Towards Improved Security Management Practice: Designing an organizational model procedure for the implementation of Information Security Management in heterogeneous Information Management environments by Marko Nordquist ISBN: 1-58112-161-X DISSERTATION.COM USA • 2002

Towards Improved Security Management Practice: Designing an organizational model procedure for the implementation of Information Security Management in heterogeneous Information Management environments

by

Marko Nordquist

ISBN: 1-58112-161-X

DISSERTATION.COM

USA • 2002

Towards Improved Security Management Practice: Designing an organizational model procedure for the implementation of Information Security Management in heterogeneous Information Management environments

Copyright © 2001 Marko Nordquist

All rights reserved.

Dissertation.com USA • 2002

ISBN: 1-58112-161-X

www.dissertation.com/library/112161xa.htm

Towards Improved Security Management Practice:

Designing an organizational model procedure for the implementation of Information Security Management in heterogeneous Information Management environments.

Marko Nordquist

A thesis submitted in partial fulfilment of the requirements of School of Computer and Information Sciences, Holmes University for the degree of Doctor of Philosophy. November 1998 - September 2001


Marko Nordquist: “Towards Improved Security Management Practice”

Certification Statement

I hereby certify that this dissertation constitutes my own product and that the words or ideas of others, where used, are properly credited according to accepted standards for professional publications.

Signed:_________________________________________ Marko Nordquist


Abstract

The growth of personal computing, the Internet, ever more complex enterprise infrastructures and inter-company cooperation has not yet reached its peak. Although the prophets of the IT branch continuously affirm that the growth rate will decrease, there is no trend significant enough to justify these statements. Growth of the information technology branch automatically brings with it an increase in security leaks, attacks and many forms of vulnerabilities. This thesis takes up these topics and offers the reader a precise instrument to set up, refine, or check and balance security in their own environment. The thesis is not limited to corporate IT departments; it also invites private individuals to look at the wide field of security-related topics and questions. The thesis is intended to be as complete as possible; however, given the rapid growth of the field, it will have to be reviewed and completed on a regular basis. The thesis develops a security model that can be adopted as-is or that can be altered, extended or completed according to private or business needs. The thesis also gives a brief overview of the role and responsibilities of an “information security officer” and attempts to design a security organization model for larger enterprises.


Acknowledgements

To keep the right sequence, first of all I would like to express my respect to my parents and to all my former teachers, tutors and professors at schools and universities. I am aware that teaching is a tough job today and pupils and alumni are not always the pride of their schoolmasters. However, even if I have not always been the most popular apprentice, I can say that all of you did a good job. Your patience was admirable and even if you thought your doctrines died away unheard, they have been impressive enough to enable me to make my way and write this thesis.

Another group of people that I would like to thank is all the colleagues, co-workers and superiors that I worked together with during the last two centuries. You all gave me the opportunity to enhance my work and life experience and to grapple with topics that might have passed my attention otherwise.

Most of all I would like to thank my wonderful wife Monika. Without her, there would have been no dissertation at all. Her patience was unending; no matter how many hours of work I had to put in, she never complained. She gave me the opportunity to complete my studies and to write down this lifework. She was an unending source of motivation towards my educational goals. Without her assistance and encouragement, my studies would have been even more difficult. I thank her for these efforts with all my love.


Likewise I would like to thank every single reader of this thesis who comes back with ideas and proposals for augmentations, improvements and additions. Feel free to mail me your proposals in detail. Note that a statement of the chapter and topic concerned is vital to any addition, improvement and augmentation. Please use the following e-mail address: [email protected] and use plain text for transmission of written materials.


Table of contents

1. - Brief overview on information management and security .......... 10
1.1. - Information technology in the last century .......... 10
1.1.1. - The early years of computing .......... 10
1.1.2. - The personal computer breakthrough .......... 10
1.1.3. - The steady growth of the Internet .......... 11
1.2. - Starting security considerations .......... 11
1.3. - The influence of the Internet on information security .......... 12
1.4. - Is “complete information protection” possible? .......... 13

2. - Introduction to information security .......... 13
2.1. - Background of this study .......... 13
2.2. - Objectives of this study .......... 13
2.3. - What is the meaning and importance of information security? .......... 14
2.4. - The structure of the model procedures .......... 16
2.5. - Setup and major points to the information security model .......... 16
2.6. - Risk assessment .......... 17
2.6.1. - Risk assessment documents .......... 17
2.7. - Setting up enterprise security requirements .......... 18
2.8. - Critical key factors to successful security management .......... 19
2.9. - Distribution, marketing and reviews .......... 20

3. - Management controls for information security .......... 20
3.1. - Security Policy .......... 20
3.1.1. - Information security policy .......... 20
3.1.1.1. - Information security policy document .......... 1
3.2. - Security organization .......... 21
3.2.1. - Information security infrastructure .......... 21
3.2.1.1. - Steering committee for information security .......... 21
3.2.1.2. - Information security coordination .......... 22
3.2.1.3. - Allocation of responsibilities .......... 23
3.2.1.4. - Authorization process for IT facilities .......... 24
3.2.1.5. - Co-operation between organizations .......... 24
3.2.1.6. - Independent reviews of information security .......... 25
3.2.2. - Security of 3rd party access .......... 25
3.2.2.1. - Identification of risks from 3rd party connections .......... 25
3.2.2.2. - Security conditions in 3rd party contracts .......... 26
3.3. - Classification and Control of Assets .......... 27
3.3.1. - Accountability for assets .......... 27
3.3.1.1. - Inventory of assets .......... 27
3.3.2. - Classification of Information .......... 28
3.3.2.1. - Classification guidelines .......... 28
3.3.2.2. - Classification labeling .......... 30
3.4. - Personnel security .......... 30
3.4.1. - Security in job definition and recruiting .......... 31
3.4.1.1. - Security in job description .......... 31
3.4.1.2. - Recruitment screening .......... 31
3.4.1.3. - Confidentiality agreement .......... 31
3.4.2. - User training .......... 32
3.4.2.1. - Information security education and training .......... 32
3.4.3. - Responding to incidents .......... 32
3.4.3.1. - Reporting of security incidents .......... 32
3.4.3.2. - Reporting of security weakness .......... 33
3.4.3.3. - Reporting of software malfunctions .......... 33
3.4.3.4. - Disciplinary process .......... 33
3.5. - Physical and environmental security .......... 34
3.5.1. - Secure areas .......... 34


3.5.1.1. - Physical security perimeter .......... 34
3.5.1.2. - Physical entry controls .......... 36
3.5.1.3. - Security of data centers and computer rooms .......... 36
3.5.1.4. - Isolated delivery loading areas .......... 37
3.5.1.5. - Clean desk policy .......... 38
3.5.1.6. - Removal of Company property .......... 38
3.5.2. - Equipment security .......... 39
3.5.2.1. - Equipment placement and protection .......... 39
3.5.2.2. - Power supplies .......... 40
3.5.2.3. - Cabling security .......... 40
3.5.2.4. - Equipment maintenance .......... 41
3.5.2.5. - Security of equipment off-premises .......... 41
3.5.2.6. - Secure disposal of equipment .......... 42
3.6. - Network and computer management .......... 42
3.6.1. - Operational procedures and responsibilities .......... 42
3.6.1.1. - Documented operating procedures .......... 43
3.6.1.2. - Incident management procedures .......... 44
3.6.1.3. - Segmentation of duties .......... 45
3.6.1.4. - Separation of development and operational facilities .......... 46
3.6.1.5. - External facilities management .......... 46
3.6.2. - System planning and acceptance .......... 47
3.6.2.1. - Capacity planning .......... 47
3.6.2.2. - System acceptance .......... 48
3.6.2.3. - Fallback planning .......... 48
3.6.2.4. - Operational change control .......... 49
3.6.3. - Protection from malicious software .......... 49
3.6.3.1. - Virus control .......... 50
3.6.4. - Housekeeping .......... 51
3.6.4.1. - Data backup .......... 51
3.6.4.2. - Operator logs .......... 52
3.6.4.3. - Fault logging .......... 52
3.6.4.4. - Environment monitoring .......... 52
3.6.5. - Network management .......... 53
3.6.5.1. - The Principles of Secure Network Design .......... 53
3.6.5.2. - Adapting the Software Process Model to Network Security .......... 54
3.6.5.3. - Phase 1: Systems Requirements .......... 54
3.6.5.4. - Phase 2: Concept Formulation .......... 54
3.6.5.5. - Phase 3: Systems Definition .......... 55
3.6.5.6. - Phase 4: Engineering Design .......... 55
3.6.5.7. - Phase 5: Design Verification .......... 56
3.6.5.8. - Phase 6: Production and Installation .......... 56
3.6.5.9. - Phase 7: Operations .......... 56
3.6.5.10. - Phase 8: Retirement .......... 56
3.6.5.11. - Conclusion .......... 57
3.6.5.12. - Network security control .......... 57
3.6.6. - Media handling and security .......... 58
3.6.6.1. - Management of removable computer media .......... 58
3.6.6.2. - Data handling procedures .......... 59
3.6.6.3. - Security of system documentation .......... 59
3.6.6.4. - Disposal of media .......... 60
3.6.7. - Data exchange .......... 61
3.6.7.1. - Data exchange agreements .......... 61
3.6.7.2. - Security of media in transit .......... 61
3.6.7.3. - EDI security .......... 62
3.6.7.4. - Security of electronic mail .......... 62
3.6.7.5. - Security of electronic office systems .......... 63
3.7. - Control of system access .......... 64
3.7.1. - Business requirement for system access .......... 64
3.7.1.1. - Documented access control policy .......... 64
3.7.2. - Management of user access .......... 65
3.7.2.1. - User registration .......... 65


3.7.2.2. - Management of privileges .......... 66
3.7.2.3. - Password management .......... 67
3.7.2.4. - Review user access rights .......... 67
3.7.3. - User responsibilities .......... 68
3.7.3.1. - The use of Passwords .......... 68
3.7.3.2. - Unattended user equipment .......... 69
3.7.4. - Network access control .......... 70
3.7.4.1. - Limited services .......... 70
3.7.4.2. - Enforced path .......... 70
3.7.4.3. - Authentication of users .......... 71
3.7.4.4. - Authentication of machines .......... 71
3.7.4.5. - Remote diagnostic port protection .......... 72
3.7.4.6. - Segmentation in networks .......... 72
3.7.4.7. - Network connection capability control .......... 73
3.7.4.8. - Network routing and switching control .......... 73
3.7.4.9. - Security of network services .......... 74
3.7.5. - Access control to computers .......... 74
3.7.5.1. - Terminal/Computer identification .......... 74
3.7.5.2. - Terminal/Computer logon procedures .......... 75
3.7.5.3. - User identifiers .......... 76
3.7.5.4. - Password management system .......... 76
3.7.5.5. - Duress alarm to safeguard users .......... 78
3.7.5.6. - Terminal/Computer time out .......... 78
3.7.5.7. - Limitation of connection time .......... 78
3.7.6. - Access control to applications .......... 79
3.7.6.1. - Information access restriction .......... 79
3.7.6.2. - Use of system utilities .......... 80
3.7.6.3. - Access control of the source program library .......... 80
3.7.6.4. - Sensitive system isolation .......... 81
3.7.7. - Monitoring access and use of systems .......... 82
3.7.7.1. - Event logging .......... 82
3.7.7.2. - Monitoring system use .......... 82
3.7.7.3. - Clock synchronization .......... 82
3.8. - System development and maintenance .......... 83
3.8.1. - Security requirements of systems .......... 83
3.8.1.1. - Security requirements analysis and specification .......... 83
3.8.2. - Security in application systems .......... 85
3.8.2.1. - Validation of data input .......... 85
3.8.2.2. - Validation of internal processing .......... 86
3.8.2.3. - Data encryption .......... 86
3.8.2.4. - Message authentication .......... 87
3.8.3. - Security of application system files .......... 87
3.8.3.1. - Control of operational software .......... 88
3.8.3.2. - Protection of system test data .......... 88
3.8.4. - Security in development and support environments .......... 89
3.8.4.1. - Change control procedures .......... 89
3.8.4.2. - Technical review of operating system changes .......... 90
3.8.4.3. - Restrictions on changes to software packages .......... 90

4. - Preventive action planning and precaution .......... 91
4.1. - Business continuity planning .......... 91
4.1.1. - Business continuity planning process .......... 91
4.2. - Business continuity planning framework .......... 92
4.2.1. - System high availability .......... 93
4.2.2. - Database rollback .......... 93
4.2.3. - BRS contracts .......... 93
4.2.4. - Backup computer centers .......... 93
4.3. - Testing business continuity .......... 94
4.3.1. - Testing business continuity plans .......... 94
4.3.1.1. - Planned testing .......... 94
4.3.1.2. - Instant testing .......... 94


4.3.2. - Updating business continuity plans .......... 95

5. - Fulfillment and compliance .......... 96
5.1. - Compliance with legal and contractual requirements .......... 96
5.1.1. - Control of proprietary software copying .......... 96
5.1.2. - Safeguarding of Company records .......... 97
5.1.3. - Compliance with data protection legislation .......... 97
5.1.4. - Prevention of misuse of IT facilities .......... 98
5.2. - Security reviews of IT systems .......... 99
5.2.1. - Compliance with security policy .......... 99
5.2.2. - Technical compliance checking .......... 99
5.3. - System audit considerations .......... 99
5.3.1. - System audit controls .......... 100
5.3.2. - Protection of system audit tools .......... 100

6. - Prospective considerations and conclusion .......... 101
6.1. - How to apply all these policies and rules? .......... 101
6.2. - Is IT secure after complete implementation? .......... 102
6.3. - Which fields of IT need most attention? .......... 102
6.4. - Critical words about this model .......... 102


1. - Brief overview on information management and security

1.1. - Information technology in the last century

Information technology is a line of business that is quite young compared to traditional vocations like crafts, manufacturing or trading. However, information technology nowadays can lay claim to being one of the leading and most important industries all over the world. Information technology started with the first mechanical computing machines at the end of the 20th century. Some good examples still demonstrate the size of these machines: in the famous German museum in Munich, one of the first computers is the size of a mid-size family home, and the only possible calculations were addition and subtraction.

1.1.1. - The early years of computing

Some leading companies developed the initial technology further, and in the early 50’s host computing became the leading technology. The famous mainframe connected tens of thousands of people working on only one system. However, enterprises realized that information technology, accomplished that way, became the most expensive department of the whole company. Industry reacted accordingly and developed so-called midrange platforms. These relatively small computers could serve a big enterprise and were more cost-effective. One of the most important arguments was that enterprises could operate these midrange systems themselves.

1.1.2. - The personal computer breakthrough

The early 80’s brought a new platform. Today the “microcomputers” are known as personal computers. Nobody ever thought that personal computers could have a realistic chance in business computing, but as the demand for personal computing increased enormously, industry turned to this new challenge and one of the most significant breakthroughs began. The 80’s also brought a new tendency, which focused on client-server based applications. Thus, the personal computer became of prime importance for enterprises of any size. Today the personal computer is integral to business. Whether for manufacturing, designing, communicating or collecting and querying data, the personal computer is the typical workplace for manufacturing, planning, executive and administrative tasks.


1.1.3. - The steady growth of the Internet

It is not astonishing that the personal computer played an important role in the development and spread of the Internet. Millions of people share all the Internet services, information and online business offerings by connecting their personal computer to the Internet. And the development still goes on. There seems to be no stopping companies from generating new ideas and Internet pages. With the Internet, security became more and more important. As enterprises noticed that "being online" could be a critical success factor, more and more enterprises became permanently connected to the Internet. This deployment caused certain groups of people to specialize in attacking Internet sites and services. Today, running an Internet site is not easy and is quite a big risk if one is not familiar with all the threats and vulnerabilities that exist. Therefore, a strong industry has emerged around this new market, developing new hardware and software in defense against hackers, pirates and spies.

1.2. - Starting security considerations

At the time when enterprises decided to run their own computer department, security was limited to operating systems, media control and computer centers. The new tendencies in networking as an overall approach for companies of any size caused the responsible managers at that time to start reflecting on an intensified security structure. As the "Information Technology" department became more and more autonomous, the notion of information security became more concrete and larger companies began to introduce the role of the "information security officer". Today this job spans a wide range of tasks, from pure media protection to access control, and from system security up to management questions like employment contracts and compliance with the law. There are numerous vulnerabilities throughout the Internet. The figures below demonstrate that all the considerations surrounding security are real.

Figure 1 OS Vulnerabilities

Figure 2 OS Vulnerabilities

1.3. - The influence of the Internet on information security

It is true that the Internet boosted and promoted the worldwide sensitizing to security questions. In the early times of the Internet this development was company driven. Today, private users also take security precautions for personal computers that are connected to online services. As the Internet population is growing rapidly, vulnerability is growing at the same speed. In that way it can be said that the Internet is forcing individuals and enterprises to be more aware of the need for secure systems, and individuals and enterprises in turn cause providers and developers to make services more secure from the start.

1.4. - Is "complete information protection" possible?

Looking at the numerous Internet sites that specialize in security related questions, the answer to this question is very clear: No, there is no route to "complete information security"! The Internet changes hardware, software and services hourly; can you imagine how much time one would have to spend to track all these changes and relate them to possible security vulnerabilities? The only recommendation possible is to keep the environment as homogeneous as possible and thus constant and clear. Even if you succeed in doing this, there will still be a full time job for somebody who is responsible for security, your "information security officer".

2. - Introduction to information security

2.1. - Background of this study

This thesis has been developed in order to propose an acceptable industrial standard for the treatment of security related concerns. There has been no focus on any particular branch of industry; however, all rules are based on and compiled from the best information security practices of many leading international companies. This thesis is also a result of intensive consideration of actual occurrences. Most innocent computer users read or hear about security leaks and do not know how to protect themselves against attacks and violations. The leading industry has always paved the way for new standards. The author thinks that a wide spectrum of security related tools would be helpful to all kinds of users and would also be a desirable goal for industry worldwide.

2.2. - Objectives of this study

The objectives of this study are pretty obvious. The model is meant to provide a basis for the following topics:

- The possibility to implement a standardized procedure that covers all aspects of security.
- The capability to measure and evaluate security on an inter-company level.
- The basis for companies to customize security standards for their own needs, within a defined frame of accredited rules.
- The fundamentals for secure and confident inter-company co-operation on every level.

The model of this study is intended to be used as a reference. Not all parts may apply in all companies or for private considerations. The public addressed is:

- Managers
- Security officers
- Security auditors
- IT controllers
- IT employees
- Computer users

The model of this study can be used as a common reference standard for any kind of inter-company co-operation, be this contracting, sub-contracting, trading or procurement of information technology products and services.

2.3. - What is the meaning and importance of information security?

The intended use of information security is to ensure business continuity. This also includes the minimization of site, hardware, software and data damage. Another part of information security is prevention. Foreseeing possible incidents and defining prophylactic actions is part of the job of security specialists.

The management of information security is the coordinating and merging part. The protection of computing assets and information, considering the most secure way and the highest effectiveness in working, is an ongoing task. Thus, information security management consists of three major components:

- Availability: assuring that infrastructure, systems, services, applications and data are available to everyone entitled when required or allowed.
- Confidentiality: protecting infrastructure, systems, services, applications and data from misuse and unauthorized use.
- Integrity: assuring that infrastructure, systems, services, applications and data are in a complete, proper and correct condition.

Today, information is provided in various forms. It is written on paper, it is spoken in conversations, it can be recorded to tapes, CDs or DVDs, films or video tapes, it can be stored on computers and computer media, and it can be transmitted in several ways, like networks, telephone lines, verbal communication, fax or telex.

Information security is fundamental to any kind of information, no matter what media is used for transmission, storage and distribution.

Infrastructure, systems, services, applications and data are vital assets. Their availability, confidentiality and integrity are essential to maintain the fundamental parts of your business.

However, security violations of information systems are increasing day by day. Companies today are facing security violations from a wide range of sources. Computer hackers, computer viruses, attacks leading to denial of service or unauthorized use of systems and services, computer based fraud and spying are common practices, and the techniques and methods become more refined every day.

The more you or your company depend on computer systems, the bigger the vulnerability and risk is. The need to take action is definitely present and there is nothing that should prevent you from starting right away. The sooner you take action to ensure your information security, the sooner you are closing doors to unauthorized access.

From the financial point of view, information security might be a part of IT that consumes a huge amount of money. On the other hand, only one successful violation or unauthorized access may cost you a hundred times the amount you would have spent to protect yourself. In the worst cases, your company might have to close down, or you might have been used as a relay for industrial spying, which can cause heavy legal proceedings that could ruin your business for the future.

One good rule of thumb might be the comparison of your company's turnover and your budget for information security. If your annual turnover is $1 Million your security should be worth 1% of it. If your turnover is $1 Billion your security should be worth 0.1% of it. Please note that this is only a rule of thumb that does not apply to every business. Financial institutes like banks and companies that are permanently online usually invest much more in information security compared to wholesalers, retailers or manufacturers.

2.4. - The structure of the model procedures

The model of this study is intended to serve as a reference. It is as comprehensive as possible. However, the sources of potential violations and attacks increase day by day and the model will need to be extended and reviewed periodically. The author recommends using this model security guideline as a working example. Not all points described will apply to every situation. Environmental and technological constraints or facts have not been taken into consideration to their full extent, as each infrastructure is unique. The listed chapters and topics act as a guideline that can be adapted according to special and unique situations. Any future augmentation of the chapters and topics is welcome and will be used to complete and enhance this model. Mailing addresses for augmentation proposals can be found on the acknowledgement page at the beginning of this thesis.

2.5. - Setup and major points of the information security model

The information security model is set up in three main parts:

- Management controls for information security
- Preventive action planning and precautions
- Fulfillment and compliance

The first chapter lists a number of categories that are in general use as recommended best security practices at large, experienced international companies. The second chapter lists categories which consist of preventive actions. The third chapter addresses legal and controlling issues.

All of the chapters, categories and topics are intended to provide information security in a selective way. If a topic does not apply to a given situation it should be skipped or adopted in an adjusted way. There are a certain number of topics in this model that most experienced international companies agree to be of special importance. These major points might be chosen as starting points of information security management. The headers of these points have been highlighted with yellow color.

2.6. - Risk assessment

Securing your information might be a very expensive act. However, to be in a good position facing your top management, you should balance the security model you plan to implement against expenditures. To keep it in a clear form, you should execute a risk assessment. The most common form is a table that consists of all the items to be assessed in the left column and two other columns that value the risk itself and the probability that an incident could occur (values 1-10, where 1 is no risk and 10 is the highest risk). To keep the assessment systematic you should structure it from the outside of your company to the inside.

2.6.1. - Risk assessment documents

Risk Assessment - Topics

Assessment Item              | Explanation
Geographical Location        | Geographical specialties, climatic features, economic situation, political situation, ecological prescriptions, situation, zone position, traffic volume, special governmental regulations
Premises                     | Constructional development, protection features, accommodation way, access hatch, security equipment, invigilator
Building                     | Constructional specialties, access hatches, suppliers' entrances, elevators and lifts, monitoring of access, protection features, escape hatches, alarm management, site management
Rooms and Floors             | Situation, constructional specialties, access, protection features
Infrastructure               | Communication, air conditioning, heating, water and sewage, fire protection, alarm systems, power supply, emergency power supply, battery packs
Networking                   | Topology, centralized elements, elements for distribution, elements for routing, switching or control, cabling, cable funnels, sockets, redundancy, NOS
Server Systems               | Situations, sizes, numbers of servers, configuration description, RAS availability, security level, physical dependencies, logical dependencies, "part of what process" description, maintenance windows, hierarchical responsibility, user management
Operation Software           | Security level, actuality (patches, service packs), special authorities, monitoring of access and events under special authority conditions, logging, configuration management, backups, licensed programs, emergency concepts
Business Applications        | List of all applications, know-how distribution, quality, sources, redundancy, integrity protection, availability, user management, configuration management
Services and Interfaces      | Matrix of all services, matrix of all interfaces, matrix per server, know-how and responsibility matrix, monitoring, sources, functional protection, change management
Peripheral System Components | Situations, redundancy, configuration sheets, technical sheets, emergency operation rules
Emergency Features           | Concepts, directions, rules, access rights under emergency conditions, testing of plans and actions
Disaster Plans               | Concepts, directions, rules, access rights under emergency conditions, testing of plans and actions

Figure 3 Risk Assessment Document

The above table is not meant to be complete and may differ from enterprise to enterprise. The table below shows an example of putting values in.

Risk Assessment - Values (Example)

Assessment Item              | Risk Value | Probability of Occurrence
Geographical Location        | 1-low      | 1-almost never
Premises                     | 2-low      | 3-infrequently
Building                     | 2-low      | 1-almost never
Rooms and Floors             | 1-low      | 1-almost never
Infrastructure               | 5-medium   | 5-now and then
Networking                   |            |
Server Systems               |            |
Operation Software           |            |
Business Applications        |            |
Services and Interfaces      |            |
Peripheral System Components |            |
Emergency Features           |            |
Disaster Plans               |            |

Figure 4 Risk Assessment Document

The results of the assessment are intended to be a reference to determine the appropriate management actions and priorities for managing information security risks.
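The worksheet of Figures 3 and 4 as a small Python script, added here as an example and not part of the thesis: it labels the 1-10 values the way Figure 4 does, ranks the filled rows so the management priorities can be read off, and lists the rows still open. The prioritization rule (score = risk value times probability) and the label wording above 6 are assumptions.

```python
"""Risk Assessment Document worksheet (Figures 3 and 4 of the thesis).

Each assessment item gets a risk value and a probability of occurrence on
the 1-10 scale the thesis uses (1 = no risk / almost never, 10 = highest).
Added example, not part of the thesis: the bands above 6 and the rule
"priority score = risk value x probability" are assumptions, chosen so that
the labels of Figure 4 are reproduced exactly.
"""
from dataclasses import dataclass

# Assessment items in the outside-to-inside order of Figure 3.
ASSESSMENT_ITEMS = [
    "Geographical Location", "Premises", "Building", "Rooms and Floors",
    "Infrastructure", "Networking", "Server Systems", "Operation Software",
    "Business Applications", "Services and Interfaces",
    "Peripheral System Components", "Emergency Features", "Disaster Plans",
]

# Label bands: (low, high) -> wording. Bands up to 6 match Figure 4;
# the wording above 6 is assumed.
RISK_BANDS = {(1, 3): "low", (4, 6): "medium", (7, 10): "high"}
PROBABILITY_BANDS = {
    (1, 2): "almost never", (3, 4): "infrequently", (5, 6): "now and then",
    (7, 8): "frequently", (9, 10): "almost always",
}


def label(value: int, bands: dict) -> str:
    """Render a 1-10 value the way Figure 4 does, e.g. 5 -> '5-medium'."""
    if not 1 <= value <= 10:
        raise ValueError(f"value {value} is outside the 1-10 scale")
    for (low, high), wording in bands.items():
        if low <= value <= high:
            return f"{value}-{wording}"
    raise AssertionError("bands do not cover 1-10")  # unreachable


@dataclass
class Assessment:
    item: str
    risk: int
    probability: int

    @property
    def score(self) -> int:
        # Assumed prioritization rule: higher score = treat first.
        return self.risk * self.probability

    def row(self) -> str:
        risk = label(self.risk, RISK_BANDS)
        prob = label(self.probability, PROBABILITY_BANDS)
        return f"{self.item:30} {risk:12} {prob}"


def prioritize(assessments):
    """Assessments ordered by descending score; ties keep table order."""
    for a in assessments:
        if a.item not in ASSESSMENT_ITEMS:
            raise ValueError(f"unknown assessment item: {a.item}")
    return sorted(assessments, key=lambda a: a.score, reverse=True)


def open_points(assessments):
    """Items still without values. Section 2.7: an open point means the
    assessment is repeated one level down for that part of the business."""
    filled = {a.item for a in assessments}
    return [item for item in ASSESSMENT_ITEMS if item not in filled]


# Constructed sample: the five rows that are filled in Figure 4.
FIGURE_4_VALUES = [
    Assessment("Geographical Location", 1, 1),
    Assessment("Premises", 2, 3),
    Assessment("Building", 2, 1),
    Assessment("Rooms and Floors", 1, 1),
    Assessment("Infrastructure", 5, 5),
]

if __name__ == "__main__":
    print(f"{'Assessment Item':30} {'Risk Value':12} Probability of Occurrence")
    for a in prioritize(FIGURE_4_VALUES):
        print(a.row(), f"(score {a.score})")
    print("Open points:", ", ".join(open_points(FIGURE_4_VALUES)))
```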

2.7. - Setting up enterprise security requirements

If you have already compiled a Risk Assessment Document, that part of setting up your enterprise security requirements is well done. At this time everybody concerned with business decisions has been interviewed and all generic data has been delivered from all information offices.

If there are still open points, for example because one or the other system runs under a special condition, you should go one level down and make a risk assessment just for that special system or that special part of your business.

The second part of the setup is to update all your statutory and contractual affairs that might exist with trading partners, customers and contractors.

There will be a persistent demand for more and more standardization as cooperation with other companies grows and the demand for information security increases.

Last but not least, your company's policy must support information security and interlace common principles, objectives and requirements within the rules for information security. Be sure your management agrees upon a regular review of all directions and policy and supports adequate testing at least once a year.

2.8. - Critical key factors for successful security management

There are some key points that have to be considered critical factors for the successful implementation of information security management. These points have to be addressed properly. Some of the points will have to be treated by repeated campaigns to assure a stable quality of service.

- First of all, security objectives, policy and principles must be more than common knowledge. There has to be a complete understanding of the threats and vulnerabilities that result from careless treatment. Every employee must clearly understand that non-compliance can cause the company to be less competitive and may lead to a reduction in jobs.
- The way to make sure the policy is known is to distribute it to all employees, partners and contractors. One good method to put that into practice is described in the section "Distribution, marketing and reviews".
- It is vital that top and middle management supports, demonstrates and promotes the information security policy and shows that there is commitment to all the principles and regulations.
- Information security regulations do not have any effect if they are not based on business requirements and objectives. Thus, if you take this model to develop your own corporate guidelines on information security, be sure that you take into consideration all the corporate policies and guidelines your company has also released. Be sure also that the executive committee for information security is informed of all changes to these corporate policies, regulations and principles.

2.9. - Distribution, marketing and reviews

The policy should be accessible to all employees. Some companies attach the information security policy to the employment contract and ask new employees to attest that they have read the policy by signing a special annex to the contract.

Another good idea is to publish the security guidelines on the corporate intranet or to put the document on a public drive of a server that everybody has access to. Make sure the path to the document is clear and maintained. There might be a sticker on each monitor where the IT department publishes the personal duties and responsibilities of employees, or the major rules may be published on the blackboard to serve as corporate security slogans. There are a lot of other ideas for how to distribute and market information security. Contact your marketing department for suggestions, or advertise a competition to incite and promote the creativity of your colleagues.

3. - Management controls for information security

3.1. - Security Policy

3.1.1. - Information security policy

The objective of the security policy is to provide management support and direction for information security. Management should demonstrate its commitment to information security through the issue of a corporate information security policy.

3.1.1.1. - Information security policy document

Experience has shown that it is vital to have a written information security policy document. The document must be available to all company employees. It would be helpful to have the policy document as an addendum to the employee contracts.

The information security policy document is the management level of the corporate security definition. All details of departmental security directions are subject to separate documents but can be mentioned in the main information security policy document. The document should consist of at least the following topics:

- The corporate definition of information security: its overall scope and objective, and its importance as an enabling mechanism for information sharing.
- A management statement of the purpose of information security and the confirmation of support for the goals and principles of information security.
- A definition of general management responsibilities and specific company responsibilities for all aspects of information security.
- A guideline on how to report suspected security incidents and security weaknesses.
- A guideline to specific corporate security policies and standards.
- Mandatory statements about legislative and contractual fulfillment requirements.
- Employee requirements for security education.
- Measures to explain business continuity planning.
- Mandatory schedules for regular reviews of the information security policy document.

3.2. - Security organization

3.2.1. - Information security infrastructure

The objective of an information security infrastructure is to manage information security within a company. Experience has shown that a management framework is useful to initiate and control the implementation of information security on all levels of the company.

3.2.1.1. - Steering committee for information security

In many large companies a steering committee for information security has been established. The purpose of that committee is to have a high level board in place. Information security is a business responsibility shared by all members of the management team. In smaller companies the duties of the steering committee for information security can be added to another existing management committee as needed. The following agenda items might be addressed by the steering committee:

- Reviewing and approving company information security policy, directions, principles, security strategies and overall responsibilities.
- Monitoring of vulnerable exposures to major threats to company information assets.
- Monitoring and reviewing security incidents within the company.
- Monitoring and reviewing reported security leaks from services and 3rd parties and approving appropriate actions for defense.
- Approving company programs to enhance information security.

3.2.1.2. - Information security coordination

Large companies probably need to coordinate information security management by means of a cross-functional steering team. This steering team consists of members of the middle management of all departments. Similar to the steering committee for information security, the cross-functional steering team meets on a regular basis and has a fixed agenda, with the following suggestions for agenda items:

- Nominating candidates for specific roles and responsibilities concerning information security questions across the company.
- Approval and sponsorship of corporate information security programs and projects (e.g. prevention, elucidation and awareness events).
- Promoting the commitment to support information security throughout the company.
- Cross-functional coordination of measures, rules and directions for new services, systems or applications.
- Agreeing specific processes and methods for information security (e.g.[1] risk classification, risk assessment, security classification).
- Assuring that security is part of the information planning process of the company.

[1] exempli gratia = for instance

3.2.1.3. - Allocation of responsibilities

A security policy that is in place with nobody responsible for looking after compliance is like a speed limit on the highway with no policeman enforcing it.

It is vital to corporate interests to nominate and instate the person(s) responsible for information security.

The information security policy document should contain a chapter that deals with roles and responsibilities. Larger enterprises might face the need to have a security organization that consists of several employees. However, all aspects of all departments and business processes have to be covered.

Starting from the supposition that an organization is necessary, there will be one person with the overall responsibility. The first line down will be formed by those with departmental security responsibility. These people have the overall responsibility for information security within their departments.

Usually the security of particular systems, services, applications and other assets is delegated to those employees who maintain the daily business.

It must be made very clear what the particular sets of security areas are and who the responsible person(s) for each of these sets is. One possible solution is to have clear job descriptions in place where role and responsibility are clearly written down and mapped to specific systems, processes or services.

Another possibility might be to allocate the responsibilities in more detailed information security policy documents that apply to a certain department or area of the company.

A third possibility is to allocate responsibilities by defining what security processes and policy apply to each system, process and service. Specifying the current incumbent for the system, process or service then automatically allocates the current responsibilities.

A pre-requisite of this model is that all assets and security processes associated with each system are identified and clearly defined.

Often, more than one person works on one system, process or service. It might be a good idea to define standard authorization levels that are generic and apply to all areas of the company.