Total Number of Subscribers: 464   

 

  Date: 13th October 2009

 Compiled by: M Sathya Kumar  


Information System - Internal Audit 

Introduction :

Sudhakar Lad, who had a wide range of experience in the manufacturing sector, had moved to a utility major following the liberalisation and growth of the utility sector in India over the last five years.

Sudhakar had kept himself abreast with the latest professional issues and was a regular attendee at various professional programmes of the Institute of Chartered Accountants and Bombay Chartered Accountants’ Society. He had also undergone the course of Information Systems Audit at the Institute and also at ISACA.

During a Management Committee meeting of the company, the CTO mentioned the need to have the IS organisation of the company BS 7799 certified. As a preliminary step he recommended that a consultant be appointed to ensure that the organisation is BS 7799 ready. Sudhakar, participating in the Management Committee meeting for the first time, introduced himself and proposed that the Internal Audit function had the necessary competence to conduct IS audits and ensure the organisation’s preparedness for BS 7799 certification. He also briefly outlined the steps that would be necessary to achieve this, starting from an initial review/audit of the IS organisation.

The Management Committee saw an opportunity of cost savings without compromising on the deliverable. They went ahead and approved a mandate for the Internal Audit to support the CTO’s efforts towards BS 7799 certification.

Methodology :

The ten domains of BS 7799 were to be reviewed vis-à-vis the systems and procedures at ABC Ltd. as the first stage. Several awareness and training workshops were planned subsequently to be followed by the completion of action plans as identified during the audit. The time for the certification audit was one of the key issues to be identified during the audit.

Keeping the BS 7799 standard and guidelines as the basis of the review, Sudhakar personally took up the assignment and interacted with the IS organisation users and service providers to ascertain their current status.

This audit was conducted to review the adequacy of controls implemented in the Information Technology Infrastructure towards ensuring Information Security.

BS 7799 is globally recognised by all segments of the enterprise as a comprehensive set of standards and guidelines to ensure Information Security in the enterprise.

The network of ABC comprises a Local Area Network and a Wide Area Network. The network infrastructure in Malad, Mumbai is the central hub for communication between the offices in Andheri, Bangalore, Aurangabad and Delhi. Local dial-up connectivity to the Internet over 128 kbps ISDN links is used for the transmission of outgoing email. Incoming emails are received directly in Delhi and then forwarded to the Malad, Mumbai office. A Lotus server is used as the email exchange server in all the offices. All the users in the Andheri and Malad, Mumbai offices have an email ID; very few users in Aurangabad and Bangalore have one.

Internet browsing in Malad, Mumbai and Andheri is via a proxy server installed at each of the two locations. The offices in Aurangabad and Bangalore do not use proxy servers; instead, modems are installed on individual computers, which dial out to the Internet separately. Windows 98 is the primary operating system on all the desktop computers in the company. Computer maintenance at all locations has been outsourced to LEXUS Computers, covering the desktop computers, printers and the network. Laptops are in use in the Malad, Mumbai and Andheri offices by the Managing Director, Directors, Departmental Heads and Sales and Marketing staff. Anti-virus software is loaded on the server and the desktop computers.

The domains of BS 7799-2:2002 are as follows :

I. Security policy

II. Organisation security

III. Asset classification and control

IV. Personnel security

V. Physical and environmental security

VI. Communications and operations management

VII. Access control

VIII. System development and maintenance

IX. Business continuity management

X. Compliance

Gist of observations :

I. Security policy :

BS 7799 requires that — A security policy document be approved by management, published, reviewed regularly and communicated, as appropriate, to all employees.

There is no formal and approved security policy developed and implemented in ABC. In a utilities organisation providing high-tech services, the presence and implementation of a formal and approved ISMS is vital. A security policy demonstrates management’s commitment to ensuring the security of information in the organisation. It also proves an invaluable resource in demonstrating due care and diligence in the event of liabilities.

II. Organisation security :

BS 7799 requires that — In large organisations such as ABC, a cross-functional forum of management representatives from relevant parts of the organisation shall be used to co-ordinate the implementation of information security controls. Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined.

We have been informed that there is no forum of management representatives from relevant parts of the organisation to co-ordinate the implementation of information security controls.

In the absence of a clear chain of authority and a vision for the information security of an organisation, the information security strategy of an organisation cannot achieve the desired proactive status.

III. Asset classification and control :

BS 7799 requires that — Assets be classified, and the associated protective controls for information shall take account of business needs for sharing or restricting information and of the business impacts associated with such needs. An appropriate set of procedures should be defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

Sudhakar discovered that no risk-analysis exercise was conducted in ABC to identify the assets, classify them as per their criticality and the associated threats/vulnerabilities.

In the absence of asset classification and adequate control, it would be extremely difficult to assess the resources to be deployed for their protection. It would also be very difficult to assess the damage caused in case of any disaster. Without adequate information labelling and handling procedures in place, it is left to the individual’s understanding of how to handle the storage, transmission and destruction of confidential and sensitive information.

IV. Personnel security :

BS 7799 requires that — Security roles and responsibilities, as laid down in the organisation’s information security policy be documented in job definitions where appropriate. All employees of the organisation and, where relevant, third party users, shall receive appropriate training and regular updates in organisational policies and procedures. Security incidents and software malfunctions should be reported through appropriate management channels as quickly as possible.

Sudhakar discovered that :

(1) there existed no formal job definitions and no segregation of duties between the employees. In the absence of a security policy, the validity of the job definitions, the procedures for employee training in security matters, and the reporting of security incidents and software malfunctions cannot be confirmed.

(2) background checks were done on the individuals employed in ABC. However, there were no formal procedures and documentation maintained of such checks.

(3) responsibilities of personnel were not documented.

(4) there was no procedure for rotating jobs.

Without well-defined job responsibilities and procedures for rotation of duties in place, there remains the possibility of employees with improper backgrounds being hired, which increases the risk of fraud.

V. Physical and environmental security :

BS 7799 requires that — Organisations shall use security perimeters to protect areas which contain information processing facilities. Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Secure areas shall be created in order to protect offices, rooms and facilities with special security requirements. Security procedures and controls shall be used to secure equipment such as laptops used outside an organisation’s premises.

Access to sensitive areas such as data centres and switching cabinets is not controlled. The server room in Andheri is under lock and key, but the key to the server room is readily available. There is not even a lock-and-key arrangement for the server room in Malad, Mumbai.

Physical access security is the first line of defence in an organisation’s security infrastructure. In this scenario, it would be extremely easy for an unauthorised user to copy sensitive data to another device or to steal costly equipment.

There are no documented procedures for the safeguard and handling of laptops outside the organisation. Laptops are typically used by the senior management and marketing staff.

The laptops may contain sensitive and confidential information. Without documented procedures in place for the safeguard and handling of laptops, loss or misuse of the laptops can lead to major loss of confidential and sensitive information.

VI. Communications and operations management :

BS 7799 requires that — Changes to information processing facilities and systems shall be controlled. Incident management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to security incidents. Detection and prevention controls to protect against malicious software and appropriate user awareness procedures shall be implemented. Back-up copies of essential business information and software shall be taken regularly. A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.

1. There are no documented change control procedures for Information Processing Facilities within the organisation, although there are elaborate procedures for applying patches from software vendors, change of hardware, etc.

In the absence of a documented change control procedure with adequate logs and audit trails in place, it is extremely difficult to troubleshoot and diagnose system failures. It also leads to the existing documentation falling out of sync with the latest configuration and set-up.

2. There are no documented Incident Management procedures in place.

An incident response plan dictates the actions to be followed by an identified group of personnel in response to any information security incident in the organisation. In the absence of an incident response plan, it will be very difficult, if not impossible, to co-ordinate the actions of the personnel required to minimise the damage caused, to recover from the loss and to implement corrective measures ensuring that the incident does not recur.

3. Back-up of the email server is taken regularly. User-generated data in ABC resides primarily on the individual desktops. This data is not backed up regularly.

User-generated data in the form of Word and Excel documents contains important and critical information for the company. If a user’s desktop is out of order due to a hardware failure, the data becomes unavailable. If the hard drive on the user’s desktop fails, the data is irreplaceable, resulting in data loss.

4. Electronic mail is a major tool for increasing productivity and decreasing costs. Electronic mail also forms one of the weakest links in an organisation’s security infrastructure. It is the widest base for propagation of viruses, Trojan horses, malicious software, etc. Incorrect usage of email, knowingly or unknowingly, can very easily compromise the best security policy, firewalls, intrusion detection systems, etc. An acceptable use policy for email is used for communicating what the organisation defines as acceptable behaviour for email usage. This includes specifications for content which can be sent/received using email, procedures for transmitting confidential information using email, mailbox size, acceptable attachment types, maximum mail size, mail filters, etc. There is no acceptable use policy in place for electronic mail in ABC.

Due to the absence of an acceptable use policy for electronic mail, it is possible for a user to transmit confidential and sensitive information to unauthorised users or entities outside the organisation. It is also possible that the user may receive emails containing malicious data, such as viruses or Trojan horses which can jeopardise the reliability and security of the network.

VII. Access control :

BS 7799 requires that — Business requirements for access control shall be defined and documented, and access shall be restricted to what is defined in the access control policy. Management shall conduct a formal process at regular intervals to review user-access rights. Users shall be required to follow good security practices in the selection and use of passwords. Password management systems shall provide an effective, interactive facility which ensures quality passwords. Controls shall be introduced in networks to segregate groups of information services, users and information systems. Shared networks shall have routing controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. Audit logs recording exceptions and other security-relevant events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

1. User-right assignments are decided typically by the head of department or the IT staff. No documented access control policy has been defined for the access to resources within the organisation.

In the absence of an access-control policy, it is possible that unauthorised users get access to confidential and sensitive information causing information leaks and thereby jeopardising the security of the information.

2. There is no documented password policy in place specifying essential parameters such as password length, password reuse, password format, etc.

3. No documented segregation of the network into groups as per their criticality and exposure has been done.

Segregation of networks is essential to contain security incidents such as virus outbreaks and also to enable an organisation to identify information assets as per their criticality and deploy adequate resources to maintain their integrity and reliability. Without effective and efficient segregation of networks and systems in place, there is a possibility that any single weakness or loophole, such as a virus outbreak or an email server being compromised by a hacker, compromises the security of the entire network.

4. There are no Firewalls or intrusion-detection systems in place in ABC.

A firewall allows only traffic that is defined as acceptable to enter or leave the organisational network. A firewall’s security is typically compromised by exploiting bugs in the firewall or its operating system, by denial-of-service attacks, by planting viruses, etc. To accomplish this, a hacker typically makes numerous attempts to find vulnerabilities in the firewall operating system and the network. An intrusion-detection system serves as an alarm system and guards against attempts by a potential hacker to break into the firewall or the organisation, by initiating proactive measures such as alerting the security administrator, reconfiguring the firewall to block out the intruder, etc. This risk is all the more pronounced since ABC is a high-profile and high-value financial organisation. If a hacker were to successfully penetrate the ABC network, the resulting bad publicity would be detrimental to the future of ABC in the capital market. In the absence of an intrusion-detection system, any hacking attempts made will go undetected and no proactive action can be initiated against the perpetrator.

Due to the absence of the security policy and documented risk analysis results, it is not possible to verify the adequacy of the security matrix defined in the firewall.
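The observation above is that, without an intrusion-detection system, repeated probing of the network leaves no alert. As an added example (not part of the audit or of the original article), the following Python script shows the kind of detection an IDS automates: it reads firewall deny logs in a hypothetical syslog-style format constructed here, and raises an alert when one source is denied on many distinct ports of a single host within a short window. The IP addresses, log format and thresholds are assumptions for illustration only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall deny-log lines (not from ABC's network); the
# syslog-style format is a hypothetical one assumed for this example.
SAMPLE_LOG = """\
2009-10-13T09:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2009-10-13T09:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2009-10-13T09:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2009-10-13T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2009-10-13T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2009-10-13T09:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=110
2009-10-13T09:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=143
2009-10-13T09:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2009-10-13T09:00:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2009-10-13T09:00:07 DENY src=203.0.113.5 dst=192.0.2.10 dport=1352
2009-10-13T09:01:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2009-10-13T09:30:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2009-10-13T10:00:00 DENY src=198.51.100.9 dst=192.0.2.10 dport=80
2009-10-13T11:00:00 DENY src=198.51.100.9 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            m.group("dst"), int(m.group("dport")))

def detect_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Flag (src, dst) pairs where one source is denied on at least min_ports
    distinct ports of one destination inside any sliding window of `window`."""
    # per (src, dst): deque of (timestamp, port) events still inside the window
    recent = defaultdict(deque)
    alerts = {}
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for ts, src, dst, port in sorted(events):
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and (src, dst) not in alerts:
            alerts[(src, dst)] = (q[0][0], ts, len(ports))  # first alert only
    return alerts

if __name__ == "__main__":
    for (src, dst), (start, end, n) in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan from {src} against {dst}: "
              f"{n} distinct ports between {start} and {end}")
```

A single repeated denial (198.51.100.7 on port 25) or two widely spaced ones (198.51.100.9) fall below the threshold and produce no alert, which is the distinction an administrator needs to avoid alarm fatigue.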

VIII. Systems development and maintenance :

Sudhakar was informed that there was no software development and maintenance activity being carried out in ABC.

IX. Business Continuity Planning :

BS 7799 requires that — There shall be a managed process in place for developing and maintaining business continuity throughout the organisation.

A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity. Plans shall be developed to maintain or restore business operations in a timely manner following interruption to, or failure of, critical business processes. A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance. Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.

There are no formal business continuity and disaster recovery plans in place.


X. Compliance :

BS 7799 requires that — All relevant statutory, regulatory and contractual requirements shall be explicitly defined and documented for each information system. Controls shall be in place to ensure compliance with national agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls. Where action against a person or organisation involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

There is no security policy in place defined for the organisation.

In the absence of a well-developed security policy that ensures a baseline level of security on the enterprise computers, it is possible that organisational data is leaked to competitors or simply wiped out, leading to data loss.

Conclusion :

The Management Committee, and more specifically the CTO, were appreciative of the role played by Sudhakar, and they were now better informed on the subject. They thought that Sudhakar could lead the efforts towards remedying the weaknesses identified, starting with the setting up of the Information Systems Security Policy. He was given a time frame of six months to ensure that the organisation was ready for the certification.

Sudhakar was happy that he was able to use the information gathered through various professional interactions in furthering his role and authority in a new organisation in a short span of time.

Article by Deepjee Singhal Chartered Accountants


Prime Academy - In Pursuit of excellence
