Information Security Policies for Organizations - Research Paper Example

1. Introduction In today’s networked and distributed information sharing environments information security has become an important issue for organisations of all kinds, including universities. Executives should seek to protect their information resources as they would any other valuable assets (Guttman and Roback, 1995). Gupta and Sharma (2009) consider that “information security means protecting information from malicious threats and damage due to external and internal sources” (p. xxiv). Honan (2009) defines the information security as managing the risks posed to organisations “by the accidental or deliberate misuse of confidential information” (p.1). To mitigate respective risks the executives should take formal activities – processes, policies or procedures, designed to provide reasonable assurance that undesired events will be prevented or detected, and corrected or mitigated. These activities are called controls, they may be automated (embedded within an organisation’s application systems) or manual (requiring a person to manually enforce the control (Rajamani, 2006). The ISO 27001 information security standard offers companies a risk-based approach to securing information assets. ISO 27001 defines an ISMS, or Information Security Management System, that is “a part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security” (Calder, 2009, p.4). It is important to note that the ISO 27001 standard define three fundamental attributes of an information asset, which can be affected by risks (Calder, 2009, p.3): Availability – the property of being accessible and usable upon demand by an authorized entity, which allows for the possibility that information has to be accessed by software programs or human users; Confidentiality – the property that information is not made available or disclosed to unauthorized individuals, entities, or processes; Integrity – the property of safeguarding the accuracy and completeness of assets. The cornerstone of the ISMS is the information security policy, the document which sets the framework for decisions on what controls (automated and manual) need to be put in place. According to Ungerman (2005) an actual information security policy includes a suite of living documents: the security policy document, a standards document set, and a procedures document set. The security policy often is the shortest document; there are usually four key elements that provide the foundation for the remaining documents: to whom and what the policy applies, the need for adherence, a general description, consequences of nonadherence. Barman (2001) also highlights that security policies are high-level plans that describe the goals of the procedures. They are not guidelines or standards, nor are they procedures or controls; they describe security on general terms, not specifics. Thus, the security policy for the KD 2.14 lab room has been developed as follows: 2. KD 2.14 Lab Security Policy Purpose The purpose of the KD 2.14 Lab Room Security Policy is to ensure that all valuable information, which is kept in the KD 2.14 Lab Room, and information systems, on which the KD 2.14 Lab Room’s effective work depends, are adequately protected from all threats, whether internal and external, deliberate or accidental. Scope The scope of the policy covers physical and information security of the infrastructure and information systems situated in the KD 2.14 Lab Room of the School of Computing, Information Technology & Engineering of the University of East London. The policy also encompasses secuirity of all forms of information such as data stored on computers, transmitted across networks, printed or written on paper, stored on tapes, diskettes, USB sticks and other data mediums or spoken in conversation or over the telephone. Who needs to know and adhere to this policy All users of the information in any form or information systems kept in the the KD 2.14 Lab Room need to know and adhere to this policy. General description of procedures documents Personnel Policy – describes and states management procedures and controls that must be implemented to help ensure that the recruitment, management and departure of staff do not harm information security in the the KD 2.14 Lab Room. Operations Policy – describes and states procedures and controls for operation and administration of personnel in relation to information security in the the KD 2.14 Lab Room. All staff involved in administering, developing, maintaining and using information and information systems, must follow appropriate operation policy procedures. Information Handling Policy - describes and states procedures and controls of managing information assets, including such procedures as appropriate information backup arrangements, and removing, relocating or destruction of confidential or valuable information. Environmentaland Physical Protection Policy - describes and states procedures and controls of protection the KD 2.14 Lab Room IT resources against natural or accidental disasters such as fire, water, earthquake, high temperature and humidity, contamination etc., as well as against intentional disasters, such as unauthorised physical access, offensive users’ behaviour, thefts, etc. User Management Policy - describes and states procedures and controls of user access to the KD 2.14 Lab Room IT resources, including authorisation, access rights and password policy. Use of Computers Policy - describes and states procedures and controls of users’ operations and their behaviour during using of the KD 2.14 Lab Room IT resources. System Planning Policy - describes and states procedures and controls of planning and deployment of information systems, including upgrades and correct maintenance. Network Management Policy – describes and states procedures and controls of planning and deployment of network devices. Software Management