Below you will find mock security policies, procedures and guidelines that EVERY company should have implemented and ENFORCED! Every year companies lose MILLIONS of dollars because of hackers and insiders that want to defraud the companies they work for. Here are some of the major topics that you will need to develop. This information is based on my own personal experience as well as industry standards such as ISO 17799 and BS 7799, and the knowledge that I have gained from being a CISSP.
Your CEO asks you, "How long could we stay in business if our critical
business processes went down?" Are you ready to answer that question?
- Business Continuity Planning (BCP)
  - In the event of an outage, will you be able to recover and continue business operations? You need to counteract interruptions to business activities and protect critical business processes from the effects of major failures. Can you and your team execute your plan flawlessly?
- Business Impact Analysis - Also part of BCP
  - Rate your data center environment.
- Security Policy - An Example
- System Access Control
  - You must control access to information, prevent unauthorised access to information and computers, ensure protection of networked services, detect unauthorised activities and ensure security for mobile computing and tele-networking facilities.
- Systems Maintenance
  - You need to prevent loss, modification or misuse of user data in application systems and maintain the security of application system software and data.
- Physical and Environmental Security
  - You should have protection techniques for the entire facility, from the outside perimeter to the inside office space, not just the information system resources. This includes preventing loss, damage or compromise of assets, interruption to business activities, and compromise or theft of information and information processing facilities.
- Personnel Security
  - The biggest risks and costs come from internal threats (employees). You need to reduce the risks of human error, theft, fraud or misuse of facilities. Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work. Implementing personnel security will minimise the damage from security incidents and malfunctions and allow the organisation to learn from these incidents.
- Security Organisation
- Security Management Practices
  - This is the art of doing everything on this page. You need to practice good security management, which includes the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.
- Security Architecture and Models
  - The design of the hardware is a vital part of security as well. You should be familiar with models that cover the design, monitoring, operating systems, equipment, networks, applications and the controls used to enforce various levels of availability, integrity, and confidentiality in a hardware system, and ensure that security is built into these systems.
- Access Control Systems, Classification & Methodology
  - This is the collection of functions that work together to create a security infrastructure protecting the assets of the information systems.
- Application Development Security
  - Although you can't really affect third-party developers, you can make decisions about internal application development. The environment where software is designed and developed should be of high concern to a company. There are many ways for security to be affected by developers, whether through backdoors or buffer overflows.
- Computer & Operations Management Security
  - Do you know who has access to your systems? You MUST identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Once that is done, you should audit and monitor the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions, identify the key elements, and report the pertinent information to the appropriate individual, group, or process.
- Cryptography
  - These are the principles and methods of ensuring your information's integrity, confidentiality and authenticity.
- Telecommunications, Network, & Internet Security
  - You should be familiar with the different network structures, transmission methods, transport formats, security measures used to provide availability, integrity, and confidentiality on your network, and authentication methods for transmissions over private and public communications networks and media.
- Compliance - Law, Investigations, & Ethics
  - You should research the laws, which usually revolve around ethics, in every jurisdiction where you do business, and avoid breaches of any criminal or civil law and of any statutory, regulatory or contractual obligations and security requirements. You must enforce compliance of systems with the organizational security policies and standards in place, maximize the effectiveness of the system audit process and minimize interference to and from it. Know what tools are available to put together a great court case.