MBA management

Security and System Maintenance topics:

SECURITY POLICY


A security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on the behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and the flow among them, and constraints on access by external systems and adversaries, including programs, and on access to data by people.

Because the security policy is a high-level definition of secure behavior, it is meaningless to claim that an entity is “secure” without knowing what “secure” means. It is also foolish to make any significant effort to address security without tracing the effort to a security policy.

Significance of Security Policy

If it is important to be secure, then it is important to be sure that all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and to assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce them. The pitfall is to work only from the sub-policies, which are essentially the rules of operation, and dispense with the top-level policy. That gives a false sense of confidence that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as “sub-policies” with no “super-policy” usually turn out to be rambling ad hoc rules that fail to enforce anything with completeness. Consequently, a top-level security policy is essential to any serious security scheme, and sub-policies and rules of operation are meaningless without it.

Computer Security policy

A computer security policy defines the goals and elements of an organization’s computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. Formal policy models can be categorized into the core security principles of confidentiality, integrity and availability.

Critical Security Policy Factors

A series of factors must be taken into account to ensure a satisfactory implementation of a security policy. These are:
• An approach to the internal security process which aligns with company culture
• An IS policy, objectives and activities that reflect business objectives
• An open security commitment from all levels of management
• A good distribution of guidance on IS policy/standards
• Implementation of an effective measurement system
• Proper funding of IS activities
• Adequate awareness, education and training
• Creation of a sound IS incident management process
• A good understanding of IS requirements and risk
• Effective security awareness ‘marketing’ throughout

SECURITY POLICY OBJECTIVES


The first stage in developing an IS policy is to identify its objectives. The list of objectives is as follows:

1. Risk Assessment
To assess the risks to Information Security (IS) in a given situation or organization.

2. System Policy
To provide management direction and support for information security.

3. Organizing Information Security
a) To manage information security within the organization
b) To maintain the security of information and processing facilities with respect to external parties.

4. Asset Management
a) To achieve and maintain appropriate protection of organizational assets.
b) To ensure that information receives an appropriate level of protection.

5. Human Resources Security
a) To ensure that employees, contractors and third parties are suitable for the jobs they are considered for and understand their responsibilities, and to reduce the risk of abuse (theft, misuse, etc.).
b) To ensure that the above are aware of IS threats and their responsibilities, and are able to support the organization’s security policies.
c) To ensure that the above exit the organization without compromising IS.

6. Physical and Environmental Security
a) To prevent unauthorized physical access, interference and damage to the organization’s information and premises.
b) To prevent loss, theft and damage of assets.
c) To prevent interruption to the organization’s activities.

7. Communications and Operations Management
• To ensure the secure operation of information processing facilities.
• To maintain the appropriate level of information security and service delivery, aligned with 3rd party agreements.
• To minimize the risk of system failures.
• To protect the integrity of information and software.
• To maintain the availability and integrity of information and processing facilities.
• To ensure the protection of information in networks and of the supporting infrastructure.
• To prevent unauthorized disclosure, modification, removal or destruction of assets.
• To prevent disruption of business activities.
• To maintain the security of information and/or software exchanged internally and externally.
• To ensure the security of e-commerce services.
• To detect unauthorized information processing activities.

8. Access Control
• To control access to information.
• To ensure authorized user access.
• To prevent unauthorized access to information systems.
• To prevent unauthorized user access and compromise of information and processing facilities.
• To prevent unauthorized access to networked services.
• To prevent unauthorized access to operating systems.
• To prevent unauthorized access to information within application systems.
• To ensure information security with respect to mobile computing and teleworking facilities.

9. Information Systems Acquisition, Development and Maintenance
• To ensure that security is an integral part of information systems.
• To prevent loss, errors or unauthorized modification/use of information within applications.
• To protect the confidentiality, integrity or authenticity of information via cryptography.
• To ensure the security of system files.
• To maintain the security of application system information and software.
• To reduce/manage risks resulting from exploitation of published vulnerabilities.