Policy – describes and states procedures and controls of planning and deployment of operating systems and application software. Information Security Awareness and Training Policy - describes and states procedures and controls of users’ training in information security according to their roles and user access rights. Roles and responsibilities The KD 2.14 Lab Room Security Policy applies to all staff and students, which use the information in any form and information systems, kept in the KD 2.14 Lab Room, according to the following roles: 1. Senior Managers – they are responsible for the overall success of the security policy; they establish goals, objectives and priorities, providing adequate resources for ensuring the success of the security policy programme. They also are responsible for providing required security awareness trainings for personnel and users, as well as for the policy evaluating and updating. 2. Information Security Managers – they are responsible for day-to-day management of the security policy programme; they coordinate all security-related interactions among organisational elements involved in security policy activity, including external ones. 3. System Security Managers / System Administrators – they are responsible for implementing technical security on computer system and for being familiar with security technology that relates to systems. 4. Users – they are responsible for following security procedures, for reporting security problems, and for attending required security awareness trainings. Sanctions and Violations All breaches of the KD 2.14 Lab Room Security Policy actual or suspected should be reported to the KD 2.14 Lab Room Senior Managers. Disciplinary processes will be applicable in those instances where staff fails to abide by this Security Policy. Revisions and Updating Schedule The KD 2.14 Lab Room Senior Managers are responsible for making updates and revisions to this policy. Scheduled revisions and updates take place every 6 months. Contact information Security Audit & Policy consultancy, Manchester, UK Glossary Abbreviation 3. KD 2.14 Lab Room Assets valuation The KD 2.14 Lab Room has information system which is intertwined with different kinds of assets valuable enough to merit information security protection (see Table 1). The information system relies on the distributed computer system, where 24 personal computers (PCs) are connected to a local area network (LAN) so that users can exchange and share information. The central component of the LAN is a server that acts as an intermediary between PCs on the network and provides a large volume of disk storage for shared information. There is one more server that acts as a backup storage of all server data. The network’s topology is star – every three PCs are connected in a group via the VLan switch. Table 1. Main assets of the KD 2.14 Lab Room Hardware Assets 24 personal computers with ATA hard disks 2 servers (one is backup) 9 VLans switch / routers Cisco switches 4 Main switches 2-hours UPS Application Software Assets Anti-virus, Firewall in each router Intrusion detection system Software 2003 Operating Systems Assets OS Windows Network Assets 10.0.0 Subnet (10.0.0.1, 10.0.0.2) DHCP – dynamic host configuration protocol LAN-Ethernet, star topology - every three PCs in 1 hub Physical Security Environment Assets 2 CCTV cameras Air-conditioner Fire alarms system Locked doors Information Assets Educational and supplemental information Research literature Internal Lab regulations and documents Personal user information and correspondence People who support and use the IT system Users, System Administrators, Information Security Managers, Senior Managers Security Policies The KD 2.14 Lab Room Security Policy 4. KD 2.14 Lab Room Risk assessment The risk assessment objective Ponnam et al. (2009) define the objective of the risk assessment as “to proactively identify areas of significant risks within the organisation and determine the impact of potential threats, in order to allocate resources and direct efforst to mitigate risks” (p.75). An approach A qualitative approach has been used for assessment of risks in relation to information security in the KD 2.14 Lab Room. This approach is based on a Likelihood-Impact Characterization method so that to critically evaluate security threats and vulnerabilities associated with the assets defined above. Stoneburner et al. (2002) define risk as “a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation” (p.8). A threat is defined as “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability” (Stoneburner et al., 2002, p. 12), while vulnerability is defined as “a flaw or weakness in system security procedures, design, implementation, or internal controls that cpuld be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy” (Stoneburner et al., 2002, p. 15). Description of the magnitude of likelihood and impact is represented in the Appendix A. The risk level associated with different combinations of likelihood and impact is also shown. The result of the risk assessment related to the KD 2.14 Lab Room assets is presented in Table 2. It should be noticed that vulnerabilities with high impacts were mostly viewed in this risk assessment to reveal the most critical risks at the moment. Table 2. The risk assessment results. ID Vulnerability Likelihood Impact Risk Hardware RH1 Equipment may become unavailable because of irregular or wrong maintenance Low High Low RH2 Equipment may become unavailable because of power failures Low High Low RH3 Valuable information may be lost because of lack of management of removable media or unproper handling information storage devices. Medium High Medium Application and Operating System Software RS1 Valuable information involved in electronic messaging (email, P2P channels, Instant Messengers) may be lost because of lack of protection High High High ID Vulnerability Likelihood Impact