Security and system maintenance

Date post: 11-Jul-2015
Upload: kudzi-chikwatu
Manage systems problems relating to security and long term support
Transcript
Manage systems problems relating to security and long term support

Identify the security requirements of a system and introduce appropriate procedures and precautions

INFORMATION SECURITY

• Information systems security is the protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

• The first process in developing any information security program is identification: you need to understand what needs to be protected and why.

WHY IS IT IMPORTANT?

Most modern organizations in the public and private sector depend on their information systems in order to be able to operate reliably.

We are all affected in our daily lives by computer failures in transport systems, utility companies, banks and other financial institutions, hospitals, ambulance dispatching systems, supermarkets and government offices.

WHAT INFORMATION SECURITY AIMS TO DO:

• Confidentiality. The only people to see the data are those authorised to see it. Private data is kept private; personal privacy is respected.

• Integrity. There are limits on who can change the data.

• Availability. Data is available at all times to authorised users.

• Accountability. It should be possible to discover after the event who has modified what data.

PROCEDURES AND PRECAUTIONS

Anti-Virus Policy

The computer will have an anti-virus program installed. The anti-virus program and all its supporting files – virus signatures, etc. – will be updated regularly, based on the schedule set by the software vendor. Further, the program will be configured to provide maximum protection, except where to do so would affect overall system performance.

Backup Policy

All data files rated Critical or High risk will be backed up to tape weekly. Two alternating sets of tapes will be used; if one set of tapes should be corrupted, the other can be used to restore the data. For safety, the backup tapes will be stored in a separate room in a fireproof box or safe.

Computer Recovery Policy –

The homeowner’s insurance policy will be amended by adding a rider covering the replacement cost of the computer system hardware and software. This rider will be reviewed annually and updated to reflect changes in the cost of replacement.

Firewall Policy –

A small office/home office (SOHO) firewall will be installed and configured to block unauthorized access to the computer from the Internet. At a minimum, the firewall will provide network address translation (NAT) and dynamic host configuration protocol (DHCP) services.

Audit trail

Serious study and revision of the system must be done, checking for any loophole which could be a possible weak point into the system.

Password Policy

Access to the computer will be controlled by the use of system passwords. Individual user accounts will be created and a password assigned to each account.

Password characteristics

• Passwords must be no less than eight characters in length
  o small letters, capital letters, numbers, and/or punctuation marks.
• Should not be predictable
• Changed frequently
• Should not be written down
• Should not be shared
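
One way to check the length, character-mix and predictability rules above when a password is set, as an added example that is not part of the original slides. The three-of-four character-class threshold, the small denylist and the names `check_password`, `char_classes` and `has_run` are assumptions made for illustration.

```python
import string

# Constructed sample denylist; a real deployment would load a much larger one.
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1", "iloveyou"}
MIN_LENGTH = 8   # "no less than eight characters" (from the slide)
MIN_CLASSES = 3  # assumption: the slide does not say how many classes are required


def char_classes(pw):
    """Count how many of the four character classes named on the slide appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def has_run(pw, length=4):
    """True if pw contains `length` repeated or consecutive characters (aaaa, 1234, dcba)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("too few character classes")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS or has_run(lowered):
        problems.append("predictable")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    return problems
```
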

PROCEDURES AND PRECAUTIONS

Access Policy –

The log files shall be used to keep a record of which individual accessed the system, at what time, and what the individual accessed and modified. Individuals shall only access the system resources using their passwords.

Only persons who maintain data will be allowed to run or access the files.
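
A review of such a log, as an added example that is not part of the original slides: it answers the accountability question (who modified what, and when) and lists file access by accounts that are not data maintainers. The comma-separated log format, the account names, the file paths and the maintainer list are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log: timestamp, account, action, resource.
SAMPLE_LOG = """\
2015-07-06T08:02:11,tendai,login,-
2015-07-06T08:05:40,tendai,modify,/data/customers.db
2015-07-06T09:14:03,rudo,read,/data/customers.db
2015-07-06T09:15:27,rudo,modify,/data/payroll.xls
2015-07-06T17:30:00,tendai,logout,-
"""

# Assumed list of accounts that maintain the data files.
DATA_MAINTAINERS = {"tendai"}
# Actions that touch files, as opposed to session events such as login/logout.
FILE_ACTIONS = {"read", "modify", "run"}


def parse_log(text):
    """Return one dict per log line with time, user, action and resource keys."""
    fields = ["time", "user", "action", "resource"]
    return list(csv.DictReader(io.StringIO(text), fieldnames=fields))


def modifications(entries):
    """Accountability: map each resource to the (time, user) pairs that modified it."""
    changed = defaultdict(list)
    for e in entries:
        if e["action"] == "modify":
            changed[e["resource"]].append((e["time"], e["user"]))
    return dict(changed)


def violations(entries, maintainers=DATA_MAINTAINERS):
    """Entries where an account that is not a data maintainer touched a file."""
    return [e for e in entries
            if e["action"] in FILE_ACTIONS and e["user"] not in maintainers]
```
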

Confidentiality Policy –

All documents that are no longer of use, particularly those containing credit card numbers or other personally identifiable information, should be properly discarded. They can be shredded prior to being disposed of or burnt.

Infrastructure Environment Policy –

An uninterruptible power supply will be installed and the computer, monitor, and firewall will be plugged into it. The printer, speakers, and other hardware will be plugged into a surge protected power strip, which will be plugged directly into the wall socket.

Data security measures

Data should be encrypted during transmission and decrypted at the backup centre.

Access privileges shall be enacted to control access of users to valuable data and information to uphold data security.

Burglar proof windows should be installed on data storage and backup rooms.

Guards should be employed to watch over both hardware and software resources.

Alarm systems should be installed to detect unauthorized entry into the information storage rooms and alert security.

Direct capture (CCTV) cameras should be used for surveillance.

Management Policies

The system analyst should recommend that management enforce certain policies to ensure maximum security, such as:

• No transfer of the organization's information from the system at any time under any circumstances without written permission from the management.

• No opening of any mail attachment without scanning for viruses and threats.

Develop procedures to manage the maintenance aspects of an operational system

4 TYPES OF MAINTENANCE

Corrective maintenance

Perfective maintenance

Adaptive maintenance

Preventative maintenance

Maintenance of an operational system

• Re-examine all policies and procedures about security. Are all employees aware of security policies?

• Carry out audits internally and use occasional penetration surveys.

• Allocate resources to securing systems according to the degree of risk.

• Use the latest versions of anti-virus software and firewall protection

• Continuous security training

• Continuous risk assessment

• Perform peer review

• Develop security test data

• Test backup, contingency and disaster recovery plan