10. Information Security Incident Management
• To ensure that security information is communicated in a manner allowing corrective action to be taken in a timely fashion.
• To ensure a consistent and effective approach is applied to the management of IS issues.

11. Business Continuity Management
a) To counteract interruptions to business activities and protect critical processes from the effects of major failures/disasters.
b) To ensure timely resumption of the above.

12. Compliance
a) To avoid the breach of any law, regulatory or contractual obligation and of any security requirement.
b) To ensure systems comply with internal security policies/standards.
c) To maximize the effectiveness of and minimize associated interference from and to the systems audit process.

PERSONAL SECURITY


Personal security refers to the security given to the human beings working in the environment. It is very important to provide security to people and protect them properly against the various hazards. Personal security should be analysed with reference to the various factors of the environment. Securing human beings is the primary concept of security policy implementation. Personal security gives people confidence in their work environment.

Personal security should be designed carefully to protect human life against the occurrence of any type of hazard in the working environment. Personal security should aim to give maximum protection to the employees. Personal security creates confidence in the working environment. Policy should be framed and implemented with adequate management support to create a safe working environment.

The main objectives of Personal Security are as follows:

1. Hazards, if any, arising from the environment should not affect human beings.
2. A safe working environment is guaranteed for the employees.
3. Adequate safety measures are taken to safeguard human life.
4. Personal security policy should be flexible and supportive of all workers and officials.
5. Personal Security should be framed according to the demanding rules and regulations.

ENVIRONMENTAL SECURITY


The relation between the environment and the security of humans and nature has been the object of much research and the subject of many publications in recent decades, but it is only recently becoming an important focus of international environmental policy.

The environment and its security play an important role in the security policy. The environment should be safeguarded against hazards and pollution. The environment should support all persons involved in the process or project. The security of the environment should be designed according to the demanding situation. The environment should be friendly to all persons involved in the project or process. Environmental security protects the environment and gives a healthy working atmosphere. The environment should be protected against all types of damage arising out of various environmental factors.

The environment is the most transnational of issues, and its security is an important dimension of peace, national security, and human rights that is just now being understood. Over the next 100 years, one third of current global land cover will be transformed, with the world facing increasingly hard choices among consumption, ecosystem services, restoration, and conservation and management. Environmental security is central to national security, comprising the dynamics and interconnections among the natural resource base, the social fabric of the state, and the economic engine for local and regional stability. While the precise roles of the environment in peace, conflict, destabilization and human insecurity may differ from situation to situation, and as such are still being debated in relation to other security and conflict variables, there are growing indications that it is increasingly an underlying cause of instability, conflict and unrest.

Importance of Environment Security
To the extent humankind neglects to maintain the globe’s life-supporting ecosystems generating water, food, medicine, and clean air, current and future generations will be confronted with increasingly severe instances of environmentally induced changes. Such events will test our traditional concepts, boundaries and understandings of national security and alliance politics and, if taken for granted, may lead to conflict, including violent conflict, from the global to the regional, national, local or human level. Environmental security, broadly defined, affects humankind and its institutions and organizations anywhere and at any time.

SECURITY REQUIREMENTS


Security and requirements engineering is one of the most important factors of success in the development of a product line, given the complexity and extensive nature of product lines and the fact that a weakness in security can cause problems throughout the products of a product line. The main contribution of this work is a security standard-based process for product line development, which is an add-in of activities in the domain engineering. This process deals with security requirements from the early stages of the product line lifecycle in a systematic and intuitive way, especially adapted for product line based development. It is based on the use of the latest security requirements techniques, together with the integration of the Common Criteria (ISO/IEC 15408) and the ISO/IEC 17799 controls into the product line lifecycle. Additionally, it deals with the variability and traceability of security artifacts, providing a Security Core Assets repository. Moreover, it facilitates conformance to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 17799.

Asset Identification & Classification

The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, how are we going to decide the amount of time, effort or money that we should spend on securing the assets?