Risk RS2 Functioning of information and application systems may be disrupted because of lack of control of user access to these systems High High High RS3 Functioning of the whole Lab IT systems may be disrupted because of lack of user access management High High High RS4 Functioning of the whole Lab IT systems may be disrupted because of lack of restriction on connection to high-risk applications and web-resources High High High Networks RN1 Functioning of applications may be disrupted because of unproper network management Medium High Medium RN2 Functioning of applications or services in the network may be disrupted because of an unauthorised access High High High Physical security environment RE1 Equipment may be damaged by humans or stolen because of lack of physical protection Medium High Medium RE2 Equipment may be damaged naturally because of lack of physical protection Low High Low RE3 Valuable information may be damaged by humans or stolen because of lack of physical protection Medium High Medium ID Vulnerability Likelihood Impact Risk RE4 Valuable information may be damaged naturally because of lack of physical protection Low High Low Information Assets RI1 Valuable information may be lost or damaged because of lack of proper classification in terms of its value, sensitivity and criticality to the Lab Low High Low RI2 Valuable information may be lost or damaged because of lack of proper back-up procedures High High High People and Policies RP1 Employees and users may fail with their responsibilities because of lack of the information security policy Medium High Medium RP2 Employees and users may fail with their responsibilities because of unawareness about the information security policy Medium High Medium RP3 People not adhere to the Security policy requirements properly because of the policy are not approved and made public by management Medium High Medium RP4 Security weakness is not recognised by the management because of the lack of procedures of alerts monitoring, detecting and reporting Medium High Medium Figure 1 shows the revealed risks in accordance Likelihood-Impact Characterization. Figure 1. Risk Assessment results. Output The most serious information security risks in the KD 2.14 Lab Room system are connected with vulnerabilities in Software Assets and partly in Network and Information Assets. Low information security risks partly characterise Hardware and Environmental Assets. People and Policy Assets are characterised by medium risks completely. 5. KD 2.14 Lab Room Audit checklists The following audit checklist (see Table 3) was developed on a basis of the KD 2.14 Lab Room Security Policy statements, the KD 2.14 Lab Room Assets list (see Table 1), the Risk assessment results (see Table 2), and the Annex A of the ISO 27001 standard controls. Table 3. The KD 2.14 Lab Room security audit checklist. Assets group ISO 72001 clause Question Hardware A 9.2 Equipment Security Whether the equipment is correctly maintained to ‎ensure its continued availability? Whether the equipment is protected from power ‎failures? Whether permanence of power supplies, such as UPS, is being utilized‎? A 10.7 Media Handling Whether procedures exist for management of ‎removable media, such as tapes, disks, cassettes, ‎memory cards? Whether a procedure exists for handling information ‎storage? Operating Systems A 11.2 User Access Management Whether there is any formal user registration procedure for granting access to the Lab information system? Whether there is any formal management process to control allocation of passwords? A 11.5 Operating system access control Whether access to operating system is controlled by secure log-on procedure? Whether there exists a password management system that enforces various password controls? Whether there exists restriction on connection time for high-risk applications? Assets group ISO 72001 clause Question Application Software A 10.8 Exchange Information Whether the information involved in electronic ‎messaging (email, P2P, IM) is well protected? ‎ A 11.6 Application and Information access control Whether access to information and application system ‎functions by users and support personnel is controlled? Network A 10.6 Network Security Management Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications in the network? Whether controls are implemented to ensure the security of the information, and the protection from threats, such as unauthorized access? A 11.4 Network Access Control Whether users are provided with access only to the ‎services that they have been specifically authorized to ‎use? Whether groups of information services, users and ‎information systems are segregated on networks? Physical security environment A 9.1 Secure Areas Whether the Lab is locked or has lockable cabinets or safes? Whether the physical protection against damage from fire, flood and other forms of natural or man-made disaster is applied in the Lab? Assets group ISO 72001 clause Question Physical security environment (continued) A 9.2 Equipment Security Whether the equipment is protected to reduce the risks from environmental threats, and opportunities for unauthorized access? Whether any controls are in place so that equipment, information and software is not taken off-site without prior authorization? Information and data A 7.2 Information Classification Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization? A 10.5 Information Backup Whether back-ups of information and software are taken ‎and tested regularly? People A 8.1 Human Resource Security Whether employees and users security roles and responsibilities are defined and ‎documented? A 11.2 User Responsibilities Whether the users are made aware of ‎the security requirements for protecting ‎unattended equipment (e.g. logoff when finished, etc.)