Organisational aspects in security design
From: networkRe-design (networkRe-design@gmx.net)
Date: 11/27/02
From: networkRe-design@gmx.net (networkRe-design) Date: 27 Nov 2002 10:20:25 -0800
Hi,
we are a group of 4 scholars from Austria, studying at the High
Technical School for Informatics in Vienna, working on a guideline for
network re-design with special focus on the general, applicable
aspects of security design.
The project will be finished in May 2003.
The topic Organisation is already finished and is posted here now. By
this we invite YOU -- as a professional, interested person or
native speaker -- to give us our FIRST FEEDBACK!
Thanks,
Claudia, Alexandra, Nina and Rupert alias networkRe-design
======================================================================
1 Universal aspects of security design
1.2 Organisation
======================================================================
This topic is concerned with the general measures needed in the
organisational field to achieve a minimum protection standard.
The main objective of this topic is to establish the general
organisational standards of the company, which are one basic part of
the foundation of IT security.
1.2.1 Organisational shortcomings
1.2.1.1 Lack of rules or insufficient rules
The importance of organisational rules increases with the required
protection of the processed information as well as the amount of
information processed within the organisation.
The spectrum of rules is usually very broad, starting from the
assignment of responsibilities through to the distribution of control
functions.
Often existing rules are not modified after technical, organisational
or personnel changes, which can result in a significant decrease in IT
security. Out-of-date rules and rules which can be misunderstood also
cause problems.
1.2.1.2 Insufficient knowledge of rules
Creating rules does not of itself guarantee the smooth flow of IT
operations. Each person in the organisation must be aware of the
rules. Inadequate or insufficient knowledge can result in heavy
damage to the company, such as the spread of a virus because a new
employee "didn't know" how to handle incoming floppy disks.
1.2.1.3 Lack of resources or unsuitable resources
Discontinuity of services can result from an insufficient amount of
the required resources, for instance using a graphical user interface
on a computer with insufficient memory, or from the failure to provide
them at the right time.
1.2.1.4 Lack of maintenance or inadequate maintenance
The availability of the whole IT system must be ensured by regular
maintenance. A general lack of maintenance or insufficient maintenance
can result in incalculable damage or late effects, like the overheating
of a laser printer because the ventilation grid was not cleaned.
1.2.1.5 Unauthorised admission to rooms requiring protection
Once non-authorised persons enter protected rooms, hazards can result
from deliberate as well as inadvertent acts. This potential damage
always has to be checked after unauthorised access to rooms requiring
protection.
1.2.1.6 Unauthorised use of rights
Rights of admission and of access to hardware and software are applied
as organisational measures to ensure secure and proper use of IT
systems and processes. If such rights are granted to the wrong
employee or are abused by that employee, the possible damage ranges
from the loss of data to the loss of availability of services or
resources.
1.2.1.7 Uncontrolled use of resources
Any type of resource should only be used for the purpose it is
designed for. The correct use of resources should be monitored within
the organisation, for instance to prevent damage resulting from
cleaning a monitor with the wrong product or using the wrong type of
ink for an ink jet printer.
1.2.2 Recommended Countermeasures
1.2.2.1 Specifications of responsibilities and of requirements for the use of IT
Initiation responsibility: Company management
Implementation responsibility: Head of IT section
For the areas "IT use" and "IT security", responsibilities as well as
authorities must be specified.
Persons who are responsible for "IT use" mainly carry the operational
responsibility for an IT system, which typically covers the following
tasks: data acquisition, work scheduling and preparation, data
processing, post-processing of data output and data media management.
Regulations concerning "IT security", as one basic aspect of IT use,
should be laid down in binding form for the following topics:
o Data backup
o Keeping data archives
o Transport of data media
o Data transmission
o Destruction of data media
o Documentation of IT procedures, software, IT configuration
o Use of passwords
o Entry rights
o Access rights
o Resource control
o Resource management
o Purchase and leasing of hardware and software
o Maintenance and repair work
o Software: acceptance and approval
o Software: application development
o Data privacy
o Protection against computer viruses
o Emergency precautions
o Approach in case of infringement of the security policy.
These regulations should be written, announced and kept up to date by
the person(s) responsible for IT security.
1.2.2.2 Resource management
The management of resources is concerned with all the items needed for
IT use, such as
o hardware (computers, keyboards, printers),
o software (system or individual software, standard programs),
o consumables (paper, toner, printer cartridges) and
o data media (floppy disks, hard disks, CD ROMs).
From these items the following tasks directly result:
o Purchase/procurement of resources,
which is an important point for cost-effectiveness considerations
in each company.
o Testing prior to use,
which checks whether new hardware was delivered complete, tests
new software on special test systems or checks whether new hardware
or software components are compatible with the existing ones.
o Identification marking,
which means that all serial numbers of hardware and software should
be documented to enable identification.
o Stock control,
which is needed because only by controlling the resources used can
consumption requirements be determined and reorders made.
1.2.2.3 Maintenance/repair regulations
To safeguard the system against failure, the maintenance interval for
the IT equipment has to be set properly. Maintenance work itself
should be carried out only by trustworthy persons or companies,
following the instructions provided by the manufacturers of the IT
equipment.
All hardware should be cleaned at least once a year.
Maintenance and repair work carried out by external parties should be
supervised by in-house technicians.
1.2.2.4 Division of responsibilities and separation of functions
The functions to be performed by the company must be laid down.
Two layers of functions exist and must be clearly separated:
o Functions which provide for, or support, the use of IT systems for
data processing purposes, such as programming, network administration
and administration of permissions.
o Functions which apply the IT procedures available for task
performance, such as an IT application supervisor.
The separation of functions has to take place when the functions are
not compatible with each other, especially when operational functions
coincide with controlling functions, for instance
o Administration of permissions and auditing
o Network administration and auditing
o Programming and test of self-developed software.
1.2.2.5 Granting of site access authorisations
First of all, the rooms requiring protection must be defined, as well
as their protection requirement, which depends on the IT equipment
kept in the room.
The next step is to define who needs which access permissions.
Access rights granted and withdrawn must be documented.
1.2.2.6 Granting of (system/network) access rights
This kind of access authorisation allows the person to whom rights
are granted to use IT systems, system components and networks after
identification and authorisation.
Access rights depend on the function, i.e. whether the person is a
system administrator or an application user. All granted rights must
be documented and sporadically checked for compliance.
1.2.2.7 Granting of (application/data) access permissions
This kind of access permission determines which persons are
authorised to use applications or data. Profiles and group privileges
have to be set according to the function of the person or group. In
any case, the extent of access permissions should be sized according
to the "need-to-know" principle. All granted rights and all changes
must be documented.
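As an added example (not part of the original post), the incompatible function pairs from 1.2.2.4 and the documentation requirement of 1.2.2.6 and 1.2.2.7 as a check over a constructed register of granted rights; the Grant record, the function names and the sample register are assumptions:

```python
"""Separation-of-functions and documentation check for a register of granted rights."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Incompatible function pairs listed in section 1.2.2.4 (names are assumed spellings).
INCOMPATIBLE = {
    frozenset({"permission administration", "auditing"}),
    frozenset({"network administration", "auditing"}),
    frozenset({"programming", "software testing"}),
}


@dataclass
class Grant:
    """One documented right: who holds which function, since when, approved by whom."""
    person: str
    function: str
    granted_on: date
    approved_by: str  # empty string means the grant was never documented


def sod_conflicts(grants):
    """Return {person: [(f1, f2), ...]} for every person holding incompatible functions."""
    per_person = {}
    for g in grants:
        per_person.setdefault(g.person, set()).add(g.function)
    conflicts = {}
    for person, funcs in per_person.items():
        bad = [tuple(p) for p in combinations(sorted(funcs), 2)
               if frozenset(p) in INCOMPATIBLE]
        if bad:
            conflicts[person] = bad
    return conflicts


def undocumented(grants):
    """Grants lacking an approver, i.e. violating 'all granted rights must be documented'."""
    return [g for g in grants if not g.approved_by]


# Constructed sample register (not from the original post).
REGISTER = [
    Grant("alice", "network administration", date(2002, 11, 1), "head-of-it"),
    Grant("alice", "auditing", date(2002, 11, 15), "head-of-it"),
    Grant("bob", "programming", date(2002, 10, 3), "head-of-it"),
    Grant("bob", "software testing", date(2002, 10, 3), ""),
    Grant("carol", "auditing", date(2002, 9, 9), "management"),
]

if __name__ == "__main__":
    print("conflicts:", sod_conflicts(REGISTER))
    print("undocumented:", [(g.person, g.function) for g in undocumented(REGISTER)])
```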
1.2.2.8 Correct disposal of resources requiring protection
Resources with sensitive data stored on them which are no longer
needed or usable must be disposed of in such a way that no conclusions
can be drawn about previously stored data. As long as the sensitive
data are not destroyed, resources like floppy disks, magnetic tapes or
CD-ROMs should be kept locked away.
1.2.2.9 Key management
The manufacture, storage, management and issue of keys must be
organised on a centralised basis and according to the functions of the
staff.
1.2.2.10 Clean desk policy
To prevent unauthorised access to data (diskette, hard disk), services
(via an unlocked PC) and documents (printouts), all employees have to
leave their desks clean.
1.2.2.11 Response to violations of security policies
The response to violations of security policies should be laid down in
advance to ensure a clear and prompt response. The action which has to
be taken depends on the nature of the violation and the person who has
committed it, and is the result of an investigation of the case.
1.2.2.12 Timely involvement of the staff council
Keeping records of employees often requires the approval of the staff
council. Members of the staff council should be informed in good time
about new implementations of IT security measures.
1.2.2.13 Security during relocation
During the relocation of an office, personnel who have not been
authorised may move data media and IT systems. The IT security
management should be involved in the planning in good time and specify
the IT security requirements for the relocation.
1.2.2.14 Assignment of responsibility for information, applications and IT components
To achieve an extensive level of overall security, it is necessary
that every employee knows that he or she is acting on security
measures. The responsibilities which correspond to this action should
be clearly known by each person. Generally, every person is
responsible for anything in his or her area of influence unless it is
explicitly assigned to others.
==============================================================================