In this series on Information Security Management Systems, we have so far discussed security policy writing and security organization structure. A security policy is essential, since it shows the management’s commitment to the subject of information security, and establishes an outline giving clear direction in this matter. A security organization creates an administrative infrastructure defining the roles and responsibilities of the various participants who are entrusted with implementing and monitoring various aspects of information security.

The major steps required for assets classification and control are:

A. Identification of the assets
B. Accountability of assets
C. Preparing a schema for information classification
D. Implementing the classification schema

Identification of Assets

What are the critical assets? Suppose your corporate office was gutted in a major fire. Coping with this level of disaster will depend on what critical information you previously backed up at a remote location. Another nightmarish scene is that a hacker entered your network and copied your entire customer database. What impact will this have on your business?

Identifying the critical assets is essential for many reasons. You will come to know what is critical and essential for the business. You will be able to take appropriate decisions regarding the level of security that should be provided to protect the assets. You will also be able to decide about the level of redundancy that is necessary by keeping an extra copy of the data or an extra server that you should procure and keep as a hot standby.

The next question that we need to ponder is: what exactly is an information asset? Is it the hardware, the software, the programs or the database?

We can broadly classify assets in the following categories:

1. Information Assets
Every piece of information about your organization falls in this category. This information has been collected, classified, organized and stored in various forms.

Databases: Information about your customers, personnel, production, sales, marketing, finances. This information is critical for your business. Its confidentiality, integrity and availability are of utmost importance.

Data files: Transactional data giving up-to-date information about each event.

Operational and support procedures: These have been developed over the years and provide detailed instructions on how to perform various activities.

Archived information: Old information that may be required to be maintained by law.

Continuity plans, fallback arrangements: These would be developed to overcome any disaster and maintain the continuity of business. Absence of these will lead to ad hoc decisions in a crisis.

2. Software Assets

These can be divided into two categories:
a) Application software: Application software implements business rules of the organization. Creation of application software is a time-consuming task. Integrity of application software is very important. Any flaw in the application software could impact the business adversely.

b) System software: An organization would invest in various packaged software programs like operating systems, DBMS, development tools and utilities, software packages, office productivity suites etc. Most of the software under this category would be available off the shelf, unless the software is obsolete or non-standard.

3. Physical Assets

These are the visible and tangible equipment and could comprise:
a) Computer equipment: Mainframe computers, servers, desktops and notebook computers.
b) Communication equipment: Modems, routers, EPABXs and machines.
c) Storage media: Magnetic tapes, disks, CDs and DATs.
d) Technical equipment: Power supplies, air conditioners.
e) Furniture and fixtures.

4. Services

a) Computing services that the organization has outsourced.
b) Communication services like voice communication, data communication, value added services, wide area network etc.
c) Environmental conditioning services like heating, air conditioning and power.

Accountability of Assets

The next step is to establish accountability of assets. This is not difficult for the tangible assets like physical assets. Usually the organization will have a fixed assets register maintained for the purpose of calculating depreciation.

A more difficult task is establishing ownership for the information assets. There will be a number of users for these assets, but the prime responsibility for accuracy will lie with the asset owner. Any addition or modification to the information asset will only be done with the consent of the asset owner. For example, any changes to customer information will be done with the knowledge and consent of the marketing head. Information technology staff will probably make the changes physically, but ownership clearly lies with the business head who has the prime responsibility for the content in the customer database.

Using these criteria, we have to identify the actual owners of each of the information assets. This is also an important step for one more reason. Only an owner of the asset will be able to decide the business value of the assets. Unless the correct business value of the asset is known, we cannot identify the security requirement of the assets.

The next step is identifying owners of the application software. Application software implements the business rules. As such the business process owner should be the owner of application software. But the responsibility of maintaining application software to accurately reflect business rules will be vested with the application developers. As such, the accountability for application software should be with the application development manager.