? Whether the organisation has adopted clear desk policy ‎and clear screen policy? Assets group ISO 72001 clause Question Policies A 5.1 Security Policy Whether in the Lab does an Information security policy exist, is it approved by the management and applied by all users? A 13 Information Security Incident Management Whether does a procedure exist that ensures all ‎employees of the Lab information system are ‎required to report any observed or suspected ‎security weakness in the system or services? Whether monitoring of systems, alerts and ‎vulnerabilities are used to detect information security ‎incidents? 6. KD 2.14 Lab Room Security audit The security audit objective The objective of security audit is to test the effectiveness of selected information security procedures in the KD 2.14 Lab Room and to ensure that users operate in accordance with the specified procedures and requirements in relation to information security. Practical Audit Method Employed 1. physical inspection of the the KD 2.14 Lab Room; 2. observation of activities and conditions in the areas of concern; 3. interviews with users and personnel of the KD 2.14 Lab Room; 4. own active operations in the role of an average user. Security Audit results The detailed checklists are included in Appendix B. There are three kinds of responses to the corresponding checklist’s questions: Yes (that means the revealed security level meets the requirements and can be considered as High), No (that means the revealed security level does not meet the requirements and can ve considered as Low), and Partly (that means the revealed security level meets the requirements only in some part and can be considered as Medium). The summarised findings are presented in Table 4 and in Fig. 2: Table 4. The security audit results Assets Risk Level Security Level Comments Hardware Assets Low-Medium High PC upgrade every 4-5 years ATA hard disks (planned to upgrade to SATA soon) VLan, Cisco, Main switches 2-hour UPS Application Software and Operating Systems Assets High Low Anti-virus Intrusion detection system No Password system Network Assets Medium-High Medium DHCP protocol Firewall in each router LAN-Ethernet Star topology (3 PCs in 1 hub) Physical Security Environment Assets Low-Medium High Monitoring with cameras PAT electricity test for cables Locked doors Air conditioner Fire alarms Policy do not bring food and drink in the Room Assets Risk Level Security Level Comments Information Assets Low High Medium High 1 backup server People who support and use the IT system and Security Policies Medium Medium Unfortunately it was not possible to gain sufficient information about policies Figure 2. Security Audit results. Output The revealed security level in the KD 2.14 Lab Room is assessed as acceptable. The main important conclusions could be done as follows: 1. Application Software and Operating Systems Assets are the weakest point in information system of the KD 2.14 Lab Room; they are evaluated as assets with the highest risk and lowest security levels. It is undoubtedly that management should take immediate measures, such as the password policy, access rights policy, access restriction to dangerous web-resources, etc. 2. Network Assets are having Medium-High level of risk, and they are protected with Medium security level. For all that some measures taken immediately (e.g. unauthorized access control) would be very helpful for increasing a general security level of the information system of the KD 2.14 Lab Room. 3. Measures regarding the People and Security Polices Assets should be taken in relation to providing more awareness and formalization of the security policy, so that both employees and users will be more responsible and careful. Periodical (e.g. monthly) self-inspections to review effectiveness of security politics would be also helpful. 4. The rest assets don’t require taking of immediate measures, there should be planned activity according to the information security programme. 7. Suggestions to improve the security 1. Formal KD 2.14 Lab Room security politics and programmes of actions should be accepted, ensuring that all the computing and information assets are secure, and that appropriate care are taken by the KD 2.14 Lab Room administration to maintain the security. 2. New reviewed contracts should be signed with the KD 2.14 Lab Room personnel, formally defining their information security responsibilities, including a compliance with the KD 2.14 Lab Room security policies and procedures and a close control of access to computing and information resources in the Lab Room. 3. Immediate measures should be taken to increase a security level of the KD 2.14 Lab Room information system in accordance with the result of the security audit, presented above. At a whole I consider: 1. The KD 2.14 Lab Room administration should be more responsible regarding the overall information security governance. These responsibilities should be based on realising that: information security is an organisational issue and not a technical issue; an information security policy is absolutely essential; an information security plan must be based on identified risks; information security compliance enforcement and monitoring is absolutely essential; a proper information security organisational structure is absolutely essential; information security managers should be empowered with the proper infrastructure, tools and supporting mechanisms (Von Solms and Von Solms, 2004). 2. The KD 2.14 Lab Room personnel should be more responsible regarding the information security policy execution and keeping a closer watch over users’ behaviour. The information security policy should be clearly related to job responsibilities of employees and information security must be shared by all employees, and not only the IT managers. 