating at some level in the event of an incident, or a minor disaster.

2) Recovery and Resumption Plans – these plans outline how a business or organisation would recover and resume operations in the event of incidents or disasters that caused the operations to cease. This often includes possible alternative locations and using ‘backup’ equipment and information assets.

3) Incident and Crisis Management Plans – these plans outline how an organisation is to react to severe incidents or disasters. This would include:

♦ Attention to the health and safety of employees
♦ Reporting of incidents – police, fire brigades, management reporting hierarchy, etc.
♦ Recording of near misses and actions taken

As earlier mentioned, the amount of detail that would go into any or all of those plans would depend on the size and type of organisation.

In smaller operations there may be one plan that would take into account all the information that three separate plans may contain.


DEVELOPING CONTINGENCY PLANS

Again, depending on the type and size of the organisation, there may be from one person, to a large team of people involved in the development of contingency plans.

As a minimum, the person most required to develop a contingency plan would be the ‘owner’ of the information. They would understand the level at which an organisation can operate, based on the level of information loss or lack of access.

The next person(s) involved would be the ‘custodians’ of the information assets. They have the responsibility for information asset security and knowledge of all the IT systems which ‘contain’ the information assets.

In large organisations, the development of contingency plans would often include:

♦ The CEO
♦ Financial directors
♦ Line managers – marketing, production, sales, engineering, etc.

Each would have a role in determining how they would be affected by any incident or disaster as well as how they could maintain operations, if possible.


REPORTING AND RESPONDING TO INCIDENTS

In the event of a threat or an incident involving the organisation’s information assets, there should be a policy as to how to report, record and action any responses.

The policy would need to address the hierarchy of reporting. As an example, a simple internal attempt to access restricted information may be reported to the business owner or human resources manager for follow-up and disciplinary action. It could also result in the username and password being deleted from the system.

Another example could be where unauthorised access to information assets has caused monetary loss through fraud, or intellectual property has been stolen. This may then require a police report to be filed and a police investigation requested.

One final example could be where unauthorised access to a system has resulted in the theft of confidential information about clients or individuals. Depending on the severity of the damage caused by this incident, it may involve police assistance. However, it is likely to be a policy that the organisation would inform the client(s) or individual(s) of the incident and of the actions taken.

The most important result from any incident is to locate the weaknesses in security of the information asset and modify security procedures to prevent further incidents.


SECTION SUMMARY

In the ‘Information Age’, information assets are one of, if not the most important, assets in most organisations.

If a person were to ask most businesses what would be the result if they lost all their data on their computer system, the majority would say they would most likely have to shut down operations.

There is a massive industry today that provides any sized organisation with the tools and advice on how to protect and secure their information assets, including:

♦ Hardware solutions
♦ Software solutions
♦ Training in information security
♦ Advisors/consultants in security policies and procedures
♦ Backup providers

The unfortunate reality, however, is that despite an organisation’s very best efforts to avoid, prevent or mitigate them, incidents will still occur. Particular situations, combinations of adverse events, or unanticipated threats and vulnerabilities may bypass or overwhelm even the best information security controls designed to ensure the confidentiality, integrity and availability of information assets.

We now understand that constant security reviews, monitoring of access and having contingency plans in place can often lessen the effects of many incidents involving information assets.

SELF ASSESSMENT

DID YOU LEARN?

THE FOLLOWING QUESTIONS ARE YES AND NO QUESTIONS.

IF YOU CANNOT ANSWER YES TO EACH QUESTION IT IS SUGGESTED YOU REVIEW THE MATERIAL AGAIN.

SECTION ONE

TYPES OF INFORMATION ASSETS

Do you know a few of the characteristics that would define what an ‘information asset’ is, as well as give some examples of what these types of assets would be in the following areas of an organisation:

Legal? Customer? Supply Chain? Production? Electronic Library?

STANDARDS RELATING TO INFORMATION SECURITY

Can you describe what the ‘ISO’ body was established to provide, and in what ways the implementation of its guidelines and principles assists an organisation’s security?

INFORMATION OWNER, CUSTODIAN OF INFORMATION AND INFORMATION USER

Are you able to differentiate what the roles are between the ‘owner’, ‘custodian’ and ‘user’ of information assets?

INFORMATION ASSET PROFILING

Do you remember what ‘IAP’ is, as well as the six steps in the IAP process?


THREATS TO THE SECURITY OF INFORMATION ASSETS

Can you recall in what ways the following could be considered ‘threat categories’ that would need to be taken into consideration when doing a risk assessment:

Human Threats through technical avenues? Human Threats using physical access? Technical problems?

HOW TO SECURE AND PROTECT INFORMATION ASSETS

Are you able to explain some of the methods and strategies to apply in the following areas that can ensure the security and protection of information assets:

Policies and Procedures? Usernames and Passwords? Physical Access? Restricted Zones? Remote Access? Protection Software?

MONITORING AND AUDIT TRAILS

Do you know why ‘audit trails’ are important to a system’s security, and how ‘physical monitoring’ can be added to the security process?

WORK AREAS

Can you describe what the term ‘clean desk’ means when referring to security efforts?

CONTINGENCY PLANS

Can you describe what the three types of ‘contingency plans’ are, and who would be involved in developing them?

REPORTING AND RESPONDING TO INCIDENTS

Do you remember some examples of incidents or threats that would require reporting or response, and what types of actions may these require?