System software ownership could be with the appropriate persons within the IT team. The owner of these assets will be responsible for maintaining all the system software including protecting the organization against software piracy.

Valuation of Assets

What is the value of an asset? Like beauty, which is in the eyes of the beholder, an asset’s value is best known to the asset owner. It may not be merely the written down value. A more realistic measure is the replacement value. How much is it going to cost if the asset has to be acquired today? Accurate valuation of an information asset is a tricky task. Due care must be taken. A seemingly small item may be immensely difficult to replace today.

True value of the asset will lead us to identify realistic measures needed for protection of the asset.

RISK ASSESSMENT


Risk assessment is a step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk, R: the magnitude of the potential loss, L, and the probability, p, that the loss will occur.

Methods may differ depending on whether the assessment concerns general financial decisions or environmental or public health risk.

Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty of risk management is that both of the quantities with which risk assessment is concerned, potential loss and probability of occurrence, can be very difficult to measure. The chance of error in the measurement of these two concepts is large. A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to manage both when faced with the scarcity of resources, especially time, in which to conduct the risk management process. Expressed mathematically.

Risk assessment from a financial point of view

Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric, such as a country’s currency, or some numerical measure of a location’s quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the “risk” is expressed as:

If the risk estimate takes into account information on the number of individuals exposed, it is termed a “population risk” and is in units of expected increased cases per a time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an “individual risk” and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are “acceptable”.

Determination of Risk

In the estimation of the risks, three or more steps are involved, requiring the inputs of different disciplines:

1. Hazard Identification: aims to determine the qualitative nature of the potential adverse consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the evidence that it can have that effect. This is done, for chemical hazards, by drawing from the results of the sciences of toxicology and epidemiology. For other kinds of hazard, engineering or other disciplines are involved.

2. Dose-Response Analysis: determines the relationship between dose and the probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse, rat) to humans, and/or from high to lower doses. In addition, the differences between individuals due to genetics or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine a concentration unlikely to yield observable effects, that is, a no effect concentration. In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety factors in the estimate of the “safe” dose, typically a factor of 10 for each unknown step.

3. Exposure Quantification: aims to determine the amount of a contaminant (dose) that individuals and populations will receive. This is done by examining the results of the discipline of exposure assessment. As different locations, lifestyles and other factors are likely to influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s).

Finally, the results of the three steps above are combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population.

RISK MANAGEMENT


Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed, including the Project Management Institute, the National Institute of Science and Technology, actuarial societies and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

For the most part, these methodologies consist of the following elements, performed, more or less, in the following order.

1. Identify, characterize, and assess threats
2. Assess the vulnerability of critical assets to specific threats
3. Determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
4. Identify ways to reduce those risks
5. Prioritize risk reduction measures based on a strategy

The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Principles of Risk Management

The International Organization for Standardization identifies the following principles of risk management:
• Risk management should create value.
• Risk management should be an integral part of organizational processes.
• Risk management should be part of decision making.
• Risk management should explicitly address uncertainty.
• Risk management should be systematic and structured.
• Risk management should be based on the best available information.
• Risk management should be tailored.
• Risk management should take into account human factors.
• Risk management should be transparent and inclusive.
• Risk management should be dynamic, iterative and responsive to change.
• Risk management should be capable of continual improvement and enhancement.

SYSTEM DEVELOPMENT AND MAINTENANCE


System development and maintenance is an important operation and a routine activity followed for effective system maintenance. System development and maintenance includes the following conditions:

- Security requirements analysis and specification
- Input data validation
- Control of internal processing
- Message authentication
- Output data validation
- Policy on use of cryptographic controls
- Encryption
- Digital Signatures
- Non-repudiation services
- Key management
- Control of operational software
- Protection of system test data
- Access control to program source library
- Change control procedures
- Technical review of operating system changes
- Covert channels and Trojan code
- Outsourced software development

COMMUNICATION MANAGEMENT


Communications management is the systematic planning, implementing, monitoring and revision of all the channels of communication within an organization and between organizations; it also includes the organization and dissemination within an organization network, or communications technology. Aspects of communications management include developing corporate communication strategies, designing internal and external communications directives, and managing the flow of information, including online communication. New technology forces constant innovation on the part of communications managers.