3. Users working in the KD 2.14 Lab Room should be more responsible regarding the information security requirements fulfilment. But they cannot be held responsible for security problems if they are not told what such security problems are, and what they should do to prevent them. This means that they should be provided with comprehensive user information security awareness trainings. References Barman, S. (2001) Writing Information Security Policies. Indianapolis, New Riders Publishing. Calder, A. (2009) Information Security based on ISO 27001/ ISO 27002 – A Management Guide. Amersfoort, Van Haren Publishing. Gupta, J.N.D., and Sharma S.K. (Eds.) (2009) Handbook of Research on Information Security and Assurance. London, IGI Global. Guttman, B., and Roback, E. (1995) An Introduction to Computer Security: The NIST Handbook. Washington, National Institute of Standards and Technology. Honan, B. (2009) Implementing ISO27001 in a Windows Environment. Ely, IT Governance Publishing. Ponnam, A., Harrison, B., and Watson, E. (2009) Information Systems Risk Management: An Audit and Control Approach. In Gupta, J.N.D., and Sharma S.K. (Eds.) Handbook of Research on Information Security and Assurance. London, IGI Global. Rajamani, B. (2006) Certifying automated information technology controls: Common challenges and suggested solutions. Deloitte Consulting. [Online] Available from: http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/article/c1fcfa9d452fb110VgnVCM100000ba42f00aRCRD.htm [Accessed 18 April 2010] Stoneburner, G., Goguen, A., and Feringa, A. (2002) Risk management guide for information technology systems. National Institute of Standards and Technology. [Online] Available from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf [Accessed 20 April 2010] Ungerman M. (2005) Creating and Enforcing an Effective Information Security Policy. Information Systems Audit and Control Association. [Online] Available from: http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=28014 [Accessed 18 April 2010] Von Solms, B., and Von Solms, R. (2004) The 10 deadly sins of information security management. Computers & Security, 23, 371-376. Appendix A. Likelihhod and Impact magnitudes definitions and associated risk levels Level Likelihood Impact Risk Level High L (H): The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. I (H): Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. L (H) * I (H) = R (H) Medium L (M): The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. I (M): Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission or interest; or (3) may result in human injury. L (H) * I (M) = R (M) L (M) * I (M) = R (M) L (M) * I (H) = R (M) Low L (L): The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. I (L): Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest. L (L) * I (L) = R (L) L (M) * I (L) = R (L) L (H) * I (L) = R (L) L (L) * I (M) = R (L) L (L) * I (H) = R (L) Source: Stoneburner et al. (2002) Appendix B. The KD 2.14 Lab Room security audit checklist. Assets group ISO 72001 clause Question Yes No Partly Hardware A 9.2 Equipment Security Whether the equipment is correctly maintained to ‎ensure its continued availability? Whether the equipment is protected from power ‎failures? Whether permanence of power supplies, such as UPS, is being utilized‎? + + A 10.7 Media Handling Whether procedures exist for management of ‎removable media, such as tapes, disks, cassettes, ‎memory cards? Whether a procedure exists for handling information ‎storage? + + Operating Systems A 11.2 User Access Management Whether there is any formal user registration procedure for granting access to the Lab information system? Whether there is any formal management process to control allocation of passwords? + + A 11.5 Operating system access control Whether access to operating system is controlled by secure log-on procedure? Whether there exists a password management system that enforces various password controls? Whether there exists restriction on connection time for high-risk applications? + + + Application Software A 10.8 Exchange Information Whether the information involved in electronic ‎messaging (email, P2P, IM) is well protected? ‎ + A 11.6 Application and Information access control Whether access to information and application system ‎functions by users and support personnel is controlled? + Network A 10.6 Network Security Management Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications in the network? Whether controls are implemented to ensure the security of the information, and the protection from threats, such as unauthorized access? + + A 11.4 Network Access Control Whether users are provided with access only to the ‎services that they have been specifically authorized to ‎use? Whether groups of information services, users and ‎information systems are segregated on networks? + + Physical security environment A 9.1 Secure Areas Whether the Lab is locked or has lockable cabinets or safes? Whether the physical protection against damage from fire, flood and other forms of natural or man-made disaster is applied in the Lab? + + A 9.2 Equipment Security Whether the equipment is protected to reduce the risks from environmental threats, and opportunities for unauthorized access? Whether any controls are in place so that equipment, information and software is not taken off-site without prior authorization? + + Information and data A 7.2 Information Classification Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization? + A 10.5 Information Backup Whether back-ups of information and software are taken ‎and tested regularly? + People A 8.1 Human Resource Security Whether employees and users security roles and responsibilities are defined and ‎documented? + A 11.2 User Responsibilities Whether the users are made aware of ‎the security requirements for protecting ‎unattended equipment (e.g. logoff when finished, etc.)? Whether the organisation has adopted clear desk policy ‎and clear screen policy? + + Policies A 5.1 Security Policy Whether in the Lab does an Information security policy exist, is it approved by the management and applied by all users? + Read More