Basics for Communication Management


Tell them in advance
This brings up rule number one. Whether you’re dealing with salespeople, floor-sweepers or doctors, any time you as a manager need to make a decision that affects people’s lives, tell them well in advance of the event taking place. At work, this usually affects the pocketbook or the employee’s benefits.

Give enough information
Another communication problem that will come back to bite managers and supervisors is miscommunication, being misinterpreted.

Many organizations are now considering a relatively new philosophy called Open Book Management for this very reason. Lack of information often causes more problems than divulging those deep, dark company secrets. Let the worker complaining about his last meager pay raise see where the company’s money went, and see that expenses may have risen and that profits were down. This will drive an improvement in performance more often than not.

Even if your business is completely ethical, you may have good reasons not to share everything with employees. Just provide them with enough information that allows them to draw similar conclusions if they were in your position.

BUSINESS CONTINUITY MANAGEMENT


There are many risks that may threaten your organization by disrupting your business processes. These risks include traditional emergencies like fires, floods, earthquakes and tornados as well as risks from physical and cyber terrorism, cybercrime, computer and telecommunications failures, theft, employee sabotage, and labor strife. Any one of these can be very disruptive for your business.

BCM efforts are likely to make money for your firm as they serve to minimize disruptions and financial loss during even minor events. This means increased reliability and productivity for your company, competitive advantage and increased market share.

Business Continuity Management is a relatively new term that is often thought of as another way to say “disaster recovery”, but it means so much more. Business Continuity Management includes disaster recovery, business recovery, business resumption, contingency planning and crisis management.

Business Continuity Management means ensuring the continuity or uninterrupted provision of operations and services. Business Continuity Management is an ongoing process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption and contingency planning, as shown below.

| BCP | Disaster Recovery | Business Recovery | Business Resumption | Contingency Planning |
|---|---|---|---|---|
| Objective | Critical Computer Apps | Critical Business Processes | Process Restoration | Process Workaround |
| Focus | Data Recovery | Process Recovery | Return to Normal | Make Do |
| Example Event | Mainframe or Server failure | Laboratory Flood | Building Fire | Loss of Application |
| Solution | Hot Site Recovery | Dry out & Restart | New Equip, New Bldg. | Use Manual Process |

As described above, Business Continuity Management is meant to have a very broad meaning and is often used as an all-encompassing term to describe an integrated and enterprise-wide process that should include the following, in alphabetical order:

• Accident prevention
• Business impact analysis
• Business recovery
• Business resumption planning
• Command centers
• Computer security
• Contingency planning
• Crisis communication
• Crisis management
• Disaster recovery
• Emergency management and response
• Event management
• Exercising and training
• Information security
• Mitigation planning
• Project management and quality control
• Risk control
• Risk financing and insurance
• Risk management
• Safety and security
• Software management

Business Continuity Management, therefore, is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges your firm may face. Continuity planning requires that these many processes be used together to create a complete continuity plan. The plan must be maintained and updated as business processes change. Continuity plans must be tested. Tabletop drills and functional exercises are generally used to make sure that they will work.

BCM Planning Process

The first step in the planning process is to conduct a risk assessment and a business impact assessment. The next step is to decide what measures can be put in place to prevent risk becoming reality and to minimize damage if a disaster does occur. Not all risks are preventable, but steps can be taken to minimize the likelihood that they will happen.
Copyright © 2015 Mbaexamnotes.com

Review Questions
1. What are the objectives of a security policy under software infrastructure? What is its significance?
2. What is environmental security? What is its importance?
3. What are assets identification and assets classification?
4. What are the important elements of risk assessment?
5. How will you manage risks under computer system infrastructure?
6. What is communications management and business continuity management in an organizational situation?
